Integrity checking NANOBSD images
R. B. Riddick
arne_woerner at yahoo.com
Tue Jul 11 21:08:56 UTC 2006
--- Mike Tancsa <mike at sentex.net> wrote:
> >But what if the trojan copies its files to the RAM disc and waits for this
> >sha256 binary showing up? And then, when it is there, it removes its
> >changes on the hard disc (those changes certainly must be in unused
> >(formerly zeroed) areas of the hard disc or in the (zeroed) end of certain
> >shell scripts... Or do I miss something?
>
> Yes, sounds possible. Between checks, "undo" the trojan. However,
> the binary would have to live somewhere on the flash or it would not
> survive reboots and you would have to tinker with the bootup process
> to load the trojan at boot time.
>
Yes, that is what I mean by "unused" areas... I think many scripts in
/etc/rc.d have some space at their end that is zeroed and unused... So you
just have to record their original size... Then you add some trojan software
stuff in some start shell script function and you are done (of course those
changes must be made after the checksum procedure is over..., and must be
undone before every checksum procedure)...
Maybe we should try to make the box physically safer... By a sabotage
detection unit... Infrared scanner or ultrasound movement scanner or so...
-Arne
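The thread's point is that a per-file checksum only covers a file's logical bytes, so a modification parked in slack space or other unused, zeroed regions of the flash is invisible to it, and an on-box check can be raced by code that undoes its changes before the check runs. The script below is an added example, not code from the thread or from NanoBSD: it hashes a raw image in fixed-size blocks and diffs it against a golden manifest taken from the build host, so slack space and unallocated areas are covered too. The sample image, the 512-byte block size and the `<constructed marker>` payload are constructed for illustration.

```python
"""Whole-image integrity check: hash a raw image in fixed-size blocks and
compare against a golden manifest. Added example, not part of the thread."""
import hashlib

BLOCK = 512  # hash granularity in bytes; assumed value, any fixed size works


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def block_manifest(image: bytes, block_size: int = BLOCK) -> list:
    """SHA-256 of every fixed-size block of the raw image, slack included.

    Record this on the build host, from the image you actually flash, and
    keep it off the box: the check is only meaningful when run from an
    environment the device cannot influence (e.g. booted from other media).
    """
    return [sha256_hex(image[off:off + block_size])
            for off in range(0, len(image), block_size)]


def changed_blocks(golden: list, current: list, block_size: int = BLOCK) -> list:
    """Byte offsets of blocks whose hash differs from the golden manifest.

    A length mismatch is itself a finding, so extra or missing blocks count
    as changed rather than being silently skipped.
    """
    n = max(len(golden), len(current))
    return [i * block_size for i in range(n)
            if i >= len(golden) or i >= len(current) or golden[i] != current[i]]


# --- constructed sample "filesystem": one rc.d-style script occupying two
# 512-byte blocks, the rest of its allocation zero-filled (not a real image) ---
SCRIPT = b"#!/bin/sh\n# constructed rc.d script\necho hello\n"


def build_image(script: bytes, inject_at: int = None, payload: bytes = b"") -> bytes:
    """Lay the script into a 2-block allocation padded with zeros; optionally
    write a payload into the unused tail to model the scenario in the thread."""
    img = bytearray(script.ljust(2 * BLOCK, b"\0"))
    if inject_at is not None:
        img[inject_at:inject_at + len(payload)] = payload
    return bytes(img)


GOLDEN_IMAGE = build_image(SCRIPT)
# Constructed tampering: bytes written into the zeroed slack past the
# script's logical end, in the second block.
TAMPERED_IMAGE = build_image(SCRIPT, inject_at=BLOCK + 100,
                             payload=b"<constructed marker>")


def per_file_check_passes(golden: bytes, current: bytes, file_len: int) -> bool:
    """What a plain per-file sha256 sees: only the file's logical bytes."""
    return sha256_hex(golden[:file_len]) == sha256_hex(current[:file_len])


if __name__ == "__main__":
    # Per-file hash is blind to the slack-space change...
    print("per-file check passes:",
          per_file_check_passes(GOLDEN_IMAGE, TAMPERED_IMAGE, len(SCRIPT)))
    # ...whereas block-level hashing of the raw image reports the offset.
    print("changed block offsets:",
          changed_blocks(block_manifest(GOLDEN_IMAGE),
                         block_manifest(TAMPERED_IMAGE)))
```

In practice the current manifest would be computed over the raw flash device (read from a trusted boot environment, not from the possibly compromised running system), and the golden manifest would be generated once from the image written by the build and stored off the device; any non-empty list of changed offsets, including a size change, is a finding to investigate.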