[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Have I caught a firmware attack in the act? Or am I just paranoid?

Another potential home for this script is tiger, which also currently has an MD5-only checker:


It may be more probable that they simply infect a hidden file in your home directory[...]
   I would presume that you have booted from DVD when checking your installation since it does not make sense to check from within an infected system. That would be going to fail in almost 100% of the cases.

This check was done from within the system (it was never intended to be a perfect test - as you note, it can be evaded by infecting a non-package-owned file), but my script can also do checking from a DVD boot.

  An infected system will also alter the md5sum utility so that it will return the md5 of the pristine file instead of the altered one which is actually on disk (I have already seen that). Concerning your program I have seen that it uses /var/lib/dpkg/info/$2.md5sums. This is inherently unsafe because an attacker can simply alter this file alongside with all the other altered file. Anyone knows about this file and if I logged in via ssh an did some manual cracking then I also replaced the md5-s in that file with sed -i.

  Nonetheless manual sha512-lists are generally more secure than tools just checking files in the packages like debcheckroot because they also record files that are not in the installation database as well as files auto-generated/altered on installation by installation scripts. You can create such an sha512-list after securely offline-installing and put it on an sdcard which you take always with you. I like sdcards because they have a read only switch and are very small and flat so that you can easily take them with you. Read only switches are a security feature because you can read the content without the fear that it may be altered. Of course you can not easily install new packages then. That requires you checking all the sha512s via a clean boot medium. After that you can boot into the system, install new packages and update the sha512s. I also take the boot media with me where the dvd images reside on sdcards bootable via USB-sdcard adapter. The read-only switch makes it as safe as a read only burnt dvd.

  Concerning debcheckroot I had planned to make it support mounting different install-dvds/bds. At the moment it only works with a singleton install blue ray. Installing from blue ray or dvd is an additional security measure you can take to spot malware. I would not have been able to spot the rootkit I had talked about in my last mail in Brasileia, Brazil (Cobija, Bolivia) if I had decided to install online updates because then fetching the updated packages for the tool (debcheckroot supports this) would have been much more complicated. Downloads can and often are impersonated if you do not use tor so that you will be shipped the malwared-packages for comparence instead of the original ones. So always use tor with debcheckroot if you do not have all the packages available offline. To come back to the rootkit spotted in South America I had the fortune to spot it only because I could compare all files 1:1 which was only possible because I did not need online repositories to install the clean image of the distro.

  Here is again the reference for debcheckroot:


Reply to: