Anti-Security and the Christmas Day Incident

On the morning of Dec. 25, yet another anti-security eZine was published, its contents this time targeting some well-known security professionals and projects.

The Anti-Security Movement isn't anything new. It has been around in various forms for a long time, with different names and different group affiliations, including ~el8, pHC (Phrack High Council), Fluffy Bunny, PR0J3KT M4YH3M, h0no, ZFO and others.

With the release of the "Owned and Exposed" eZine, this particular Anti-Security group claimed to have compromised several different web sites and security projects, providing evidence in the form of configuration files, directory listings, and password files gained mostly via web-server / web application attacks leveraged against the public web servers for these projects. In some cases they targeted other unrelated systems hosted on the same shared environment as their targets.

One of the claims made in the zine was that they compromised the popular ARP-Spoofing toolkit – Ettercap, and implied that the code had been altered several years ago. The implication was that a backdoor was placed in the code.

Now, the Ettercap project itself has been frozen for a few years, and is not currently maintained. So unlike some of the other projects that were "Owned and Exposed" the Ettercap project really doesn't have anyone to publicly post an analysis of the attack, the impact, and any response to the claims made in the zine.

As a result, this statement created a certain amount of FUD, with various people suggesting that the Ettercap project was backdoored by someone who hacked its website some years ago.

This anxiety is not exactly unfounded: in the past, well-known systems and applications such as the Linux kernel, OpenSSH and many others were attacked and backdoored, so these sorts of rumors are generally taken seriously in the information security community.

Wendel Henrique from the SpiderLabs PenTest team contacted Alberto Ornaghi (ALoR), who was one of the previous admins of the Ettercap project. Because this project is dead and it's likely no details will be posted publicly, we are publishing the conversation with ALoR here, with his permission.

SpiderLabs: The guys from backtrack gave a brief and polite answer to the incident, and I don't believe you guys will do the same since the project has been frozen for a few years.

ALoR: Exactly, we don't have time anymore to keep up with the project and its website.

SpiderLabs: News available in several blogs and on mail-lists is that Ettercap is backdoored from 5 years ago or so. The zine authors are not stating it outright or providing any evidence, but they suggest this is the case. As the project is frozen a lot of people are concerned about Ettercap now, which is a great tool.

ALoR: They got access to the web-server (not thru Ettercap, but thru another project) with id 'apache' and thus the only thing they had access to were the config file of the forum, then the mysql db and they dumped the content of it.

I've shut down the forum yesterday (you may have noticed it). It didn't work for a long time anyway and was full of spam (five years without maintenance are hard to clean up) so not a real loss...

SpiderLabs: Could you provide a safe sum such as SHA of the good Ettercap files?

ALoR: The source code was not modified. They didn't have access to it in any way. The CVS is safe and so [are] the downloads.

These are the SHA1sum from my local copy:

206972046b7cfc4150e5d08eff18a93dd49b9574 ettercap-NG-0.7.0.tar.gz

13d1353daf97af03b7b72f40c5f6c51ef41d3b3d ettercap-NG-0.7.1.tar.gz

514760efdca27a45d6486c18679d2b6e9ba67452 ettercap-NG-0.7.2.tar.gz

7a2c3f848ca4f39c07fddeb0d6308641265bc4ff ettercap-NG-0.7.3.tar.gz

I've checked and [these] are the same as those on sourceforge.

Here at SpiderLabs we do not endorse the Anti-Security movement in any way, and we respect and appreciate the Ettercap Project and Offensive Security Projects. In fact, even before SpiderLabs developed the tool Thicknet, we considered simply resurrecting and modifying the Ettercap project for this purpose.

Our advice is to make sure that your copy of Ettercap has the SHA1sum provided by ALoR.
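
One way to run that check over a directory of downloads, as an added example that is not code from SpiderLabs or the Ettercap project. The digests are the ones quoted above; the function names, status labels, and matching by file name (as sha1sum -c does) are assumptions of this sketch.

```python
import hashlib
from pathlib import Path

# SHA-1 sums as quoted from ALoR on this page (sha1sum output format).
PUBLISHED = """\
206972046b7cfc4150e5d08eff18a93dd49b9574 ettercap-NG-0.7.0.tar.gz
13d1353daf97af03b7b72f40c5f6c51ef41d3b3d ettercap-NG-0.7.1.tar.gz
514760efdca27a45d6486c18679d2b6e9ba67452 ettercap-NG-0.7.2.tar.gz
7a2c3f848ca4f39c07fddeb0d6308641265bc4ff ettercap-NG-0.7.3.tar.gz
"""

def parse_manifest(text):
    """Parse 'digest filename' lines into {filename: digest}; reject malformed digests."""
    manifest = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        digest, name = line.split(None, 1)
        digest = digest.lower()
        if len(digest) != 40 or any(c not in "0123456789abcdef" for c in digest):
            raise ValueError(f"not a SHA-1 digest: {digest!r}")
        manifest[name.strip().lstrip("*")] = digest  # '*' marks binary mode in sha1sum
    return manifest

def sha1_file(path, chunk=1 << 20):
    """Stream the file so a large tarball is never loaded into memory at once."""
    h = hashlib.sha1()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def verify_downloads(directory, manifest_text=PUBLISHED):
    """Return {filename: 'OK' | 'MISMATCH' | 'UNLISTED'} for each Ettercap tarball found."""
    manifest = parse_manifest(manifest_text)
    results = {}
    for path in sorted(Path(directory).glob("ettercap*.tar.gz")):
        expected = manifest.get(path.name)
        if expected is None:
            results[path.name] = "UNLISTED"  # no published sum, so nothing vouches for it
        elif sha1_file(path) == expected:
            results[path.name] = "OK"
        else:
            results[path.name] = "MISMATCH"
    return results

if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    for name, status in verify_downloads(target).items():
        print(f"{status:9} {name}")
```

Treat both MISMATCH and UNLISTED as "do not install": a renamed or repackaged tarball has no published sum to compare against.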
