Hi Steven J. Yellin! On 2016.09.07 at 19:03:32 -0700, Steven J. Yellin wrote next:
> Are rpm and the checksum tools statically linked? If not, hiding
> copies of them might not help if libraries have been compromised. But
> busybox is statically linked, and it looks like it can be easily used to
> replace most commands used to check security without going to the trouble of
> pulling files from it. For example, 'ln -s busybox md5sum' allows use of
> busybox's md5sum and 'ln -s busybox vi' allows use of its vi. See
> https://busybox.net/FAQ.html#getting_started .

Statically linked rpm won't help you at all. The malware in question doesn't modify any system files or libraries; it installs a new (non-system-managed) library and creates an extra config file for the linker. The library has a random name and is treated as non-system-managed as well. It preloads itself into any non-statically-linked binary and replaces libc functions. rpm has absolutely nothing to do with non-system files: you can do as many verify passes as you want, using a statically linked rpm binary if you prefer, and it won't show you that anything is wrong.

-- 
Vladimir
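An added example, not part of the thread, of the check Vladimir's point implies: instead of verifying package-owned files, audit the dynamic-linker configuration itself (`/etc/ld.so.preload` and the per-file configs under `/etc/ld.so.conf.d/`) and flag every config file, library or search directory that no package owns. The package-ownership oracle is injectable so the parsing logic runs offline on constructed input; `rpm_owns` is the real-system oracle, and the sample paths in the block are constructed, not taken from any incident.

```python
"""Audit the dynamic-linker configuration for entries no package owns.

Added example; not code from the mailing-list thread.  Sample inputs below
are constructed.  `rpm -qf` is the only external tool used, and only when
auditing a live system.
"""
import glob
import os
import subprocess
from typing import Callable, Dict, Iterable, List

PRELOAD_FILE = "/etc/ld.so.preload"
CONF_DIR = "/etc/ld.so.conf.d"


def parse_preload(text: str) -> List[str]:
    """Return the shared-object paths listed in ld.so.preload content.

    glibc treats whitespace and ':' as separators and '#' as a comment start.
    """
    libs: List[str] = []
    for line in text.splitlines():
        line = line.split("#", 1)[0]
        libs.extend(line.replace(":", " ").split())
    return libs


def parse_ld_conf(text: str) -> List[str]:
    """Return the search directories named in an ld.so.conf(.d) file.

    'include' lines are skipped: the caller already globs CONF_DIR itself.
    """
    dirs: List[str] = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line and not line.startswith("include "):
            dirs.append(line)
    return dirs


def find_unmanaged(paths: Iterable[str], is_managed: Callable[[str], bool]) -> List[str]:
    """Return the subset of paths the package manager does not own."""
    return [p for p in paths if not is_managed(p)]


def rpm_owns(path: str) -> bool:
    """Real-system oracle: True if `rpm -qf` reports a package owning `path`."""
    result = subprocess.run(["rpm", "-qf", path], capture_output=True, text=True)
    return result.returncode == 0


def audit_system(is_managed: Callable[[str], bool] = rpm_owns) -> Dict[str, List[str]]:
    """Walk the live linker config; map each suspicious file to its findings."""
    findings: Dict[str, List[str]] = {}
    if os.path.exists(PRELOAD_FILE):
        notes: List[str] = []
        if not is_managed(PRELOAD_FILE):
            notes.append("(ld.so.preload itself is not package-owned)")
        with open(PRELOAD_FILE) as fh:
            notes.extend(find_unmanaged(parse_preload(fh.read()), is_managed))
        if notes:
            findings[PRELOAD_FILE] = notes
    for conf in sorted(glob.glob(os.path.join(CONF_DIR, "*.conf"))):
        notes = []
        if not is_managed(conf):
            notes.append("(config file itself is not package-owned)")
        with open(conf) as fh:
            for directory in parse_ld_conf(fh.read()):
                if os.path.isdir(directory):
                    entries = (os.path.join(directory, n) for n in os.listdir(directory))
                    notes.extend(find_unmanaged(entries, is_managed))
        if notes:
            findings[conf] = notes
    return findings


# Constructed sample input (hypothetical paths, not from any real system).
SAMPLE_PRELOAD = "/usr/lib64/libhelper_x1.so  # looks harmless\n/lib64/libselinux.so.1\n"
SAMPLE_CONF = "# q7f3k.conf\n/usr/local/lib/.cache\ninclude /etc/ld.so.conf.d/*.conf\n"
SAMPLE_MANAGED = {"/lib64/libselinux.so.1"}


def demo() -> List[str]:
    """Offline run of the checks against the constructed sample."""
    return find_unmanaged(parse_preload(SAMPLE_PRELOAD), SAMPLE_MANAGED.__contains__)


if __name__ == "__main__":
    print("sample unmanaged preloads:", demo())
    print("live findings:", audit_system())
```

Because the preloaded library hooks every dynamically linked process, a Python interpreter running on the infected host can itself be lied to by the hooked libc; run the live audit from a statically linked shell (the busybox suggestion above) or against the disk mounted from a clean system, where `is_managed` can be pointed at an rpm database path rather than the live one.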