Date:      Mon, 25 May 1998 15:44:39 -0400
From:      Dave Chapeskie <dchapes@ddm.on.ca>
To:        freebsd-security@FreeBSD.ORG
Subject:   Re: Virus on FreeBSD
Message-ID:  <19980525154439.60457@ddm.on.ca>
In-Reply-To: <199805251518.LAA05684@brain.zeus.leitch.com>; from Greg A. Woods on Mon, May 25, 1998 at 11:18:27AM -0400
References:  <199805211431.KAA17444@brain.zeus.leitch.com> <Pine.SOL.3.96.980522100017.17145A-100000@banshee.cs.uow.edu.au> <199805251518.LAA05684@brain.zeus.leitch.com>

On Mon, May 25, 1998 at 11:18:27AM -0400, Greg A. Woods wrote:
> I meant some way to detect the pattern of code in the *kernel* that is
> necessary to implement a module loader.

This would be a waste of effort IMHO.  When you build the kernel you
check what you are compiling in at the source level (as you've done by
checking what the NO_LKM define actually disables).  If someone else has
the ability to change or replace the kernel on you (either on disk or in
memory) then you're already screwed and LKMs are the least of your worries
:-)

> Detecting the pattern of code of a loadable module in files might
> be a good thing too, as you could then scan for hidden instances
> of such modules.  Of course any cracker worth their salt would at
> least obscure the contents of the file with some trivial "encryption"
> mechanism.... :-)

Why waste your time with "trivial" encryption when there are lots of
implementations of really good encryption freely available?

In general I find the idea of searching for "code patterns" to be a
waste of effort.  Like the guy who wrote a perl script that looked for
code that was designed to crash machines using the Pentium 'FOOF' bug.  The
script looked for the four byte pattern in files... it's real easy to
build up the required four bytes dynamically and then run them (assuming
of course that the memory protection mechanism provided by the OS either
allows executing from the data area or writing to the code area).

-- 
Dave Chapeskie <dchapes@ddm.on.ca>, DDM Consulting
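The detection gap the message describes (a scanner that looks for a fixed byte pattern in files misses the same content once it is stored in any transformed form) is small enough to show end to end. The following is an added example, not code from the thread or from FreeBSD: a literal-substring scanner of the kind the "perl script" did, run over two constructed file images. `SIGNATURE`, the filler bytes and the XOR key are all placeholders chosen for the example; no real module, exploit or crash pattern is involved.

```python
"""Added example (not from the original thread): a naive byte-pattern
scanner and the false negative it produces once the pattern is not stored
verbatim. All data is constructed for illustration.
"""

# Constructed placeholder for "the four byte pattern" a scanner looks for.
# It stands in for any signature; it is not a real code sequence.
SIGNATURE = b"\xde\xad\xbe\xef"


def scan_for_signature(blob: bytes, signature: bytes = SIGNATURE) -> list[int]:
    """Return every offset in blob where signature appears verbatim.

    This is all a file-pattern scanner does: a literal substring search
    over the bytes as they sit on disk.
    """
    hits = []
    start = 0
    while True:
        idx = blob.find(signature, start)
        if idx == -1:
            return hits
        hits.append(idx)
        start = idx + 1


def xor_bytes(data: bytes, key: int) -> bytes:
    """Single-byte XOR, the 'trivial encryption' the message refers to.

    Applying it twice with the same key restores the original bytes.
    """
    return bytes(b ^ key for b in data)


def build_samples() -> dict[str, bytes]:
    """Two constructed file images of equal size.

    'plain' stores the marker literally; 'xor_encoded' stores the same
    marker XOR-encoded with a constructed key, so the literal bytes never
    appear in the file even though the content is identical in effect.
    """
    filler = b"\x90" * 16  # constructed padding on either side of the marker
    plain = filler + SIGNATURE + filler
    encoded = filler + xor_bytes(SIGNATURE, 0x5A) + filler
    return {"plain": plain, "xor_encoded": encoded}


def demo() -> dict[str, list[int]]:
    """Run the scanner over both samples and report offsets found per sample."""
    return {name: scan_for_signature(blob) for name, blob in build_samples().items()}


if __name__ == "__main__":
    for name, offsets in demo().items():
        verdict = "FOUND at %s" % offsets if offsets else "not found (false negative)"
        print(f"{name:12s}: {verdict}")
```

The scanner reports the marker at offset 16 in the plain image and nothing at all in the encoded one, which is exactly the author's objection: the check tells you only whether one specific byte string is present on disk, not whether the capability is. The control the message recommends instead, knowing at the source level what was compiled into the kernel, does not depend on the on-disk form at all.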
