Re: RPM aware rootkits?

From: Michael H. Warfield (mhw@wittsend.com)
Date: 02/19/02


Date: Tue, 19 Feb 2002 17:52:22 -0500
From: "Michael H. Warfield" <mhw@wittsend.com>
To: Anton Chuvakin <anton@chuvakin.org>

On Tue, Feb 12, 2002 at 01:44:52PM -0500, Anton Chuvakin wrote:
> Hello all,

> After spending some time in google.com, I decided to ask it here.

> Do you know any of the RPM-aware rootkits for Linux which will not be
> detected by "rpm --verify". I would prefer direct edit of /var/lib/rpm
> rather than a trojaned rpm binary, but what the heck - whatever will do.

        The rootkit "BOBKit" carries a list of update rpms for various
RedHat distros. When it runs, it determines what distro is running
and then downloads legitimate updates for that system and installs
them (generally closing the door it snuck in through - hackers worry
about getting hacked too) then downloads some trojan/backdoor rpms
and installs them. Since it's using rpm to install itself and its
backdoors, it doesn't have to worry about diddling your rpm database.
The database will be right up to date with what BOBKit installed
on your system. Game over...

> I need to deploy something on Linux which will pass the "rpm -V", but will
> involve replacing some binaries. I can rebuild the stuff from source
> RPMs, recreate the package and then replace the stock RPM, but it is too
> messy (GPG sig will be different, but that will hopefully be OK for the
> honeypot).
>
> Thanks a lot for responses!
>
> Best regards,
> --
> Anton A. Chuvakin, Ph.D.
> http://www.chuvakin.org
> http://www.info-secure.org

-- 
 Michael H. Warfield    |  (770) 985-6132   |  mhw@WittsEnd.com
  /\/\|=mhw=|\/\/       |  (678) 463-0932   |  http://www.wittsend.com/mhw/
  NIC whois:  MHW9      |  An optimist believes we live in the best of all
 PGP Key: 0xDF1DD471    |  possible worlds.  A pessimist is sure of it!
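The point of the reply above is that "rpm -V" only compares files on disk against whatever the rpm database says was installed, so a package that was installed through rpm itself verifies cleanly. The defender's complementary check is to ask which key signed each installed package and which public keys are present in the rpm keyring. The script below is an added example written for this thread, not code from either correspondent or from the rpm project; the package names, key IDs and timestamps in its sample data are constructed placeholders, and it assumes the "rpm -qa" query-format shown in QUERY_FORMAT (the signature header tag name varies between rpm releases, which is why the format tries several). It should be run with an rpm binary from trusted media, since a trojaned rpm could lie about signatures just as easily as about file checksums.

```python
"""Audit installed RPM signatures against a set of trusted signing keys.

Two checks that "rpm -V" does not perform:
  1. every installed package must carry a signature from a trusted key;
  2. no public key other than the expected vendor keys may be imported
     into the rpm keyring (the gpg-pubkey pseudo-packages).
"""
import re
import subprocess

# Query format that prints "<name>-<version>-<release> <signature summary>".
# The conditional tries the header tags used by different rpm versions.
QUERY_FORMAT = (
    "%{NAME}-%{VERSION}-%{RELEASE} "
    "%|DSAHEADER?{%{DSAHEADER:pgpsig}}:{%|RSAHEADER?{%{RSAHEADER:pgpsig}}:"
    "{%|SIGGPG?{%{SIGGPG:pgpsig}}:{%|SIGPGP?{%{SIGPGP:pgpsig}}:{(none)}|}|}|}|\n"
)

# Constructed placeholder: the long key ID of the distribution's signing key.
TRUSTED_KEY_IDS = {"0123456789abcdef"}

# Constructed sample of "rpm -qa --qf QUERY_FORMAT" output.
SAMPLE_PACKAGE_LINES = """\
bash-2.05-8 DSA/SHA1, Tue Jan 29 2002, Key ID 0123456789abcdef
openssh-server-3.1p1-2 DSA/SHA1, Thu Mar 07 2002, Key ID 0123456789abcdef
net-tools-1.60-3 (none)
bindshell-1.0-1 DSA/SHA1, Mon Feb 18 2002, Key ID feedfacecafebeef
"""

# Constructed sample of "rpm -q gpg-pubkey" output. The package name ends in
# the low 32 bits of the key ID followed by the key creation time (hex).
SAMPLE_PUBKEY_LINES = """\
gpg-pubkey-89abcdef-3c5a1234
gpg-pubkey-cafebeef-3c70ffff
"""

KEY_ID_RE = re.compile(r"Key ID ([0-9a-fA-F]{16})")
PUBKEY_RE = re.compile(r"^gpg-pubkey-([0-9a-fA-F]{8})-[0-9a-fA-F]{8}$")


def audit_signatures(query_output, trusted=TRUSTED_KEY_IDS):
    """Return [(package, reason)] for packages that are unsigned or signed
    by a key outside `trusted`. Packages signed by a trusted key are silent."""
    findings = []
    for line in query_output.splitlines():
        if not line.strip():
            continue
        package, _, signature = line.partition(" ")
        match = KEY_ID_RE.search(signature)
        if match is None:
            # "(none)" or an unparseable signature summary: treat as unsigned.
            findings.append((package, "unsigned"))
        elif match.group(1).lower() not in {k.lower() for k in trusted}:
            findings.append((package, "untrusted key " + match.group(1).lower()))
    return findings


def audit_imported_keys(pubkey_output, trusted=TRUSTED_KEY_IDS):
    """Return the gpg-pubkey packages whose short key ID does not match the
    tail of any trusted long key ID, i.e. keys someone imported that the
    distribution did not ship."""
    trusted_short = {k.lower()[-8:] for k in trusted}
    unexpected = []
    for line in pubkey_output.splitlines():
        match = PUBKEY_RE.match(line.strip())
        if match and match.group(1).lower() not in trusted_short:
            unexpected.append(line.strip())
    return unexpected


def run_live_audit(rpm_binary="rpm"):
    """Run both checks against the local host. `rpm_binary` should point at a
    copy of rpm on read-only trusted media, not the one on the suspect host."""
    packages = subprocess.run([rpm_binary, "-qa", "--qf", QUERY_FORMAT],
                              capture_output=True, text=True, check=True).stdout
    pubkeys = subprocess.run([rpm_binary, "-q", "gpg-pubkey"],
                             capture_output=True, text=True).stdout
    return audit_signatures(packages), audit_imported_keys(pubkeys)


if __name__ == "__main__":
    for package, reason in audit_signatures(SAMPLE_PACKAGE_LINES):
        print("SUSPECT %-24s %s" % (package, reason))
    for key in audit_imported_keys(SAMPLE_PUBKEY_LINES):
        print("UNEXPECTED KEY %s" % key)
```

On the sample data the unsigned net-tools package and the bindshell package signed by an unknown key are flagged, and the second gpg-pubkey entry is reported as an import that does not belong to the vendor key. The vendor updates that BOBKit pulls down legitimately would pass the first check, which is exactly why the second check matters: a kit that wants its own packages to look clean has to import its own key, and that import is visible.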