Security Incidents mailing list archives

Re: yes, its t0rn again

From: Joe Stewart <jstewart () LURHQ COM>
Date: Tue, 2 Jan 2001 03:39:50 -0500

On Tuesday 02 January 2001 00:36, you wrote:

Just curious if anyone has turned up any more bits of the new t0rn kit and
reported them to you...  I am very interested in its ability to avoid md5
checksums.

Im guessing it simply trojans your local copy of md5sum, given its
installed in the default location.  I knew there was a good reason I built
my copy of md5sum from source and stuck it in /usr/local/bin/sec-tools/  =)


It could be a Linux kernel module that is being used to redirect exec calls
for selected binaries to a trojaned version hidden elsewhere on the system.
In this case, md5sum wouldn't detect any changes in the legit binaries,
because there wouldn't be any.

One such rootkit that uses this method is knark:
http://packetstorm.securify.com/UNIX/penetration/rootkits/knark-0.59.tar.gz

Regards,
-Joe

--
Joe Stewart
Information Security Analyst
LURHQ Corporation
===================
jstewart () lurhq com

Current thread:

yes, its t0rn again johnathan curst (Jan 01)
- Re: yes, its t0rn again Michael Damm (Jan 01)
  - Re: yes, its t0rn again Joe Stewart (Jan 02)
- Message not available
  - Re: yes, its t0rn again MadHat (Jan 02)
    - Re: yes, its t0rn again Jonas Luster (Jan 02)
- Re: yes, its t0rn again Andrew Edelstein (Jan 03)
  - Re: yes, its t0rn again Andreas Hasenack (Jan 03)
    - Re: yes, its t0rn again Helmut Springer (Jan 04)
    - Re: yes, its t0rn again Aaron (Jan 06)
    - Re: yes, its t0rn again Helmut Springer (Jan 06)
    - LKM insecurity Greg A. Woods (Jan 06)
- <Possible follow-ups>
- Re: yes, its t0rn again Robert Horn (Jan 04)
  - Re: yes, its t0rn again Jeff Bachtel (Jan 04)

(Thread continues...)