Date:      Tue, 11 Jul 2006 14:08:55 -0700 (PDT)
From:      "R. B. Riddick" <arne_woerner@yahoo.com>
To:        Mike Tancsa <mike@sentex.net>, Poul-Henning Kamp <phk@phk.freebsd.dk>
Cc:        freebsd-security@freebsd.org
Subject:   Re: Integrity checking NANOBSD images 
Message-ID:  <20060711210855.970.qmail@web30303.mail.mud.yahoo.com>
In-Reply-To: <6.2.3.4.0.20060711165223.04bce500@64.7.153.2>

--- Mike Tancsa <mike@sentex.net> wrote:
> >But what if the trojan copies its files to the RAM disc and waits for this
> >sha256 binary to show up? And then, when it is there, it removes its changes
> >on the hard disc (those changes certainly must be in unused (formerly zeroed)
> >areas of the hard disc or in the (zeroed) end of certain shell scripts)... Or
> >am I missing something?
> 
> Yes, sounds possible.  Between checks, "undo" the trojan.  However, 
> the binary would have to live somewhere on the flash or it would not 
> survive reboots and you would have to tinker with the bootup process 
> to load the trojan at boot time.
> 
Yes, that is what I mean by "unused" areas... I think many scripts in
/etc/rc.d have some space at their end that is zeroed and unused... So you
just have to record their original size... Then you add some trojan software
stuff in some start shell script function and you are done (of course those
changes must be made after the checksum procedure is over... and must be undone
before every checksum procedure)...

Maybe we should try to make the box physically safer... By a sabotage
detection unit... Infrared scanner or ultrasound movement scanner or so...

-Arne
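To make the gap discussed in this thread concrete, here is an added Python example (not from the thread, and not NanoBSD's own code) that lays constructed files onto a toy block image, records size and sha256 per file, and shows that a per-file checksum passes while a change in a file's zeroed tail is caught by a slack check or by hashing the raw image; the block size, file names and script contents are all constructed.

```python
import hashlib

BLOCK = 512  # constructed block size for the toy image

def build_image(files, image_blocks=8):
    # Lay constructed files out on a zeroed image, each starting on a block boundary.
    # The manifest records what a per-file check would record: offset, size, sha256.
    image = bytearray(BLOCK * image_blocks)
    manifest, off = {}, 0
    for name, data in files.items():
        image[off:off + len(data)] = data
        manifest[name] = (off, len(data), hashlib.sha256(data).hexdigest())
        off += -(-len(data) // BLOCK) * BLOCK  # next block; tail of last block stays zero
    return bytes(image), manifest

def verify_files(image, manifest):
    # File-level check: hashes only the recorded size of each file, as per-file sha256 would.
    return [name for name, (off, size, digest) in manifest.items()
            if hashlib.sha256(image[off:off + size]).hexdigest() != digest]

def verify_slack(image, manifest):
    # Slack check: the unused tail of each file's last block must still be all zero.
    bad = []
    for name, (off, size, _) in manifest.items():
        block_end = off + -(-size // BLOCK) * BLOCK
        if any(image[off + size:block_end]):
            bad.append(name)
    return bad

def demo():
    # Constructed sample scripts (not real rc.d contents); slack after each is zero when clean.
    files = {
        "etc/rc.d/foo": b"#!/bin/sh\n. /etc/rc.subr\necho foo\n",
        "etc/rc.d/bar": b"#!/bin/sh\necho bar\n",
    }
    clean, manifest = build_image(files)
    tampered = bytearray(clean)
    off, size, _ = manifest["etc/rc.d/foo"]
    tampered[off + size:off + size + 16] = b"T" * 16  # constructed change in foo's unused slack
    tampered = bytes(tampered)
    return {
        "files_tampered": verify_files(tampered, manifest),  # [] : per-file sha256 is blind to it
        "slack_tampered": verify_slack(tampered, manifest),  # ['etc/rc.d/foo']
        "image_changed": hashlib.sha256(tampered).digest()
                         != hashlib.sha256(clean).digest(),  # True: raw-image hash catches it
    }

if __name__ == "__main__":
    print(demo())
```

Hashing the whole raw image also covers free blocks that belong to no file at all, which the slack check above does not. As the thread points out, either check is only trustworthy when run from trusted media with the image offline, so nothing on the box can undo its changes before the check.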




