Re: gmonstart / jvregisterclasses in tons of binaries with commands, malware?

To: debian-security@lists.debian.org
Subject: Re: gmonstart / jvregisterclasses in tons of binaries with commands, malware?
From: Drake Wilson <drake@begriffli.ch>
Date: Wed, 16 Dec 2009 22:47:28 -0600
Message-id: <[🔎] 20091217044727.GA11287@drache.begriffli.ch>
Mail-followup-to: debian-security@lists.debian.org
In-reply-to: <[🔎] N1B-aUiG6bOFXb@Safe-mail.net>
References: <[🔎] N1B-aUiG6bOFXb@Safe-mail.net>

Quoth whereislibertyandjustice@Safe-mail.net, on 2009-12-16 17:59:13 -0500:
> Whether I run 'strings' on the binary files or view with vim or gedit, here
> is what is always seen inside the binaries:
> 
> __gmon_start__
> _Jv_RegisterClasses

These are internal symbols generated by the compiler.  __gmon_start__
is used for profiling, and _Jv_RegisterClasses is part of the GCJ Java
ABI, at least based on a cursory glance at the GCC source.

You might notice that an executable freshly compiled with GCC 4.3 from
unstable has these symbols as "weak symbols".  I would hazard a guess
that they're stub functions called from common startup code in case
the relevant object files get linked with Java code or anything with
profiling enabled (in which case the real functions would be pulled in
and override the stubs).

> I've purchased Linux CDs from brick + mortar stores, downloaded ISOs
> from different physical locations and found some CDs contained these
> strings in the binaries and one or two rare ones did not, but when
> installed/updated on a network connection the binaries replaced in
> the update process would show these strings!

In other words, most likely, you upgraded the binaries from versions
compiled with an old compiler (and therefore not having the same
internal symbols) to ones compiled with a new compiler.

As for OpenBSD, it's entirely plausible that a different platform
would port the compiler differently, or use more aggressive symbol
stripping, or a slightly different C library, or any number of other
things that might perturb the internal symbols, since they're not
meant to be highly stable and portable.

> every Linux user I've asked to date calls me paranoid

I'd have to agree on that one, in this regard.

> The strings may/may not be common, but in comparing commands which
> follow these strings I've noticed some which seem down right
> malicious!

This is a pretty ill-defined statement, but I'm curious what strings
exactly you've seen that make you think this.  Of course, it's
impossible for me to determine definitively that you don't have some
_other_ hostile factor on your machine.

   ---> Drake Wilson

Reply to:

References:
- gmonstart / jvregisterclasses in tons of binaries with commands,malware?
  - From: whereislibertyandjustice@Safe-mail.net

Prev by Date: Re: gmonstart / jvregisterclasses in tons of binaries with commands,malware?
Next by Date: Re: gmonstart / jvregisterclasses in tons of binaries with commands,malware?
Previous by thread: Re: gmonstart / jvregisterclasses in tons of binaries with commands,malware?
Next by thread: Re: gmonstart / jvregisterclasses in tons of binaries with commands,malware?
Index(es):
- Date
- Thread