>and
>
>I think this needs to be emphasized...just in case anyone missed it.
>
>"using a potentially compromised gcc, ld, etc."
>
>"using a potentially compromised cp"
>
>And, unless I'm mistaken, the resulting executable will then proceed
>to re-infect everything after cleaning it first. Social engineering,
>or major oversight???
I sent the following to bugtraq, though it has not passed moderation yet:
I think you missed an important part:
....so that there are two versions of the executable
(./temp and ./kill). It runs ./temp on ./kill, ostensibly to
clean it, then deletes ./temp.
i.e. it uses ./temp to clean kill, and then the now "clean" kill removes ./temp
Which begs the question, does it /really/ clean temp?
If the infested temp is run to clean kill, how do we know that temp doesn't re-infect
kill as fast as it cleans it? Does the infecting part happen first (which would seem to
me to produce a doubly infected binary), and then both infections are removed, or does
it clean the old infection, then add a new one?
----------------------------------------------------
Jonathan Wilson
System Administrator
Cedar Creek Software http://www.cedarcreeksoftware.com
Central Texas IT http://www.centraltexasit.com
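A small model of the two-copy procedure the thread is arguing about, written as an added example (it is not the cleaning tool's own code and nothing here is taken from the advisory). It assumes, purely for illustration, that the worm's presence can be modelled as a marker appended to a binary, that a hooked cp re-infects whatever it writes, and that running an infected cleaner also runs the worm, which re-infects the target after the cleaning step. Under those assumptions it answers the question raised above: if either the compiled ./kill or the cp used to make ./temp is compromised, the "clean" ./kill left behind is still infected.

```python
"""Model of the cp ./kill ./temp; ./temp ./kill; rm ./temp cleanup sequence."""
from __future__ import annotations
from dataclasses import dataclass, field

# Constructed stand-in for the worm's payload; a real infection is not one marker.
INFECTION = b"<<worm>>"


def infect(binary: bytes) -> bytes:
    """Worm behaviour (assumed): attach the payload once if it is not already present."""
    return binary if INFECTION in binary else binary + INFECTION


def is_infected(binary: bytes) -> bool:
    return INFECTION in binary


def clean(binary: bytes) -> bytes:
    """What an honest cleaner does: strip every copy of the payload."""
    return binary.replace(INFECTION, b"")


@dataclass
class Host:
    """A toy filesystem with a cp tool that the worm may have hooked."""
    files: dict[str, bytes] = field(default_factory=dict)
    cp_hooked: bool = False  # assumed: a compromised cp infects everything it writes

    def cp(self, src: str, dst: str) -> None:
        data = self.files[src]
        self.files[dst] = infect(data) if self.cp_hooked else data

    def run_cleaner(self, cleaner: str, target: str) -> None:
        """Run `cleaner` against `target`.

        Assumption: if the cleaner binary is itself infected, the worm's code runs
        alongside the cleaning logic and re-infects the target once it is clean.
        """
        result = clean(self.files[target])
        if is_infected(self.files[cleaner]):
            result = infect(result)
        self.files[target] = result

    def rm(self, path: str) -> None:
        del self.files[path]


def two_copy_cleanup(host: Host, built: str = "./kill") -> bool:
    """The procedure as described in the thread. Returns True if ./kill ends up clean."""
    host.cp(built, "./temp")            # second copy, made with the local cp
    host.run_cleaner("./temp", built)   # ./temp "cleans" ./kill
    host.rm("./temp")                   # the now "clean" ./kill removes ./temp
    return not is_infected(host.files[built])


def simulate(build_infected: bool, cp_hooked: bool) -> bool:
    """Compile ./kill on a host whose toolchain and cp may be compromised, then clean."""
    compiled = b"\x7fELF killer"                     # constructed stand-in for the build output
    if build_infected:                               # compromised gcc/ld infected the output
        compiled = infect(compiled)
    host = Host(files={"./kill": compiled}, cp_hooked=cp_hooked)
    return two_copy_cleanup(host)


if __name__ == "__main__":
    for build_infected in (False, True):
        for cp_hooked in (False, True):
            print(f"build infected={build_infected!s:5} cp hooked={cp_hooked!s:5} "
                  f"-> ./kill clean: {simulate(build_infected, cp_hooked)}")
```

Only the case where both the build and cp are honest leaves ./kill clean, which is the circularity the poster is pointing at: the procedure can only certify the tools it was built with if those tools were already trustworthy.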
_______________________________________________
http://linux.nf -- [EMAIL PROTECTED]
Archives, Subscribe, Unsubscribe, Digest, Etc
->http://linux.nf/mailman/listinfo/linux-users