Date: Thu, 8 Sep 2016 13:44:19 +0300
Content-Type: text/plain; charset="us-ascii"
Hi Steven J. Yellin!
On 2016.09.07 at 19:03:32 -0700, Steven J. Yellin wrote next:
> Are rpm and the checksum tools statically linked? If not, hiding
> copies of them might not help if libraries have been compromised. But
> busybox is statically linked, and it looks like it can be easily used to
> replace most commands used to check security without going to the trouble of
> pulling files from it. For example, 'ln -s busybox md5sum' allows use of
> busybox's md5sum and 'ln -s busybox vi' allows use of its vi. See
> https://busybox.net/FAQ.html#getting_started .
A statically linked rpm won't help you at all. The malware in question
doesn't modify any system files or libraries; it installs a new (non
system-managed) library and creates an extra config file for the linker,
which has a random name and is treated as non system-managed as well. This
library preloads itself into any non-statically linked binary and replaces
libc functions.
rpm has absolutely nothing to do with non-system files; you can do as
many verify passes as you want, using a statically linked rpm binary if
you prefer, and it won't show you that anything is wrong.
--
Vladimir
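The gap Vladimir describes is that `rpm -V` only checks files a package owns, while the preloaded library and its linker config file are unowned. The complementary check is to start from the linker's configuration and ask rpm who owns each file it names. The script below is an added example for this thread, not code from either poster; it assumes an rpm-based system, constructs its own demo files (the library name is a placeholder), and takes a `--root`-style argument so it can be run against an offline-mounted filesystem. That last point matters because of the thread's own observation: once a library is preloaded into every dynamically linked process, a Python interpreter on the live host is hooked too, so run it from a rescue environment, or re-implement the same walk with a statically linked busybox.

```python
"""Audit the dynamic linker's preload and search configuration for files
that no package owns.  Added example for this thread, not the author's code.
Assumes an rpm-based system; point it at an offline-mounted root because a
preloaded library hooks libc in every dynamically linked process, this
interpreter included, so results from a live compromised host are suspect."""
import os
import shutil
import subprocess
import sys
import tempfile
from typing import Callable, Dict, List, Optional

LINKER_FILES = ("etc/ld.so.preload", "etc/ld.so.conf")
CONF_DIR = "etc/ld.so.conf.d"


def parse_ld_config(text: str) -> List[str]:
    """Entries of an ld.so.conf / ld.so.preload file: '#' starts a comment,
    plain entries are whitespace separated, 'include' lines are kept whole."""
    entries: List[str] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("include"):
            entries.append(line)
        else:
            entries.extend(line.split())
    return entries


def collect_linker_config(root: str) -> Dict[str, List[str]]:
    """Map each root-relative linker config path to the entries it declares."""
    paths = [os.path.join(root, p) for p in LINKER_FILES]
    conf_dir = os.path.join(root, CONF_DIR)
    if os.path.isdir(conf_dir):
        paths += sorted(os.path.join(conf_dir, n) for n in os.listdir(conf_dir))
    found: Dict[str, List[str]] = {}
    for path in paths:
        if os.path.isfile(path):
            with open(path, encoding="utf-8", errors="replace") as fh:
                found["/" + os.path.relpath(path, root)] = parse_ld_config(fh.read())
    return found


def rpm_owner(rel_path: str, root: str) -> Optional[str]:
    """Package owning rel_path inside root, via 'rpm -qf --root'; None when no
    package owns it (or rpm is not installed here)."""
    if shutil.which("rpm") is None:
        return None
    res = subprocess.run(["rpm", "-qf", "--root", root, rel_path],
                         capture_output=True, text=True)
    return res.stdout.strip() if res.returncode == 0 else None


def audit(root: str, owner: Callable[[str, str], Optional[str]] = rpm_owner) -> List[str]:
    """Findings: a preload file existing at all, linker config files that no
    package owns, and preloaded libraries that no package owns."""
    findings: List[str] = []
    for conf, entries in collect_linker_config(root).items():
        is_preload = conf == "/etc/ld.so.preload"
        if is_preload:
            findings.append(f"{conf} exists (absent on a stock system)")
        if owner(conf, root) is None:
            findings.append(f"unowned linker config: {conf}")
        for entry in entries:
            if not is_preload or entry.startswith("include"):
                continue  # search-path directories and include globs are not libraries
            if owner(entry, root) is None:
                findings.append(f"unowned preloaded library: {entry} (from {conf})")
    return findings


# --- constructed demo data, not taken from any real host ---------------------
DEMO_OWNED = {"/etc/ld.so.conf": "glibc", "/etc/ld.so.conf.d/kernel.conf": "kernel"}


def demo_owner(rel_path: str, root: str) -> Optional[str]:
    """Stand-in for rpm_owner so the audit can run where rpm is absent."""
    return DEMO_OWNED.get(rel_path)


def build_demo_root() -> str:
    """Temp root with stock-looking config plus an unowned preload entry."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, CONF_DIR))
    files = {
        "etc/ld.so.conf": "include /etc/ld.so.conf.d/*.conf\n",
        "etc/ld.so.conf.d/kernel.conf": "# kernel helper libs\n/usr/lib64/kernel\n",
        "etc/ld.so.preload": "/usr/lib/libRANDOM-placeholder.so\n",  # placeholder name
    }
    for rel, text in files.items():
        with open(os.path.join(root, rel), "w") as fh:
            fh.write(text)
    return root


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "/"
    for line in audit(target) or ["no findings"]:
        print(line)
```

Run as `python3 audit_preload.py /mnt/suspect` against a mounted root, and `rpm -qf --root /mnt/suspect` consults that root's package database rather than the rescue system's. Against the constructed demo root the audit reports three findings: the preload file exists, no package owns it, and the library it names is unowned; none of these would appear in any number of `rpm -V` passes, which is exactly the point made above.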