Secure Coding mailing list archives
Countering Trusting Trust through Diverse Double-Compiling
From: bellovin at acm.org (Steven M. Bellovin)
Date: Wed, 14 Dec 2005 23:10:42 -0500
In message <200512141941.47006 at KRvW>, "Kenneth R. van Wyk" writes:
> This reminded me of an old class of PC viruses (circa 1992) that evaded detection by file scanners by hooking the MS-DOS file read interrupt and returning the original, uninfected version of infected files whenever a program opened up an infected file for reading. It tricked a lot of file scanners at the time. If I'm not mistaken, it was the DIR-II family of viruses. I'm sure that you've taken that sort of evasive action into account, but I thought that I'd mention it here for the SC-L folks.
And there is, as I recall, a Linux piece of malware that uses a loadable kernel module of some sort to hide a back door in init -- if it's not opened by pid 1, it gives the real file; otherwise, it gives the Trojan'ed version.

--Steve Bellovin, http://www.stevebellovin.com