On Tuesday 28 August 2007 09:37:08 am Bob Miller wrote:
> Neil Parker wrote:
> > No. The closest you can get is probably to run your suspicious software
> > under the control of strace or something similar. This will report all
> > system calls made by the process, including attempts to open files. (I
> > believe this was exactly how skype's suspicious behavior was discovered.)
>
> What, exactly, is suspicious about reading /etc/passwd?
> /etc/passwd is used to map numeric user IDs to user names.
> It's also used to map user IDs and names to full names.
>
> Does Skype ever display your name or your username?
Skype calls getpwuid()/getgrgid() (which open /etc/passwd and /etc/group, resp.) to map a UID/GID to its info (to say, their home directory: ~/.skype ?), nothing special.

    [EMAIL PROTECTED] /opt/skype$ readelf -s skype | egrep 'get(pw|gr)'
       179: 00000000   478 FUNC    GLOBAL DEFAULT  UND [EMAIL PROTECTED] (17)
       679: 00000000   478 FUNC    GLOBAL DEFAULT  UND [EMAIL PROTECTED] (17)

What you should be worried about is why skype has references to /proc/interrupts and parts of its contents in memory. Possibly to generate a unique ID for your box:

    [EMAIL PROTECTED] /tmp/skype$ strings skype-bin | grep /proc
    /proc/meminfo
    /proc/interrupts
    /proc/stat
    /proc/sys/kernel/ostype
    /proc/sys/kernel/osrelease
    /proc/%1/exe

    [EMAIL PROTECTED] /tmp/skype$ strings skype-heap | grep IO-APIC
     17:   17380080   0   0   0   IO-APIC-fasteoi   ahci, uhci_hcd:usb3
     18:    2489214   0   0   0   IO-APIC-fasteoi   libata, uhci_hcd:usb4
     19:    2058330   0   0   0   IO-APIC-fasteoi   HDA Intel, uhci_hcd:usb5
     20:     275144   0   0   0   IO-APIC-fasteoi   ehci_hcd:usb1, uhci_hcd:usb2

... and how the binary is obfuscated, so you have to dump its memory with gdb after it decrypts parts of the binary.

    [EMAIL PROTECTED] /opt/skype$ strings skype | grep -c proc
    0
    [EMAIL PROTECTED] /opt/skype$

Thanks,
_______________________________________________ EUGLUG mailing list [email protected] http://www.euglug.org/mailman/listinfo/euglug
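The first message in the thread suggests running the program under strace and watching which files it opens; the reply lists the /etc and /proc paths that are worth noticing when you do. The script below is an added illustration of that triage step and is not part of the original thread or of any Skype analysis. It parses open()/openat() lines in the format written by "strace -f -o trace.txt -e trace=open,openat" (the sample trace is constructed, not a real capture) and sorts the opened paths into the categories the reply distinguishes: account-database reads that getpwuid()/getgrgid() explain, /proc files that can serve as host-fingerprinting input, other reads under /etc, and everything else. The category names and path lists are my own choices and can be extended.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of `strace -f -o trace.txt -e trace=open,openat`
# output (pid prefix, then the syscall). Not a real capture.
SAMPLE_TRACE = """\
1234  openat(AT_FDCWD, "/etc/passwd", O_RDONLY|O_CLOEXEC) = 3
1234  openat(AT_FDCWD, "/etc/group", O_RDONLY|O_CLOEXEC) = 4
1234  openat(AT_FDCWD, "/home/user/.skype/config.xml", O_RDONLY) = 5
1234  openat(AT_FDCWD, "/proc/meminfo", O_RDONLY) = 6
1235  openat(AT_FDCWD, "/proc/interrupts", O_RDONLY) = 7
1235  openat(AT_FDCWD, "/proc/sys/kernel/osrelease", O_RDONLY) = 8
1235  open("/etc/shadow", O_RDONLY) = -1 EACCES (Permission denied)
"""

# Matches both open("path", ...) and openat(AT_FDCWD, "path", ...), with or
# without the pid prefix that `-o` adds, and captures the return value.
OPEN_RE = re.compile(
    r'^(?:(?P<pid>\d+)\s+)?open(?:at)?\((?:AT_FDCWD,\s*)?"(?P<path>[^"]+)"'
    r'[^)]*\)\s*=\s*(?P<ret>-?\d+)'
)

# Paths grouped the way the thread reasons about them (my own lists):
# account-database files are what getpwuid()/getgrgid() read; the /proc files
# expose hardware and kernel details usable to fingerprint a host.
CATEGORIES = {
    "account_db": ("/etc/passwd", "/etc/group"),
    "fingerprint": ("/proc/meminfo", "/proc/interrupts", "/proc/stat",
                    "/proc/sys/kernel/ostype", "/proc/sys/kernel/osrelease"),
}


def classify(path):
    """Return the category name for an opened path."""
    for cat, known in CATEGORIES.items():
        if path in known:
            return cat
    if path.startswith("/etc/"):
        return "sensitive_etc"   # any other /etc read deserves a look
    return "other"


def parse_opens(trace_text):
    """Return (pid, path, succeeded) for every open/openat line in the trace."""
    events = []
    for line in trace_text.splitlines():
        m = OPEN_RE.match(line)
        if not m:
            continue
        pid = int(m.group("pid")) if m.group("pid") else None
        events.append((pid, m.group("path"), int(m.group("ret")) >= 0))
    return events


def summarize(trace_text):
    """Group opened paths by category, keeping whether each open succeeded."""
    summary = defaultdict(list)
    for _pid, path, ok in parse_opens(trace_text):
        summary[classify(path)].append((path, ok))
    return dict(summary)


if __name__ == "__main__":
    for cat, entries in sorted(summarize(SAMPLE_TRACE).items()):
        print(f"[{cat}]")
        for path, ok in entries:
            print(f"  {path}  {'ok' if ok else 'FAILED'}")
```

A failed open is kept in the report on purpose: an attempt to read /etc/shadow that was denied tells you as much about intent as a successful read would. To use it on a real capture, replace SAMPLE_TRACE with the contents of the strace output file.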
