[SC-L] Countering Trusting Trust through Diverse Double-Compiling
Steven M. Bellovin
bellovin at acm.org
Wed Dec 14 23:10:42 EST 2005
In message <200512141941.47006 at KRvW>, "Kenneth R. van Wyk" writes:
>
>This reminded me of an old class of PC viruses (circa 1992) that evaded
>detection by file scanners by hooking the MS-DOS file read interrupt and
>returning the original, uninfected version of infected files whenever a
>program opened up an infected file for reading. It tricked a lot of file
>scanners at the time. If I'm not mistaken, it was the DIR-II family of
>viruses. I'm sure that you've taken that sort of evasive action into
>account, but I thought that I'd mention it here for the SC-L folks.
>
And there is, as I recall, a Linux piece of malware that uses a
loadable kernel module of some sort to hide a back door in init -- if
it's not opened by pid 1, it gives the real file; otherwise, it
gives the Trojan'ed version.
--Steve Bellovin, http://www.stevebellovin.com
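The two tricks above share one property: the bytes a reader gets back depend on who is reading, so a scanner running inside the compromised system is shown the clean file. The following is an added example (not code from this thread or from either poster) that models the init case Bellovin describes with constructed byte strings: a hooked read path that hands the real file only to pid 1, and two checks a practitioner would run to expose it. The digests, paths and contents are all constructed for the demonstration; the point is the comparison logic, not the specific hashes.

```python
"""Model of a reader-dependent file view and the cross-context checks that expose it.

Added example; not code from the SC-L thread. hooked_read() models the
behaviour described in the thread (the real /sbin/init is served only to
pid 1, everyone else gets a clean copy). raw_read() stands in for a read
that bypasses the hook, e.g. from a trusted boot medium. KNOWN_GOOD stands
in for digests from an independent source such as a package manifest.
Every path, content and digest here is constructed.
"""
import hashlib


def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed "disk": what is actually stored. /sbin/init carries the backdoor.
DISK = {
    "/sbin/init": b"ELF-init-with-backdoor",  # constructed content
    "/bin/ls": b"ELF-ls-clean",               # constructed content
}

# Clean copy the hook serves to any reader that is not pid 1 (constructed).
CLEAN_INIT = b"ELF-init-clean"

# Known-good digests from an independent source (constructed, e.g. a package manifest).
KNOWN_GOOD = {
    "/sbin/init": digest(CLEAN_INIT),
    "/bin/ls": digest(DISK["/bin/ls"]),
}


def hooked_read(path: str, reader_pid: int) -> bytes:
    """Model of the hooked read path: only pid 1 sees the real /sbin/init."""
    if path == "/sbin/init" and reader_pid != 1:
        return CLEAN_INIT
    return DISK[path]


def raw_read(path: str) -> bytes:
    """Read that bypasses the hook (offline media, raw device, etc.)."""
    return DISK[path]


def scan_in_system(reader_pid: int) -> dict:
    """Digests as an in-system scanner (some pid != 1) would compute them."""
    return {p: digest(hooked_read(p, reader_pid)) for p in DISK}


def scan_offline() -> dict:
    """Digests computed from a read path the hook does not control."""
    return {p: digest(raw_read(p)) for p in DISK}


def check_against_manifest(view: dict, manifest: dict) -> list:
    """Paths whose digest in `view` differs from the trusted manifest."""
    return sorted(p for p in view if view[p] != manifest.get(p))


def compare_views(view_a: dict, view_b: dict) -> list:
    """Paths on which two observation contexts disagree; any hit is a finding."""
    return sorted(p for p in view_a if view_a[p] != view_b.get(p))


if __name__ == "__main__":
    scanner = scan_in_system(reader_pid=4242)
    # The in-system scanner is lied to, so it reports nothing.
    print("in-system scan vs manifest:", check_against_manifest(scanner, KNOWN_GOOD))
    # A read from outside the hooked context disagrees with the manifest...
    print("offline scan vs manifest:", check_against_manifest(scan_offline(), KNOWN_GOOD))
    # ...and with the in-system view, which is the stronger signal: the two
    # contexts should never disagree on an unmodified file.
    print("contexts disagree on:", compare_views(scanner, scan_offline()))
```

The second comparison is the one worth keeping in a real checklist: a manifest can itself be stale or tampered with, but two independent read paths disagreeing on the same on-disk file is evidence of exactly the kind of reader-dependent substitution the thread describes, whatever the "correct" content is.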