Date: Mon, 25 May 1998 15:44:39 -0400
From: Dave Chapeskie <dchapes@ddm.on.ca>
To: freebsd-security@FreeBSD.ORG
Subject: Re: Virus on FreeBSD
Message-ID: <19980525154439.60457@ddm.on.ca>
In-Reply-To: <199805251518.LAA05684@brain.zeus.leitch.com>; from Greg A. Woods on Mon, May 25, 1998 at 11:18:27AM -0400
References: <199805211431.KAA17444@brain.zeus.leitch.com> <Pine.SOL.3.96.980522100017.17145A-100000@banshee.cs.uow.edu.au> <199805251518.LAA05684@brain.zeus.leitch.com>
On Mon, May 25, 1998 at 11:18:27AM -0400, Greg A. Woods wrote:
> I meant some way to detect the pattern of code in the *kernel* that is
> necessary to implement a module loader.

This would be a waste of effort IMHO. When you build the kernel you check what you are compiling in at the source level (as you've done by checking what the NO_LKM define actually disables). If someone else has the ability to change or replace the kernel on you (either on disk or in memory) then you're already screwed and LKMs are the least of your worries :-)

> Detecting the pattern of code of a loadable module in files might
> be a good thing too, as you could then scan for hidden instances
> of such modules. Of course any cracker worth their salt would at
> least obscure the contents of the file with some trivial "encryption"
> mechanism.... :-)

Why waste your time with "trivial" encryption when there are lots of implementations of really good encryption freely available?

In general I find the idea of searching for "code patterns" to be a waste of effort. Like the guy who wrote a perl script that looked for code that was designed to crash machines using the Pentium 'FOOF' bug. The script looked for the four byte pattern in files... it's real easy to build up the required four bytes dynamically and then run them (assuming of course that the memory protection mechanism provided by the OS either allows executing from the data area or writing to the code area).

--
Dave Chapeskie <dchapes@ddm.on.ca>, DDM Consulting