CERT warns that the counterfeit program opens a server's "back door" to attackers, potentially giving them access to sensitive data.
The software, called TCP Wrappers, is designed to tighten security on Unix-based machines. If the bad version is installed, it would give a hostile attacker access to virtually anything on that computer.
Although the 52 sites that downloaded the bogus code from the original server have been notified, CERT is worried that others may have downloaded the program from so-called mirror sites. CERT fears the program could inadvertently be installed on hundreds of computers, opening them up to the very attackers it is designed to keep out.
"We can't necessarily pinpoint everyone who obtained a copy," said Jeff Carpenter, a CERT incident response team leader. "That's why we are publicizing this."
When the bad code is installed, it sends an email to notify the attacker of which machine has the software. TCP Wrappers provides access control features not available on standard Unix machines, Carpenter said.
"The issue is that this is an extremely popular program with system and network administrators--many people use this program to control access to their machines," said Carpenter. CERT has seen similar attacks on other programs, but never on TCP Wrappers.
"Because it is so popular, many people on a daily basis obtain the program and install it on their machines," Carpenter added.
However, the Trojan horse--a term for a program that appears to do something useful but also has a malicious element built in--doesn't affect everyone who has installed TCP Wrappers. It only affects users who have downloaded and installed the bad version within the last 24 hours, Carpenter said.
CERT issues 20 to 30 advisories each year, and in some cases it alerts the media, as it did this time.
Wietse Venema, who created the TCP Wrappers program, said in a message posted today that source code on an FTP site was replaced by a "backdoored version," meaning that a security hole was introduced.
"Eventually this was bound to happen, and that's why the source file is accompanied by a PGP signature," Venema wrote, adding that the program was downloaded 52 times today and that those sites have been notified. The FTP site is maintained by the Mathematics and Computing Science Department of Eindhoven University of Technology in the Netherlands.
Because CERT does not identify victims of security incidents, it would not release the names of the 52 sites that downloaded the Trojan horse. CERT also did not identify Venema or his university; that information was obtained from a mailing list used by network administrators.