Re: RPM aware rootkits?

From: Michal Zalewski
Date: 02/14/02

Date: Wed, 13 Feb 2002 21:59:13 -0500 (EST)
From: Michal Zalewski <>
To: Anton Chuvakin <>

On Tue, 12 Feb 2002, Anton Chuvakin wrote:

> Do you know any of the RPM-aware rootkits for Linux which will not be
> detected by "rpm --verify"? I would prefer a direct edit of /var/lib/rpm
> rather than a trojaned rpm binary, but what the heck - whatever will do.

All rootkits that are stealth - i.e. modify the kernel or libraries to return
the original contents on open() but new contents on exec*() - are
automatically "RPM-aware". No reason to trust this mechanism more than any
other (Tripwire or such).

Michal Zalewski [] [security]
[] <=-=> bash$ :(){ :|:&};:
=-=> Did you know that clones never use mirrors? <=-=
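The divergence Michal describes is between two code paths: verification tools (rpm --verify, Tripwire, md5sum) see a file through open()/read(), while the kernel maps the file directly into a process at exec() time. The script below is an added example, not code from the thread or from RPM, showing one way to cross-check the two views on Linux: it parses /proc/<pid>/maps, reads the first page of the executable's mapped image out of /proc/<pid>/mem, and compares it with the first page of the file as open()/read() returns it. Helper names (parse_maps, first_file_mapping, compare_images, check_process) and the sample maps text are this example's own. The caveat is the point of the post: this can catch a library-level hook (a modified libc or an LD_PRELOAD shim) that serves pristine bytes to open(), but a kernel-level rootkit controls /proc as well, so a check run on the compromised host itself proves nothing in that case.

```python
"""Cross-check a running executable's in-memory image against the bytes
that open()/read() return for the same file.  Added example; assumes a
Linux /proc.  A library-level hook that fakes open() cannot change what
the kernel mapped at exec(); a kernel-level hook can fake both."""
import os
import re
import sys
from dataclasses import dataclass
from typing import List, Optional

PAGE = 4096

# One line of /proc/<pid>/maps looks like:
# 55d2c3a00000-55d2c3a01000 r--p 00000000 fd:01 1234   /usr/bin/true
_MAPS_RE = re.compile(
    r"^([0-9a-f]+)-([0-9a-f]+)\s+(\S{4})\s+([0-9a-f]+)\s+\S+\s+\d+\s*(.*)$")


@dataclass
class Mapping:
    start: int
    end: int
    perms: str
    offset: int   # file offset the mapping begins at
    path: str


def parse_maps(text: str) -> List[Mapping]:
    """Parse the text of /proc/<pid>/maps into Mapping records."""
    maps = []
    for line in text.splitlines():
        m = _MAPS_RE.match(line)
        if not m:
            continue
        maps.append(Mapping(int(m.group(1), 16), int(m.group(2), 16),
                            m.group(3), int(m.group(4), 16),
                            m.group(5).strip()))
    return maps


def first_file_mapping(maps: List[Mapping], path: str) -> Optional[Mapping]:
    """Readable mapping of `path` that starts at file offset 0, i.e. the
    one holding the ELF header the kernel read at exec() time."""
    for m in maps:
        if m.path == path and m.offset == 0 and "r" in m.perms:
            return m
    return None


def compare_images(disk: bytes, mem: bytes) -> List[int]:
    """Byte offsets (within the common prefix) where the mapped image
    differs from what open()/read() returned for the file."""
    n = min(len(disk), len(mem))
    return [i for i in range(n) if disk[i] != mem[i]]


def check_process(pid: int) -> dict:
    """Compare the first page of pid's executable as mapped by the kernel
    with the first page as read through open()/read()."""
    exe = os.readlink(f"/proc/{pid}/exe")
    with open(f"/proc/{pid}/maps") as f:
        maps = parse_maps(f.read())
    m = first_file_mapping(maps, exe)
    if m is None:
        raise RuntimeError(f"no offset-0 mapping of {exe} in pid {pid}")
    length = min(PAGE, m.end - m.start)
    # /proc/<pid>/mem gives the bytes the kernel actually mapped.
    with open(f"/proc/{pid}/mem", "rb", buffering=0) as f:
        f.seek(m.start)
        mem = f.read(length)
    # The ordinary read path, which a libc-level hook could be lying on.
    with open(exe, "rb") as f:
        disk = f.read(length)
    if not mem.startswith(b"\x7fELF"):
        raise RuntimeError(f"mapped image of {exe} is not an ELF header")
    diffs = compare_images(disk, mem)
    return {"exe": exe, "bytes_compared": length, "diff_offsets": diffs}


if __name__ == "__main__":
    # Usage: python3 check_exec_vs_open.py [pid]   (defaults to self)
    target = int(sys.argv[1]) if len(sys.argv) > 1 else os.getpid()
    result = check_process(target)
    verdict = "MATCH" if not result["diff_offsets"] else "DIVERGENCE"
    print(verdict, result)
```

Run it against a long-lived daemon rather than a short-lived command, since the process must still be alive when /proc is read, and run it as root or as the process owner (ptrace access rules gate /proc/<pid>/mem). A non-empty diff_offsets list means the bytes the kernel executed are not the bytes open() hands to verifiers, which is exactly the condition under which rpm --verify reports a clean file.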