Re: Possible LKM Trojan installed
Note: top posting fixed. Please don't do that. Also overquoting trimmed.
On Sat, Aug 25, 2007 at 02:43:41AM -0500, Jude DaShiell wrote:
> On Fri, 24 Aug 2007, Mike Bird wrote:
> >On Friday 24 August 2007 17:59, Jude DaShiell wrote:
> >>How these trojans survive is by surviving operating system reinstalls.
> >>The better trojans hide themselves in several out of the way places on
> >>disks and after adjacent areas have got their new files copy themselves
> >>back into the areas where no more disk wiping by the installer is about to
> >>happen. Trojan file names get changed whenever this happens too.
> >How would a trojan be activated to copy itself back if block zero was
> >wiped, a new partition table was installed, and new file systems
> >created? Yes, an image of a trojan may still exist in the unused sectors
> >of the first track of a partition, but how could it be activated?
> Very easily. The very first thing the trojan did after installing itself
> was to call home. Home has the address of the trojaned machine. Home can
> then check up on its trojan and maintain it and activate it or repair it
> as necessary.
That makes zero sense, unless you assume the newly installed system will
have the same security hole as the first. If it does, then why bother
reactivating the former Trojan? Just install it again.
In any case, the LKM warning is a WELL KNOWN FALSE POSITIVE from chkrootkit.
IIRC it can be caused by something as simple as a very high system load.
Carl Fink email@example.com
Read my blog at nitpickingblog.blogspot.com. Reviews! Observations!
Stupid mistakes you can correct!
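As an added illustration (not code from this thread or from chkrootkit itself), the Python below shows why a chkproc-style "hidden process" comparison, which is what produces the "Possible LKM Trojan installed" line, misfires when processes start or exit between its two listings, and how requiring the same PID to be flagged on repeated passes filters that noise. The snapshot data is constructed, and the function names and the `live_snapshot()` helper are assumptions of this example.

```python
import os
import subprocess
from typing import Iterable, List, Sequence, Set, Tuple

Snapshot = Tuple[Set[int], Set[int]]  # (PIDs seen in /proc, PIDs reported by ps)


def naive_hidden_pids(proc_pids: Iterable[int], ps_pids: Iterable[int]) -> Set[int]:
    """Single-pass comparison in the spirit of chkrootkit's chkproc test:
    every PID that the /proc listing shows but ps does not is reported as
    'hidden'. The two listings are taken at different instants, so any
    process that exits in between looks hidden. On a heavily loaded box
    the gap is wider and process churn is higher, hence the false alarm."""
    return set(proc_pids) - set(ps_pids)


def confirmed_hidden_pids(passes: Sequence[Snapshot], quorum: int = 2) -> Set[int]:
    """Stricter variant: a PID counts as hidden only if it is flagged in at
    least `quorum` passes AND is still present in /proc at the last pass.
    A short-lived process caught by one race cannot satisfy both."""
    if not passes:
        return set()
    counts = {}
    for proc_pids, ps_pids in passes:
        for pid in naive_hidden_pids(proc_pids, ps_pids):
            counts[pid] = counts.get(pid, 0) + 1
    last_proc = passes[-1][0]
    return {pid for pid, n in counts.items() if n >= quorum and pid in last_proc}


# Constructed snapshots (not real data). PID 100 is a short-lived process
# that exited between the /proc read and the ps run of pass 1.
PASSES_CHURN: List[Snapshot] = [
    ({1, 2, 100, 555}, {1, 2, 555}),
    ({1, 2, 101, 555}, {1, 2, 101, 555}),
    ({1, 2, 555}, {1, 2, 555}),
]

# Constructed: PID 4242 is present in /proc on every pass but never in ps
# output, the persistent pattern a genuinely hidden process would show.
PASSES_PERSISTENT: List[Snapshot] = [
    ({1, 2, 555, 4242}, {1, 2, 555}),
    ({1, 2, 555, 4242}, {1, 2, 555}),
    ({1, 2, 555, 4242}, {1, 2, 555}),
]


def live_snapshot() -> Snapshot:
    """Take one real (proc, ps) pair on a Linux host. Only used from main()."""
    proc_pids = {int(d) for d in os.listdir("/proc") if d.isdigit()}
    out = subprocess.run(["ps", "-eo", "pid="], capture_output=True,
                         text=True, check=True).stdout
    ps_pids = {int(tok) for tok in out.split()}
    return proc_pids, ps_pids


if __name__ == "__main__":
    print("naive, churn pass 1:", naive_hidden_pids(*PASSES_CHURN[0]))
    print("confirmed, churn:", confirmed_hidden_pids(PASSES_CHURN))
    print("confirmed, persistent:", confirmed_hidden_pids(PASSES_PERSISTENT))
    if os.path.isdir("/proc"):
        live = [live_snapshot() for _ in range(3)]
        print("confirmed, live:", confirmed_hidden_pids(live))
```

Running the naive check once on the constructed "churn" data flags PID 100 even though nothing is hiding it; the repeated-pass check reports nothing for that data and only reports 4242, which stays invisible to ps on every pass. Re-running chkrootkit on an idle system, or cross-checking the flagged PIDs against a second /proc read, is the practical version of the same idea.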