Be careful: trojaned OpenSSH package found

Slashdot: OpenSSH Package Trojaned. OpenSSH, for the Windows audience out there, is a secure connection package that allows encrypted connections over which users can use a shell on a remote machine or transfer files. (Grossly simplified, but that’s what I use it for.) It’s pretty essential, to the point that it’s become the default remote login daemon on Mac OS X.

Apparently someone hacked the package available for download from ftp.openbsd.org (and its mirrors) and inserted a line in the makefile to call a script that attempts to contact a server during the build process. So the trojan doesn’t appear to be much more than a proof of concept.

It’s pretty damn scary all the same. But there is one simple thing that people can do to mitigate their risks: check the checksums. According to the mailing list message that announced the problem, the two packages have different checksums:

This is the md5 checksum of the openssh-3.4p1.tar.gz in the FreeBSD
ports system:
MD5 (openssh-3.4p1.tar.gz) = 459c1d0262e939d6432f193c7a4ba8a8

This is the md5 checksum of the trojaned openssh-3.4p1.tar.gz:
MD5 (openssh-3.4p1.tar.gz) = 3ac9bc346d736b4a51d676faa2a08a57
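As an added example (not code from the post or from the OpenSSH project), here is a small Python check that parses BSD-style "MD5 (file) = hex" lines like the ones quoted above and verifies a download against a reference line obtained separately from the download mirror, the way the FreeBSD ports checksum was. The file it writes is a constructed stand-in, not the real tarball, so it is expected to fail against the known-good value.

```python
import hashlib
import hmac
import os
import re
import tempfile

# BSD-style checksum line, as quoted in the mailing-list message:
#   MD5 (openssh-3.4p1.tar.gz) = 459c1d0262e939d6432f193c7a4ba8a8
BSD_LINE = re.compile(
    r"^(?P<algo>[A-Za-z0-9]+)\s*\((?P<name>[^)]+)\)\s*=\s*(?P<hex>[0-9a-fA-F]+)\s*$"
)

# Digests quoted in the post for openssh-3.4p1.tar.gz (good = FreeBSD ports value)
GOOD_LINE = "MD5 (openssh-3.4p1.tar.gz) = 459c1d0262e939d6432f193c7a4ba8a8"
TROJANED_LINE = "MD5 (openssh-3.4p1.tar.gz) = 3ac9bc346d736b4a51d676faa2a08a57"


def parse_bsd_checksum(line):
    """Return (algorithm, filename, lowercase hex digest) from a BSD-style line."""
    m = BSD_LINE.match(line.strip())
    if not m:
        raise ValueError("not a BSD-style checksum line: %r" % line)
    return m.group("algo").lower(), m.group("name"), m.group("hex").lower()


def file_digest(path, algo="md5", chunk=1 << 16):
    """Hash a file in chunks so large tarballs are not read into memory at once."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def verify_download(path, reference_line):
    """True only if the file name matches the reference line and the digest
    computed locally equals the reference digest (obtained out of band)."""
    algo, name, expected = parse_bsd_checksum(reference_line)
    if os.path.basename(path) != name:
        return False  # reference line describes a different file
    return hmac.compare_digest(file_digest(path, algo), expected)


def demo():
    """Constructed stand-in file: passes against its own digest, fails against
    the post's known-good value (it is not the real tarball)."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "openssh-3.4p1.tar.gz")
        with open(path, "wb") as f:
            f.write(b"constructed stand-in, not the real openssh-3.4p1.tar.gz\n")
        own_line = "MD5 (openssh-3.4p1.tar.gz) = " + file_digest(path)
        return verify_download(path, own_line), verify_download(path, GOOD_LINE)


if __name__ == "__main__":
    print(demo())  # (True, False)
```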

This is why Apple started digitally signing its software update packages. Without an infrastructure to verify identity and validity of downloaded packages, people will continue to be at risk.

Now the OpenSSH project will have to look at its server and its processes to figure out how they got tainted.