Again, a program's distribution file has been trojanned. This time sendmail 8.12.6 is the victim. Files downloaded from ftp.sendmail.org from September 28, 2002 onward were infected with a trojan; the compromised FTP server was taken offline on October 6, 2002 (the CERT advisory quoted below gives the exact time, and notes that copies fetched over HTTP do not appear to have been affected).

These kinds of attacks seem to be increasing steadily. I remember reporting trojanned distributions a couple of times in the last few months. How can this be stopped?

Notice on sendmail.org
If you download the sendmail distribution you MUST verify the PGP signature. Do NOT use sendmail without verifying the integrity of the source code.
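What "verify the PGP signature" looks like in practice, as an added example that is not sendmail.org's or CERT's code. It assumes GnuPG 2.x is installed as gpg, that the signature is a detached file next to the tarball (e.g. sendmail.8.12.6.tar.gz.sig), and that you already know the fingerprint of the expected signing key from a source independent of the download server: a key fetched from the same compromised FTP server proves nothing. The self-test generates a throwaway key and a constructed stand-in tarball so it runs offline.

```python
"""Verify a source tarball against its detached PGP signature before building.

Added example; not code from sendmail.org or CERT. Assumes GnuPG 2.x on PATH and
a pinned fingerprint obtained out-of-band. The key is imported into a keyring
used for nothing else, and the VALIDSIG fingerprint is compared to the pin,
because gpg exits 0 for a good signature from any key the keyring contains.
"""
import os
import shutil
import subprocess
import tempfile


def gpg_available():
    return shutil.which("gpg") is not None


def gpg(homedir, *args, stdin=None):
    """Run gpg against an isolated keyring directory (never the user's default)."""
    return subprocess.run(
        ["gpg", "--homedir", homedir, "--batch", "--no-tty", *args],
        input=stdin, capture_output=True, check=False,
    )


def verify_signature(tarball, sigfile, keyring_home, expected_fpr):
    """Return (ok, fingerprints_seen). ok is True only when gpg reports VALIDSIG
    and the key that made the signature is the pinned one."""
    proc = gpg(keyring_home, "--status-fd", "1", "--verify", sigfile, tarball)
    fingerprints = set()
    for line in proc.stdout.decode("utf-8", "replace").splitlines():
        fields = line.split()
        # [GNUPG:] VALIDSIG <signing-key-fpr> ... [<primary-key-fpr>]
        if len(fields) > 2 and fields[:2] == ["[GNUPG:]", "VALIDSIG"]:
            fingerprints.update({fields[2].upper(), fields[-1].upper()})
    wanted = expected_fpr.replace(" ", "").upper()
    ok = proc.returncode == 0 and wanted in fingerprints
    return ok, fingerprints


def selftest():
    """Generate a throwaway key, sign a constructed stand-in tarball, then check:
    the untouched file verifies, the same file checked against the wrong pinned
    fingerprint is rejected, and a modified file (the CA-2002-28 case) fails."""
    with tempfile.TemporaryDirectory() as tmp:
        signer, verifier = os.path.join(tmp, "signer"), os.path.join(tmp, "verifier")
        os.mkdir(signer, 0o700)
        os.mkdir(verifier, 0o700)
        nopass = ["--pinentry-mode", "loopback", "--passphrase", ""]
        gpg(signer, *nopass, "--quick-gen-key",
            "Test Signer <signer@example.invalid>", "default", "default", "never")
        # First 'fpr:' record in colon output is the primary key fingerprint.
        fpr = next(line.split(":")[9]
                   for line in gpg(signer, "--with-colons", "--list-keys")
                   .stdout.decode().splitlines() if line.startswith("fpr:"))
        # The verifier keyring holds only the public key of the expected signer.
        gpg(verifier, "--import", stdin=gpg(signer, "--export").stdout)

        tarball = os.path.join(tmp, "sendmail.8.12.6.tar.gz")  # constructed stand-in
        sig = tarball + ".sig"
        with open(tarball, "wb") as f:
            f.write(b"stand-in for the sendmail 8.12.6 source tarball\n")
        gpg(signer, *nopass, "--yes", "--output", sig, "--detach-sign", tarball)

        good, _ = verify_signature(tarball, sig, verifier, fpr)
        wrong_key, _ = verify_signature(tarball, sig, verifier, "0" * 40)
        with open(tarball, "ab") as f:
            f.write(b"appended by an intruder\n")  # modified after signing
        tampered, _ = verify_signature(tarball, sig, verifier, fpr)
        return good, wrong_key, tampered


if __name__ == "__main__":
    print(selftest() if gpg_available() else "gpg not installed")
```

Two points worth keeping in mind when you adapt this to a real download: compare the pinned fingerprint against the key you import (not just against whatever VALIDSIG reports), and treat a signature that verifies against some other key in a shared keyring as a failure, which is why the example uses a dedicated keyring and an explicit pin rather than gpg's exit status alone.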
(part of) CERT® Advisory CA-2002-28 Trojan Horse Sendmail Distribution
The CERT/CC has received confirmation that some copies of the source code for the Sendmail package have been modified by an intruder to contain a Trojan horse.

The following files were modified to include the malicious code:

sendmail.8.12.6.tar.Z
sendmail.8.12.6.tar.gz

These files began to appear in downloads from the FTP server ftp.sendmail.org on or around September 28, 2002. The Sendmail development team disabled the compromised FTP server on October 6, 2002 at approximately 22:15 PDT. It does not appear that copies downloaded via HTTP contained the Trojan horse; however, the CERT/CC encourages users who may have downloaded the source code via HTTP during this time period to take the steps outlined in the Solution section as a precautionary measure.

The Trojan horse versions of Sendmail contain malicious code that is run during the process of building the software. This code forks a process that connects to a fixed remote server on 6667/tcp. This forked process allows the intruder to open a shell running in the context of the user who built the Sendmail software. There is no evidence that the process is persistent after a reboot of the compromised system. However, a subsequent build of the Trojan horse Sendmail package will re-establish the backdoor process.
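A way to look for the behaviour the advisory describes on a host that built from the tarball, as an added example that is not CERT's or the sendmail project's code. It correlates a netstat -tnp style socket list with a ps -eo pid,ppid,comm style process table and flags any connection to remote port 6667 whose process descends from a build tool, so an ordinary IRC client on the same box is not reported. All input is constructed sample data; the remote addresses are RFC 5737 documentation addresses, not the real server the advisory refers to.

```python
"""Flag build-spawned processes talking to 6667/tcp (the CA-2002-28 backdoor).

Added example, not from CERT or the sendmail project. Input formats mimic
Linux 'netstat -tnp' and 'ps -eo pid,ppid,comm'; the samples are constructed.
"""
from collections import namedtuple

BACKDOOR_PORT = 6667
BUILD_TOOLS = {"make", "gmake", "cc", "gcc"}  # sendmail's Build script drives make

# Constructed sample in 'netstat -tnp' layout: two sockets to 6667/tcp, one from
# a process under the build tree, one from an interactive IRC client.
NETSTAT_SAMPLE = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 192.0.2.10:22           198.51.100.7:51234      ESTABLISHED 812/sshd
tcp        0      0 192.0.2.10:45120        203.0.113.9:6667        ESTABLISHED 4137/sh
tcp        0      0 192.0.2.10:45200        203.0.113.44:6667       ESTABLISHED 2210/irssi
tcp        0      0 192.0.2.10:33011        203.0.113.2:443         ESTABLISHED 1999/wget
"""

# Constructed sample in 'ps -eo pid,ppid,comm' layout. 4001 is 'sh Build',
# 4010 the make it runs, 4137 the forked process that phones home.
PS_SAMPLE = """\
  PID  PPID COMMAND
    1     0 init
  812     1 sshd
 1500   812 bash
 2210  1500 irssi
 1999  1500 wget
 4001  1500 sh
 4010  4001 make
 4120  4010 sh
 4137  4120 sh
"""

Socket = namedtuple("Socket", "local remote_addr remote_port state pid program")


def parse_netstat(text):
    """Parse TCP rows; rows whose PID is hidden ('-', not root) are skipped."""
    sockets = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 7 or fields[0] not in ("tcp", "tcp6"):
            continue
        remote_addr, _, remote_port = fields[4].rpartition(":")
        pid_s, _, program = fields[6].partition("/")
        if not pid_s.isdigit():
            continue
        sockets.append(Socket(fields[3], remote_addr, int(remote_port),
                              fields[5], int(pid_s), program))
    return sockets


def parse_ps(text):
    """Map pid -> (ppid, comm)."""
    procs = {}
    for line in text.splitlines():
        fields = line.split(None, 2)
        if len(fields) == 3 and fields[0].isdigit():
            procs[int(fields[0])] = (int(fields[1]), fields[2])
    return procs


def ancestry(procs, pid):
    """Yield (pid, comm) for a process and each ancestor up to init."""
    seen = set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        ppid, comm = procs[pid]
        yield pid, comm
        pid = ppid


def find_build_backdoors(netstat_text, ps_text, port=BACKDOOR_PORT):
    """Return (pid, program, remote_addr, build_tool) for every socket to the
    given remote port whose owning process has a build tool as an ancestor."""
    procs = parse_ps(ps_text)
    hits = []
    for s in parse_netstat(netstat_text):
        if s.remote_port != port:
            continue
        builder = next((comm for _, comm in ancestry(procs, s.pid)
                        if comm in BUILD_TOOLS), None)
        if builder is not None:
            hits.append((s.pid, s.program, s.remote_addr, builder))
    return hits


if __name__ == "__main__":
    for hit in find_build_backdoors(NETSTAT_SAMPLE, PS_SAMPLE):
        print("suspect build-spawned connection:", hit)
```

Because the advisory says the process does not survive a reboot but comes back on every rebuild of the trojanned package, the snapshot has to be taken while or shortly after a build runs, on the account that ran it. The check is deliberately narrow (it keys on the one port this trojan used), so it is a confirmation step for this incident rather than general backdoor detection; blocking outbound 6667/tcp from build hosts and verifying the tarball's signature before building remain the actual controls.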