Security Incidents: Re: yes, its t0rn again

Re: yes, its t0rn again

From: Joe Stewart <jstewart_at_LURHQ.COM>
Date: Tue, 2 Jan 2001 03:39:50 -0500

On Tuesday 02 January 2001 00:36, you wrote:
> Just curious if anyone has turned up any more bits of the new t0rn kit and
> reported them to you... I am very interested in its ability to avoid md5
> checksums.
>
> I'm guessing it simply trojans your local copy of md5sum, given its
> installed in the default location. I knew there was a good reason I built
> my copy of md5sum from source and stuck it in /usr/local/bin/sec-tools/ =)

It could be a Linux kernel module that is being used to redirect exec calls
for selected binaries to a trojaned version hidden elsewhere on the system.
In this case, md5sum wouldn't detect any changes in the legit binaries,
because there wouldn't be any.

One such rootkit that uses this method is knark:
http://packetstorm.securify.com/UNIX/penetration/rootkits/knark-0.59.tar.gz

Regards,
-Joe

--
Joe Stewart
Information Security Analyst
LURHQ Corporation
===================
jstewart_at_lurhq.com
Received on Jan 02 2001
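One way to check for the exec-redirection Joe describes, added here as an example and not code from the thread or from any rootkit: run the binary and compare the file the kernel actually mapped (/proc/<pid>/exe) with the file on disk at the expected path. The live check assumes Linux and uses md5sum's habit of blocking on stdin to keep the child alive while /proc is inspected; the comparison itself is a pure function.

```python
"""Added example: detect exec redirection by comparing the on-disk binary
with the image the kernel really executed. Linux-only for the live check."""
import hashlib
import os
import subprocess


def sha256_of(path: str) -> str:
    """Hash a file in chunks; used on both the path and /proc/<pid>/exe."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def identity(path: str) -> tuple:
    """(device, inode) pair: two names for the same file share it."""
    st = os.stat(path)  # follows the /proc/<pid>/exe symlink
    return (st.st_dev, st.st_ino)


def judge(disk_id, disk_hash, exe_id, exe_hash) -> str:
    """Pure comparison so it can be tested without /proc.
    disk_* describe the expected path, exe_* describe /proc/<pid>/exe."""
    if disk_id != exe_id:
        return "redirected: kernel ran a different file than the path names"
    if disk_hash != exe_hash:
        return "inconsistent: same inode but the two reads differ"
    return "consistent"


def check_binary(path: str = "/usr/bin/md5sum") -> str:
    """Live check (Linux). md5sum with no arguments reads stdin until EOF,
    so the child stays alive until we close the pipe."""
    disk_id, disk_hash = identity(path), sha256_of(path)
    child = subprocess.Popen([path], stdin=subprocess.PIPE,
                             stdout=subprocess.DEVNULL,
                             stderr=subprocess.DEVNULL)
    try:
        exe = f"/proc/{child.pid}/exe"
        exe_id, exe_hash = identity(exe), sha256_of(exe)
    finally:
        child.stdin.close()  # EOF lets md5sum exit
        child.wait()
    return judge(disk_id, disk_hash, exe_id, exe_hash)
```

A module that also filters stat() or hides /proc entries will pass this check, so treat a "consistent" result as one signal, not proof; comparing against hashes taken from known-clean media remains the stronger control.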