Re: RPM aware rootkits?

From: Michael H. Warfield (mhw@wittsend.com)
Date: 02/19/02


Date: Tue, 19 Feb 2002 17:52:22 -0500
From: "Michael H. Warfield" <mhw@wittsend.com>
To: Anton Chuvakin <anton@chuvakin.org>

On Tue, Feb 12, 2002 at 01:44:52PM -0500, Anton Chuvakin wrote:
> Hello all,

> After spending some time in google.com, I decided to ask it here.

> Do you know any of the RPM-aware rootkits for Linux which will not be
> detected by "rpm --verify"? I would prefer a direct edit of /var/lib/rpm
> rather than a trojaned rpm binary, but what the heck - whatever will do.

        The rootkit "BOBKit" carries a list of update rpms for various
RedHat distros. When it runs, it determines what distro is running
and then downloads legitimate updates for that system and installs
them (generally closing the door it snuck in through - hackers worry
about getting hacked too), then downloads some trojan/backdoor rpms
and installs them. Since it's using rpm to install itself and its
backdoors, it doesn't have to worry about diddling your rpm database.
The database will be right up to date with what BOBKit installed
on your system. Game over...

> I need to deploy something on Linux which will pass the "rpm -V", but will
> involve replacing some binaries. I can rebuild the stuff from source
> RPMs, recreate the package and then replace the stock RPM, but it is too
> messy (the GPG sig will be different, but that will hopefully be OK for the
> honeypot).
>
> Thanks a lot for responses!
>
> Best regards,
> --
> Anton A. Chuvakin, Ph.D.
> http://www.chuvakin.org
> http://www.info-secure.org

-- 
 Michael H. Warfield    |  (770) 985-6132   |  mhw@WittsEnd.com
  /\/\|=mhw=|\/\/       |  (678) 463-0932   |  http://www.wittsend.com/mhw/
  NIC whois:  MHW9      |  An optimist believes we live in the best of all
 PGP Key: 0xDF1DD471    |  possible worlds.  A pessimist is sure of it!
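A check a defender can run against the BOBKit scenario described above, as an added example (not code from the thread or from the rootkit): because the rootkit installs through rpm, the database stays self-consistent and "rpm -V" is silent, but the packages it adds are not signed by the vendor's key, so listing every installed package whose signature key is not on a trusted list surfaces them. The key IDs and package names below are constructed placeholders; the query tags are assumed to be the SIGPGP/SIGGPG/DSAHEADER/RSAHEADER set of rpm 4.x.

```shell
#!/bin/sh
# List installed RPMs that are NOT signed by a key you trust.
# A rootkit that installs through rpm leaves the database consistent,
# so "rpm -V" passes; the signature key on each package is a check the
# database alone does not give you.
# Constructed placeholder key IDs (16 hex digits), not real vendor keys.
TRUSTED_KEYIDS="1111222233334444 5555666677778888"

# Live query for a real host (rpm 4.x tags; which ones are populated
# depends on the rpm version). Run it with a known-good rpm binary.
query_installed() {
    rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}|%{SIGPGP:pgpsig}|%{SIGGPG:pgpsig}|%{DSAHEADER:pgpsig}|%{RSAHEADER:pgpsig}\n'
}

# Read "pkg|sig|sig|..." lines on stdin; print each package whose
# signature key IDs (the 16 hex digits after "Key ID") include none
# of the IDs in $1. Unsigned packages ("(none)" everywhere) have no
# key ID at all and are printed too.
flag_untrusted() {
    trusted=" $1 "
    while IFS= read -r line; do
        pkg=${line%%|*}
        sigs=${line#*|}
        keyids=$(printf '%s\n' "$sigs" \
            | grep -oi 'Key ID [0-9a-f]\{16\}' \
            | awk '{print tolower($3)}')
        ok=0
        for k in $keyids; do
            case "$trusted" in *" $k "*) ok=1 ;; esac
        done
        [ "$ok" -eq 1 ] || printf '%s\n' "$pkg"
    done
}

# Constructed sample of what query_installed prints: one package signed
# with a trusted key, one signed with an unknown key, one unsigned.
SAMPLE='bash-2.05-8|RSA/MD5, Tue 19 Feb 2002 12:00:00, Key ID 1111222233334444|(none)|(none)|(none)
openssh-server-3.1p1-2|(none)|DSA/SHA1, Tue 19 Feb 2002 12:00:00, Key ID deadbeefdeadbeef|(none)|(none)
login-1.0-1|(none)|(none)|(none)|(none)'

printf '%s\n' "$SAMPLE" | flag_untrusted "$TRUSTED_KEYIDS"
# On a live host: query_installed | flag_untrusted "$TRUSTED_KEYIDS"
```

Keep the trusted key list off the suspect machine rather than reading it from that host's own rpm database, and run the query with an rpm binary you trust, since both can be replaced by whatever installed the packages.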
