Re: RPM aware rootkits?

From: Michal Zalewski (lcamtuf@coredump.cx)
Date: 02/14/02


Date: Wed, 13 Feb 2002 21:59:13 -0500 (EST)
From: Michal Zalewski <lcamtuf@coredump.cx>
To: Anton Chuvakin <anton@chuvakin.org>

On Tue, 12 Feb 2002, Anton Chuvakin wrote:

> Do you know any of the RPM-aware rootkits for Linux which will not be
> detected by "rpm --verify"? I would prefer a direct edit of /var/lib/rpm
> rather than a trojaned rpm binary, but what the heck - whatever will do.

All rootkits that are stealth - i.e. modify kernel or libraries to return
original contents on open() but new contents on exec*() - are
automatically "RPM-aware". No reason to trust this mechanism more than any
other (tripwire or such).

-- 
_____________________________________________________
Michal Zalewski [lcamtuf@bos.bindview.com] [security]
[http://lcamtuf.coredump.cx] <=-=> bash$ :(){ :|:&};:
=-=> Did you know that clones never use mirrors? <=-=
          http://lcamtuf.coredump.cx/photo/
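The reply above makes the defender's point: `rpm --verify` reads files through the same kernel a stealth rootkit controls, so a clean report from a live system proves nothing. The following added example (not code from the thread or from the rpm project) parses `rpm -Va` output into a list of packaged files whose contents no longer match the package database; it is useful precisely when the verify run was done from a trusted environment, e.g. a clean boot medium with the suspect root mounted and checked via `rpm --root`. The sample output lines are constructed; the flag letters and their positions follow rpm's documented verify format (S M 5 D L U G T P).

```python
"""Summarise `rpm -Va` output, flagging packaged files whose contents differ.

Added example; the sample output below is constructed, not taken from the thread.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Meaning of each flag character in an rpm verify line (see rpm(8), VERIFY OPTIONS).
# A "." means the test passed, "?" means the test could not be performed.
FLAG_MEANINGS = {
    "S": "size differs",
    "M": "mode (permissions/type) differs",
    "5": "digest differs",
    "D": "device major/minor differs",
    "L": "readlink path differs",
    "U": "user ownership differs",
    "G": "group ownership differs",
    "T": "mtime differs",
    "P": "capabilities differ",
}


@dataclass
class VerifyEntry:
    path: str
    flags: str        # e.g. "S.5....T." ; empty for missing files
    file_type: str    # "c" config, "d" doc, "g" ghost, "l" license ... or "" for plain files
    missing: bool

    @property
    def content_changed(self) -> bool:
        # Size or digest mismatch (or a missing file) means the on-disk bytes differ.
        return self.missing or "5" in self.flags or "S" in self.flags


def parse_verify_line(line: str) -> Optional[VerifyEntry]:
    """Parse one `rpm -V` line; returns None for blank or unrecognised lines."""
    parts = line.split()
    if not parts:
        return None
    if parts[0] == "missing":
        # Forms: "missing   /path" or "missing   c /path"
        ftype = parts[1] if len(parts) == 3 else ""
        return VerifyEntry(path=parts[-1], flags="", file_type=ftype, missing=True)
    flags = parts[0]
    # Older rpm prints 8 flag characters, newer prints 9; accept either.
    if len(parts) not in (2, 3) or not all(ch in "SM5DLUGTP.?" for ch in flags):
        return None
    ftype = parts[1] if len(parts) == 3 else ""
    return VerifyEntry(path=parts[-1], flags=flags, file_type=ftype, missing=False)


def suspicious_entries(lines: Iterable[str]) -> List[VerifyEntry]:
    """Non-config packaged files whose contents differ from what the RPM database records.

    Config files ("c") are excluded because local edits to them are expected;
    a changed or missing binary or library is what deserves a look.
    """
    out = []
    for line in lines:
        entry = parse_verify_line(line)
        if entry and entry.content_changed and entry.file_type != "c":
            out.append(entry)
    return out


def describe(entry: VerifyEntry) -> str:
    """Human-readable one-liner for a verify entry."""
    if entry.missing:
        return f"{entry.path}: missing"
    reasons = [FLAG_MEANINGS[ch] for ch in entry.flags if ch in FLAG_MEANINGS]
    return f"{entry.path}: " + ", ".join(reasons)


# Constructed sample of `rpm -Va` output (not real verification results).
SAMPLE_OUTPUT = """\
S.5....T.  c /etc/ssh/sshd_config
.......T.    /usr/bin/ps
S.5....T.    /bin/ls
missing     /usr/lib64/libproc.so.0
..?......    /usr/sbin/sshd
"""

if __name__ == "__main__":
    for entry in suspicious_entries(SAMPLE_OUTPUT.splitlines()):
        print(describe(entry))
```

To feed it real data, pipe `rpm -Va` into it, ideally run from a clean boot with the suspect filesystem mounted under a directory and passed via `rpm --root /mnt/suspect -Va`, so that open() and the database lookups are served by a kernel the rootkit does not control. On the constructed sample, /bin/ls (size and digest differ) and the missing libproc library are reported; the mtime-only change on /usr/bin/ps and the edited config file are not.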