Virus.Org IT Security News and Information Portal. We offer the latest IT security news, updates, product reviews, books, and articles for all you IT security professionals out there. Enter and get the best IT security information on the Internet.

 
. Welcome to the Virus.Org Mailing List Archive  
.
.


[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]


Re: yes, its t0rn again
.

  • To: [EMAIL PROTECTED]
  • Subject: Re: yes, its t0rn again
  • From: Joe Stewart <[EMAIL PROTECTED]>
  • Date: Tue, 02 Jan 2001 17:43:11 +0100
  • In-reply-to: <[EMAIL PROTECTED]>
.
 
On Tuesday 02 January 2001 00:36, you wrote:
> Just curious if anyone has turned up any more bits of the new t0rn kit and
> reported them to you...  I am very interested in its ability to avoid md5
> checksums.
>
> Im guessing it simply trojans your local copy of md5sum, given its
> installed in the default location.  I knew there was a good reason I built
> my copy of md5sum from source and stuck it in /usr/local/bin/sec-tools/  =)

It could be a Linux kernel module that is being used to redirect exec calls
for selected binaries to a trojaned version hidden elsewhere on the system.
In this case, md5sum wouldn't detect any changes in the legit binaries,
because there wouldn't be any.

One such rootkit that uses this method is knark:
http://packetstorm.securify.com/UNIX/penetration/rootkits/knark-0.59.tar.gz

Regards,
-Joe

--
Joe Stewart
Information Security Analyst
LURHQ Corporation
===================
[EMAIL PROTECTED]
 
.
.
 
Copyright (c) Virus.Org 1997-2006.
All Trademarks Acknowledged.
Please view our Terms and Conditions and our Privacy Policy.