Secure Coding mailing list archives

Countering Trusting Trust through Diverse Double-Compiling

From: bellovin at acm.org (Steven M. Bellovin)
Date: Wed, 14 Dec 2005 23:10:42 -0500

In message <200512141941.47006 at KRvW>, "Kenneth R. van Wyk" writes:


This reminded me of an old class of PC viruses (circa 1992) that evaded 
detection by file scanners by hooking the S-DOS  file read interrupt and 
returning the original, uninfected version of infected files whenever a 
program opened up an infected file for reading.  It tricked a lot of file 
scanners at the time.  If I'm not mistaken, it was the DIR-II family of 
viruses.  I'm sure that you've taken that sort of evasive action into 
account, but I thought that I'd mention it here for the SC-L folks.


And there is, as I recall, a Linux piece of malware that uses a 
loadable kernel module of some sort to hide a back door in init -- if 
it's not opened by pid 1, it gives the real file; otherwise, it 
gives the Trojan'ed version.

                --Steve Bellovin, http://www.stevebellovin.com

Current thread:

Countering Trusting Trust through Diverse Double-Compiling David A. Wheeler (Dec 14)
- Countering Trusting Trust through Diverse Double-Compiling Kenneth R. van Wyk (Dec 14)
- <Possible follow-ups>
- Countering Trusting Trust through Diverse Double-Compiling Steven M. Bellovin (Dec 14)