
Re: Debian auditing tool?



You are correct in that the binary would have to be scanned as well,
but I was thinking of recompiling the binary from the scanned source.
As to doing the search to find possible "signatures" that viruses have,
since many viruses are deviations of an original virus you can use pattern
matching from an original Back Orifice trojan to catch Back Orifice 2000.
To get a list or code of these viruses, www.antionline.org, www.mcafee.com,
and other virus scan sites will give you lists and even a very complete
display of the known familiar viruses and trojans on the internet.  It is
a good start.  Something several commercial companies are developing
currently, and it would be a good project to start with GNU probably.

Also, with the Debian Firewall/Gibraltar? (sorry for the spelling), does
it include SNMP and remote manageability?

Dan

---- Peter Cordes <peter@llama.nslug.ns.ca> wrote:
> On Thu, Dec 21, 2000 at 03:37:56PM +0100, Christian Kurz wrote:
> > On 00-12-21 Dan Hutchinson wrote:
> > > Sorry it was forensics, but the code is basically matching the machine
> > > code, a unique pattern of 1's and 0's to the machine code of the kernel.
> > 
> > Well, but then you need to know all patterns of malicious code that could
> > occur. I think this will be a lot of patterns that you have to search
> > for, so that the search will take a long time.
> > 
> > > Unless you have a kernel file that doesn't have 1's and 0's in machine
> > > language, you can scan the code.  I am not sure how ASM code is written
> > > though.
> > 
> > Well, ASM (assembler) also comes down to 1 and 0 if you think about the
> > machine-code that is used by the processor. I thought you wanted to scan
> > the code that you find beneath /usr/src/linux.
> 
>  You have to search the binary kernel image.  If you just scan the source,
> you have no way of knowing that the binary came from the source.  Someone
> could hack the binary without changing the source.  If there are any
> commonly-made changes to the binary, then you could look for them.
> 
>  It will be hard to do, and impossible to do perfectly.  The Right Way is to
> keep a hash of your kernel binary so you know if it changes.  BTW, md5 has
> not been broken, AFAIK, so there is no currently known way to change a
> binary without changing its MD5 hash, except trial and error, which would
> take a lot more _years_ than anyone would want to wait!  You expressed doubt
> about this earlier.  Rest assured that no real breaks in MD5 have been made
> public.  (The NSA might have something, but they don't publish.)  The md5sum
> manpage notes:
>        The related MD4 message digest  algorithm  was  broken  in
>        October  1995.  MD5 isn't looking as secure as it used to.
> 
>  I think a signed database of stuff that's supposed to be in Debian, and a
> decent way to make a bootable CD that downloads what it needs, and checks
> what's on your drive, is a good start.  If the MD5 sum lists are signed, you
> don't need to trust the server you download them from.
> 
> -- 
> #define X(x,y) x##y
> Peter Cordes ;  e-mail: X(peter@llama.nslug. , ns.ca)
> 
> "The gods confound the man who first found out how to distinguish the hours!
>  Confound him, too, who in this place set up a sundial, to cut and hack
>  my day so wretchedly into small pieces!" -- Plautus, 200 BCE
> 
> 
> --  
> To UNSUBSCRIBE, email to debian-security-request@lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
> 
> 

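Peter's "keep a hash of your kernel binary and check it against a signed list" approach, as an added example that is not code from anyone in this thread. It uses SHA-256 rather than MD5 (practical MD5 collisions have been public since 2004, so MD5 should no longer be relied on for this), and authenticates the manifest with an HMAC under a demo key as a standard-library stand-in for the detached public-key signature (e.g. gpg) the thread has in mind. The file tree, the key, the fake kernel image and the "binary patched without touching the source" scenario are all constructed for the demo.

```python
"""Hash-manifest verification of installed binaries (added example)."""
import hashlib
import hmac
import os
import tempfile

# Constructed demo key.  A real deployment signs the manifest with a private
# key (e.g. gpg --detach-sign) so verifiers need only the public key; HMAC is
# used here only because the standard library has no asymmetric signatures.
# The point is the same: without the signing secret, nobody can issue a
# manifest that verifiers will accept.
MANIFEST_KEY = b"demo-manifest-key-not-for-production"


def file_digest(path, algo="sha256"):
    """Hash a file in chunks so a large kernel image need not fit in RAM."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root, rel_paths, algo="sha256"):
    """Return (body, tag): a sha256sum-style listing plus its authentication tag."""
    lines = ["%s  %s" % (file_digest(os.path.join(root, p), algo), p)
             for p in sorted(rel_paths)]
    body = "\n".join(lines) + "\n"
    tag = hmac.new(MANIFEST_KEY, body.encode(), "sha256").hexdigest()
    return body, tag


def verify_manifest(root, body, tag, algo="sha256"):
    """Check the manifest's tag first, then every file it lists.

    Returns which files are ok / changed / missing.  Raises if the manifest
    itself does not authenticate, because its digests are then worthless.
    """
    expected = hmac.new(MANIFEST_KEY, body.encode(), "sha256").hexdigest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("manifest failed authentication; do not trust its digests")
    report = {"ok": [], "changed": [], "missing": []}
    for line in body.splitlines():
        digest, rel = line.split("  ", 1)
        full = os.path.join(root, rel)
        if not os.path.isfile(full):
            report["missing"].append(rel)
        elif hmac.compare_digest(file_digest(full, algo), digest):
            report["ok"].append(rel)
        else:
            report["changed"].append(rel)
    return report


def demo():
    """Constructed scenario: the installed kernel image is patched in place
    while the source tree is untouched, then an attacker tries to re-issue
    a manifest that matches the patched binary."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "boot"))
        files = {
            "boot/vmlinuz": b"\x7fELF" + bytes(range(256)) * 4,  # fake kernel image
            "boot/System.map": b"c0100000 T _text\n",
        }
        for rel, data in files.items():
            with open(os.path.join(root, rel), "wb") as f:
                f.write(data)

        body, tag = build_manifest(root, files)
        before = verify_manifest(root, body, tag)   # everything matches

        # Patch one byte of the binary: no source changed, but the hash did.
        with open(os.path.join(root, "boot/vmlinuz"), "r+b") as f:
            f.seek(100)
            f.write(b"\x90")
        after = verify_manifest(root, body, tag)    # vmlinuz reported as changed

        # The attacker can recompute digests for the patched tree (no key
        # needed for that) but must reuse the old tag, so it is rejected.
        forged_body = "".join("%s  %s\n" % (file_digest(os.path.join(root, p)), p)
                              for p in sorted(files))
        try:
            verify_manifest(root, forged_body, tag)
            forged_rejected = False
        except ValueError:
            forged_rejected = True

        return {"before": before, "after": after, "forged_rejected": forged_rejected}


if __name__ == "__main__":
    print(demo())
```

The manifest body is deliberately in `sha256sum -c` format, so on a real system the same listing can be checked from a boot CD with `sha256sum -c` after the signature on it has been verified; what the script adds over that is the rule that the signature check comes before any digest is believed.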


