Intrusion Detection Systems mailing list archives

Re: strings in backdoor binaries


From: flynngn () jmu edu (Gary Flynn)
Date: Fri, 28 Apr 2000 11:09:02 -0400


Archive: http://msgs.securepoint.com/ids
FAQ: http://www.ticm.com/kb/faq/idsfaq.html
IDS: http://www-rnks.informatik.tu-cottbus.de/~sobirey/ids.html
UNSUBSCRIBE: email "unsubscribe ids" to majordomo () uow edu au

"Meritt, Jim" wrote:

When an intruder has penetrated a system and installed trojan binaries, when
a "strings" command is executed what text strings will appear in trojaned
files (aside from "letmein" or "satori", of course) that will (probably) not
show up in a non-trojaned binary?  I'm looking for a system (as opposed to
network) 'after-the-event' intrusion detection methodology.

I guess you can collect known signatures like the anti-virus folks
do for Windows machines but I don't think you'll find any "for-sure"
signatures. It's up to the writer of the trojan.

I just found a trojaned login that made a reference to a file
called xstat that the intruder had created. That was the only
thing obviously different until someone mentioned on the PAM
list that they'd seen trojaned login programs without PAM
support. Sure enough, mine was missing the references to the
PAM libraries.

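The two tells described above (a reference to a file the intruder created, and the PAM library references going missing) can both be checked by diffing the printable strings of a suspect binary against a trusted copy of the same program. The script below is an added example and is not code from the thread or from either poster. It replaces strings(1) with a portable tr/grep approximation (runs of four or more printable characters) so it runs on a minimal rescue system, and the file paths and sample strings in the usage section are constructed for illustration; the trusted copy is assumed to come from read-only media or a clean install, not from the compromised host.

```shell
#!/bin/sh
# Added example: compare the printable strings of a suspect binary with a
# trusted copy and flag the two tells from the thread. Not from the original
# posts; paths and sample strings are constructed.

LC_ALL=C
export LC_ALL

# Portable approximation of strings(1): replace every non-printable byte
# with a newline, keep runs of >= 4 printable characters, sort for comm(1).
extract_strings() {
    tr -c '[:print:]' '\n' < "$1" | grep -E '^.{4,}$' | sort -u
}

# Strings present in the suspect binary but absent from the trusted copy
# (this is where an intruder's file name such as "xstat" would show up).
new_strings() {
    t=$(mktemp) || return 1
    s=$(mktemp) || return 1
    extract_strings "$1" > "$t"
    extract_strings "$2" > "$s"
    comm -13 "$t" "$s"
    rm -f "$t" "$s"
}

# Strings present in the trusted copy but gone from the suspect binary
# (a trojaned login built without PAM support loses the PAM references).
missing_strings() {
    t=$(mktemp) || return 1
    s=$(mktemp) || return 1
    extract_strings "$1" > "$t"
    extract_strings "$2" > "$s"
    comm -23 "$t" "$s"
    rm -f "$t" "$s"
}

# Exit 0 if the binary still references PAM, 1 if it does not.
# The pattern covers the shared library name and the two entry points every
# PAM-aware login must call; adjust for the platform being examined.
has_pam_refs() {
    extract_strings "$1" | grep -q -E 'libpam|pam_start|pam_authenticate'
}

# Usage: compare_binaries.sh /mnt/cdrom/bin/login /bin/login
# (constructed example paths: trusted copy first, suspect second)
if [ "$#" -eq 2 ]; then
    trusted=$1
    suspect=$2
    echo "== strings only in suspect $suspect =="
    new_strings "$trusted" "$suspect"
    echo "== absolute paths only in suspect (possible intruder files) =="
    new_strings "$trusted" "$suspect" | grep '^/'
    echo "== strings missing from suspect =="
    missing_strings "$trusted" "$suspect"
    if has_pam_refs "$trusted" && ! has_pam_refs "$suspect"; then
        echo "WARNING: trusted copy references PAM, suspect does not"
    fi
fi
```

Nothing in the output is a "for-sure" signature, as the reply says: a legitimately rebuilt binary will also produce new and missing strings. The value is in the diff being small enough to read, and in the trusted copy coming from somewhere the intruder could not touch.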
