--- Mike Tancsa <[EMAIL PROTECTED]> wrote: > >But what if the trojan copies its files to the RAM disc and waits for this > >sha256 binary showing up? And then, when it is there, it removes its > >changes on > >the hard disc (those changes certainly must be in unused (formerly zeroed) > >areas of the hard disc or in the (zeroed) end of certain shell > >scripts... Or do > >I miss something? > > Yes, sounds possible. Between checks, "undo" the trojan. However, > the binary would have to live somewhere on the flash or it would not > survive reboots and you would have to tinker with the bootup process > to load the trojan at boot time. > Yes, that is what I mean with "unused" areas... I think many scripts in /etc/rc.d have some space in their end, that is zeroed and unused... So you just have to record their original size... Then u add some trojan software stuff in some start shell script function and u r done (of course those changes must be made, after the check sum procedure is over...; and must be undone before every check sum procedure)...
Maybe we should try to make the box physically safer... By an sabotage detection unit... Infrared scanner or ultra-sound movement scanner or so... -Arne __________________________________________________ Do You Yahoo!? Tired of spam? Yahoo! Mail has the best spam protection around http://mail.yahoo.com _______________________________________________ [email protected] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-security To unsubscribe, send any mail to "[EMAIL PROTECTED]"
