Keyloggers

Jean-David Beyer jeandavid8 at verizon.net
Thu Apr 28 15:35:49 CEST 2011


Mike Acker wrote (in part):

> this is the only way to certify a system: a running system cannot be
> used to certify itself.  for those who don't understand this, an old and
> common malware trick is to replace the directory list program.  when the
> system owner types dir c:\windows\*.* the modified dir list program
> simply fails to report the presence of the malware programs, instead
> adding the space taken by the malware back into the reported
> free-space.  the original dir program is hidden someplace on the c:
> drive and then reported on the dir list with its original directory
> info.  if you dump the program out you get this back-up copy; but when
> you run it -- the bad copy runs.  the system has had a bug purposely
> installed -- one which produces INCOROUT (incorrect output) -- it has
> been "pwn3d".
> 
I run Linux and I used to run the tripwire program to certify what ran
on it. What it actually did was assume at some point that all your
programs were valid, and compute some checksums of each one. Whenever
you ran the test, it would make sure the checksums were still valid.

http://sourceforge.net/projects/tripwire/

There were some serious problems, it seemed to me, with this.

First of all, I would have to install everything from the distribution
disks onto a blank machine, and trust the vendor to supply safe
software. I thought Red Hat pretty good in this respect, but could not
prove it. Trouble is that tripwire did not come with the distributions
at that time, so I had to go online to get it, and that would run the
risk of getting my machine infected while I was online.

The second problem is that there are a lot of updates that come down as
the system ages, and they all fail the tripwire testing. And how do I
know that the downloaded updates are correct? These days, the updates
come with checksums and sometimes have digital signatures, so they may
be OK. But for every update, I have to reset the signature database, and
that got to be so much trouble that I have not used tripwire in several
years.

There is SELinux on my machine, but I have never enabled it.

-- 
  .~.  Jean-David Beyer          Registered Linux User 85642.
  /V\  PGP-Key: 9A2FC99A         Registered Machine   241939.
 /( )\ Shrewsbury, New Jersey    http://counter.li.org
 ^^-^^ 09:20:01 up 12 days, 12:38, 3 users, load average: 5.00, 4.67, 4.68
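The baseline-and-verify scheme described in the post above (record a checksum of every program while the system is trusted, later recompute and compare), as an added example that is not tripwire's own code and not part of the original thread. It is a small Python integrity checker: it snapshots SHA-256 hashes, sizes and modes of all files under a root, reports modified, added and removed files on verification, and shows the re-baseline step that the post says became tedious after each update. One assumption beyond the post: the baseline database is authenticated with an HMAC key, so that whoever can alter a binary cannot also silently rewrite the database; in real use that key (and ideally the database) would live on read-only or offline media rather than on the monitored host. The directory layout, file contents and key are all constructed for the demo.

```python
"""Minimal Tripwire-style file integrity checker (added example, not tripwire code).

snapshot():  for each regular file under a root, record SHA-256, size and mode.
seal()/open_sealed():  HMAC-authenticate the baseline (assumption: key kept off-host).
verify():    recompute the snapshot and report modified / added / removed files.
demo():      constructed scenario: baseline, tamper, verify, re-baseline after a trusted update.
"""
import hashlib
import hmac
import json
import os
import tempfile
from pathlib import Path


def file_digest(path: Path) -> str:
    """SHA-256 of a file, streamed so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: Path) -> dict:
    """Map each regular file (path relative to root, POSIX form) to its hash, size and mode."""
    entries = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            st = p.stat()
            entries[p.relative_to(root).as_posix()] = {
                "sha256": file_digest(p),
                "size": st.st_size,
                "mode": oct(st.st_mode & 0o7777),
            }
    return entries


def seal(entries: dict, key: bytes) -> dict:
    """Serialise the baseline and attach an HMAC so edits to the database are detectable."""
    body = json.dumps(entries, sort_keys=True)
    mac = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return {"entries": body, "mac": mac}


def open_sealed(db: dict, key: bytes) -> dict:
    """Check the database HMAC before trusting any of its entries."""
    expected = hmac.new(key, db["entries"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, db["mac"]):
        raise ValueError("baseline database failed authentication")
    return json.loads(db["entries"])


def verify(root: Path, db: dict, key: bytes) -> dict:
    """Compare the live tree against the authenticated baseline."""
    baseline = open_sealed(db, key)
    current = snapshot(root)
    return {
        "modified": sorted(f for f in baseline if f in current and current[f] != baseline[f]),
        "added": sorted(f for f in current if f not in baseline),
        "removed": sorted(f for f in baseline if f not in current),
    }


def demo() -> dict:
    """Constructed scenario; every file and the key are invented for this example."""
    key = os.urandom(32)  # constructed; in practice kept on offline/read-only media
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "ls").write_bytes(b"#!/bin/sh\n# constructed stand-in for a listing program\n")
        (root / "bin" / "dir").write_bytes(b"#!/bin/sh\n# constructed second program\n")
        db = seal(snapshot(root), key)  # trusted point in time: take the baseline

        # Later: one program's bytes changed, a file appeared, a file vanished
        (root / "bin" / "ls").write_bytes(b"#!/bin/sh\n# constructed: contents changed after baseline\n")
        (root / "bin" / "hidden").write_bytes(b"constructed: file not in the baseline\n")
        (root / "bin" / "dir").unlink()
        first = verify(root, db, key)

        # A database rewritten without the key does not pass authentication
        forged = dict(db)
        forged["entries"] = json.dumps(snapshot(root), sort_keys=True)
        try:
            verify(root, forged, key)
            forged_detected = False
        except ValueError:
            forged_detected = True

        # After a *trusted* update the operator re-baselines instead of ignoring alarms
        db = seal(snapshot(root), key)
        second = verify(root, db, key)
    return {"first": first, "forged_detected": forged_detected, "second": second}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

The re-baseline at the end is the step the post calls out as the practical burden: every legitimate package update changes hashes, so the database has to be resealed after each one, and the value of the check depends entirely on doing that only when the new state is actually trusted (for example after verifying the update's checksum or signature the post mentions).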



More information about the Gnupg-users mailing list