Hi Steven J. Yellin!

 On 2016.09.07 at 19:03:32 -0700, Steven J. Yellin wrote next:

>     Are rpm and the check sum tools statically linked?  If not, hiding
> copies of them might not help if libraries have been compromised.  But
> busybox is statically linked, and it looks like it can be easily used to
> replace most commands used to check security without going to the trouble of
> pulling files from it.  For example, 'ln -s busybox md5sum' allows use of
> busybox's md5sum and 'ln -s busybox vi' allows use of its vi. See
> https://busybox.net/FAQ.html#getting_started .

A statically linked rpm won't help you at all. The malware in question
doesn't modify any system files or libraries; it installs a new (non
system-managed) library and creates an extra config file for the linker;
it has a random name and is treated as non system-managed as well. This
library preloads itself for any non-statically linked binary and replaces
libc functions.

rpm has absolutely nothing to do with non-system files; you can do as
many verify passes as you want, using a statically linked rpm binary if
you prefer, and it won't show you that anything is wrong.

-- 

Vladimir
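
An added example, not part of the original message: since a verify pass only covers packaged files, this sketch instead lists the dynamic linker's inputs and reports the ones no package owns, using an ownership query (`rpm -qf`) rather than `rpm -V`. The paths are the glibc defaults and are an assumption (the thread does not name the file), and the function names are hypothetical.

```shell
#!/bin/sh
# Added example. Assumed glibc default paths (not named in the thread):
#   /etc/ld.so.preload, /etc/ld.so.conf, /etc/ld.so.conf.d/*
# Run from a statically linked shell (e.g. busybox sh): the thread says the
# library replaces libc functions in every dynamically linked binary.

# Default ownership check: succeeds when an RPM package owns the path.
# Substitute a statically linked rpm if the system one cannot be trusted.
rpm_owns() { rpm -qf "$1" >/dev/null 2>&1; }

# list_linker_inputs ROOT
# Print each linker config file under ROOT, then each library path named
# in ROOT/etc/ld.so.preload, one per line, relative to ROOT.
list_linker_inputs() {
    root=$1
    for f in "$root/etc/ld.so.preload" "$root/etc/ld.so.conf" \
             "$root"/etc/ld.so.conf.d/*; do
        [ -f "$f" ] && printf '%s\n' "${f#"$root"}"
    done
    if [ -f "$root/etc/ld.so.preload" ]; then
        # Entries are split on whitespace or colons; '#' starts a comment.
        sed 's/#.*//' "$root/etc/ld.so.preload" | tr ' :\t' '\n\n\n' |
            grep -v '^$'
    fi
}

# unowned_linker_inputs ROOT [OWNER_CHECK]
# Print "UNOWNED <path>" for each entry where OWNER_CHECK (default:
# rpm_owns) fails. ROOT is "" for the live system, or a mounted image.
unowned_linker_inputs() {
    root=$1
    check=${2:-rpm_owns}
    list_linker_inputs "$root" | while IFS= read -r p; do
        "$check" "$root$p" || printf 'UNOWNED %s\n' "$p"
    done
}

# Scan the live system only when asked to: sh thisfile --scan
if [ "${1:-}" = "--scan" ]; then
    unowned_linker_inputs ""
fi
```

On a clean system `/etc/ld.so.preload` normally does not exist, so any entry reported for it deserves a closer look; unowned files in `/etc/ld.so.conf.d/` can also be legitimate local configuration and need manual review.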