[colug-432] Necropsy: Virus?: objdump -x; comparing binaries
R P Herrold
herrold at owlriver.com
Wed May 4 08:20:57 EDT 2011
On Tue, 3 May 2011, jep200404 at columbus.rr.com wrote:
> http://www.colug.net/~jep/screenscrape.txt
> http://www.colug.net/~beware/danger-possible-malicious-software.tgz
>
> In the latter URL, change beware to jep to download the suspect software.
In that URL, sed -e 's/beware/jep/'. Running 'strings' against the binaries I find expected values
and indications of 'hooks' to conform to selinux requirements
--- one sad thing that Red Hat has chosen to do is to move
away from a 'statically linked' RPM (which would cause it to be
ignored in pre-linking, as well as permit more use cases for
recovery and testing)
At this point, it should be possible to perform forensics on
the box in question by booting in 'recovery' mode from an
install CD, and inspecting the integrity of the cryptographic
signature of the binaries, as contained in the package entries
containing 'cp' and 'rpm' ('coreutils' and 'rpm' respectively)
A list member then employed at a major bank and I went back and
forth on this topic privately in a 'thought experiment' when
Red Hat and separately its Fedora project revealed that there
had been compromise of their keysigning machine, and of its
infrastructure, respectively, in 2008 -- see:
http://www.owlriver.com/projects/packaging/#compromises
Red Hat was unable to publicly give a credible approach on a
mechanism for a customer of its RHEL product to detect the
trojaned sshd, as I recall ... memory fades
-- Russ herrold
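The rescue-boot check Russ describes, as an added example that is not part of the original post: compare the binaries on the suspect disk (mounted read-only from install media, e.g. under /mnt/sysimage) against the per-file digests the RPM database recorded for their packages. The field layout below is that of `rpm -q --dump`; the dump lines and the file tree in `demo()` are constructed here so it runs offline. Caveat the thread implies: the rpmdb lives on the same disk as the binaries, so a digest match only says "disk agrees with rpmdb"; the stronger reference is the GPG-signed package file itself (`rpm -K pkg.rpm`, then extract with `rpm2cpio` and diff).

```python
import hashlib
import os
import tempfile

# One `rpm -q --dump <pkg>` line per packaged file (RPM's own format):
#   path size mtime digest mode owner group isconfig isdoc rdev symlink
# The digest is MD5 (32 hex) on older RPM, SHA-256 (64 hex) on newer;
# the symlink field is the literal "X" for anything that is not a symlink.


def parse_dump(text):
    """Turn dump output into {path: {size, digest, symlink}}."""
    entries = {}
    for line in text.splitlines():
        f = line.split()
        if len(f) < 11:
            continue  # skip blank or truncated lines
        entries[f[0]] = {"size": int(f[1]), "digest": f[3], "symlink": f[10]}
    return entries


def file_digest(path, algo):
    h = hashlib.new(algo)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_dump(dump_text, root):
    """Check every file in the dump against the tree under `root`
    (e.g. /mnt/sysimage when booted from rescue media).
    Returns {path: "ok" | "size mismatch" | "digest mismatch" | "missing" | ...}."""
    results = {}
    for path, meta in parse_dump(dump_text).items():
        on_disk = os.path.join(root, path.lstrip("/"))
        if meta["symlink"] != "X":
            results[path] = "symlink (not checked)"  # dump records a target, not a digest
            continue
        if set(meta["digest"]) == {"0"}:
            results[path] = "no digest recorded"  # directories, devices
            continue
        if not os.path.isfile(on_disk):
            results[path] = "missing"
            continue
        if os.path.getsize(on_disk) != meta["size"]:
            results[path] = "size mismatch"
            continue
        algo = "md5" if len(meta["digest"]) == 32 else "sha256"
        if file_digest(on_disk, algo) != meta["digest"]:
            results[path] = "digest mismatch"
        else:
            results[path] = "ok"
    return results


def demo(root=None):
    """CONSTRUCTED data: a fake root with one clean, one same-size tampered
    and one missing binary, plus dump lines computed from the clean bytes.
    On a real box the dump comes from `rpm -q --dump coreutils`."""
    root = root or tempfile.mkdtemp()
    good = b"\x7fELF stand-in for a clean cp binary v1"
    bad = good[:-1] + b"!"  # same length, different content
    os.makedirs(os.path.join(root, "bin"), exist_ok=True)
    with open(os.path.join(root, "bin", "cp"), "wb") as fh:
        fh.write(good)
    with open(os.path.join(root, "bin", "ls"), "wb") as fh:
        fh.write(bad)
    digest = hashlib.sha256(good).hexdigest()
    dump = "\n".join([
        "/bin/cp %d 1304500000 %s 0100755 root root 0 0 0 X" % (len(good), digest),
        "/bin/ls %d 1304500000 %s 0100755 root root 0 0 0 X" % (len(good), digest),
        "/bin/mv %d 1304500000 %s 0100755 root root 0 0 0 X" % (len(good), digest),
        "/usr/bin/cp 7 1304500000 %s 0120777 root root 0 0 0 /bin/cp" % ("0" * 64),
    ])
    return verify_dump(dump, root)


if __name__ == "__main__":
    for path, status in sorted(demo().items()):
        print(path, status)
```

This mirrors what `rpm -V --root /mnt/sysimage coreutils rpm` does natively from rescue media; writing it out makes the trust boundary visible: the comparison is only as good as the rpmdb on the suspect disk, which is why the thread points at the signature on the package itself.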