[TUHS] On UNIX Trojans

Ron Natalie ron at ronnatalie.com
Tue Sep 21 00:48:25 AEST 2021


I have to say my experience in UNIX systems programming was due to the 
discovery of a trojan.   It also shaped my research into security on 
UNIX and other systems over the coming decades.

At the time, the UNIX system at Johns Hopkins University (there was only 
one) in the EE department was run by an undergraduate activity called 
the "University Computing Society."    This bunch, headed by Mike Muuss 
and another, covered all aspects of running the computer:  programming, 
operations, hardware, and documentation support.    I was just a loose 
hanger-on at the time, writing my first C programs and the like.

A couple of student operators managed to get access to what would be the 
installed copy of /lib/crt0.o (the small snippet inserted at the 
beginning of all C programs).   They inserted a couple of bytes that did 
an exec of a file "^V" (current directory) and then waited.   Most of 
the time, this is a harmless change as there is no ^V file in the 
current directory.    Then, one day they hit the jackpot and a setuid 
root program got rebuilt and now they had a way of getting a root shell 
easily.

This went largely undetected as they used it for quasi-productive uses 
for a while.   One day one of the other programmers was rebuilding a 
program and noticed the few byte increase in size (back then we were 
running the system on a grand total of 8.5MB so every byte was 
precious).   Subsequent analysis of what changed revealed the trojan.    
This led to an upheaval in the department and the end of the UCS.   They 
did decide to keep the cheap student labor, however, and since I had kept 
my nose clean and had some extensive, albeit non-UNIX, programming 
experience, I was brought on board.    I spent the next three and a half 
years looking for and plugging security holes.

I went on (after a brief stint at Martin Marietta) to work for Mike at 
Aberdeen Proving Ground and continued doing random security work 
including being put on the Army's initial tiger team effort.    Also, 
there used to be a discussion in the security groups about what a 
"hacker with a Cray" could do for things about brute forcing decryption. 
    I was given use of the new X/MP the Army bought to see if that was 
feasible.    I later got to purchase a $25 million Cray 2, but left 
BRL for Rutgers before that was delivered.
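
The trojan above was caught not by any security tool but because a programmer noticed that a rebuilt binary had grown by a few bytes. The following is an added example, not code from the original post or from the people it describes: a small integrity check in C of the kind that would have flagged the tampered /lib/crt0.o. It compares a candidate object file against a trusted baseline copy and reports the size delta and the first differing byte offset. The two byte arrays are constructed stand-ins for a pristine and a tampered crt0.o; the file-reading helper is there so the same check can be pointed at real files.

```c
/* Added example: compare an object file against a trusted baseline, the
 * check that would have caught a crt0.o grown by a few inserted bytes.
 * The byte buffers below are constructed for this example, not real crt0.o
 * contents. */
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct diff_report {
    long size_delta;   /* candidate size minus baseline size */
    long first_diff;   /* first offset where the bytes differ, -1 if identical */
};

/* Compare two byte buffers. Returns 1 if they differ, 0 if identical, and
 * fills *out with the size delta and first differing offset. */
int compare_objects(const unsigned char *base, size_t base_len,
                    const unsigned char *cand, size_t cand_len,
                    struct diff_report *out)
{
    size_t n = base_len < cand_len ? base_len : cand_len;
    size_t i;

    out->size_delta = (long)cand_len - (long)base_len;
    out->first_diff = -1;
    for (i = 0; i < n; i++) {
        if (base[i] != cand[i]) {
            out->first_diff = (long)i;
            break;
        }
    }
    /* Same prefix but different lengths: the divergence is at the end of
     * the shorter one (an appended or truncated tail). */
    if (out->first_diff < 0 && base_len != cand_len)
        out->first_diff = (long)n;
    return out->first_diff >= 0;
}

/* Read a whole file into a malloc'd buffer; returns NULL on failure. */
unsigned char *read_file(const char *path, size_t *len_out)
{
    FILE *f = fopen(path, "rb");
    unsigned char *buf;
    long len;

    if (!f)
        return NULL;
    if (fseek(f, 0, SEEK_END) != 0 || (len = ftell(f)) < 0) {
        fclose(f);
        return NULL;
    }
    rewind(f);
    buf = malloc((size_t)len ? (size_t)len : 1);
    if (buf && fread(buf, 1, (size_t)len, f) != (size_t)len) {
        free(buf);
        buf = NULL;
    }
    fclose(f);
    if (buf)
        *len_out = (size_t)len;
    return buf;
}

/* Constructed stand-in for a pristine crt0.o (just a few bytes). */
static const unsigned char baseline_obj[] = {
    0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08
};

/* Constructed stand-in for the tampered copy: three bytes inserted after
 * the fourth byte, mimicking a small inserted exec stub. */
static const unsigned char tampered_obj[] = {
    0x01, 0x02, 0x03, 0x04, 0xAA, 0xBB, 0xCC, 0x05, 0x06, 0x07, 0x08
};

int main(int argc, char **argv)
{
    struct diff_report r;

    if (argc == 3) {
        /* Usage: ./check /path/to/baseline/crt0.o /lib/crt0.o */
        size_t blen = 0, clen = 0;
        unsigned char *b = read_file(argv[1], &blen);
        unsigned char *c = read_file(argv[2], &clen);
        if (!b || !c) {
            fprintf(stderr, "cannot read inputs\n");
            return 2;
        }
        if (compare_objects(b, blen, c, clen, &r))
            printf("MISMATCH: size delta %ld, first diff at offset %ld\n",
                   r.size_delta, r.first_diff);
        else
            printf("identical\n");
        free(b);
        free(c);
        return 0;
    }

    /* No arguments: run on the constructed sample. */
    compare_objects(baseline_obj, sizeof baseline_obj,
                    tampered_obj, sizeof tampered_obj, &r);
    printf("size delta %ld, first diff at offset %ld\n",
           r.size_delta, r.first_diff);
    return 0;
}
```

On the constructed sample the check reports a size delta of 3 bytes with the first difference at offset 4, exactly the sort of "few byte increase" the post describes. The baseline must of course come from somewhere the operators could not write, or the check is comparing a trojan against itself.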