In message <[EMAIL PROTECTED]>, "Kenneth R. van Wyk" writes:

> This reminded me of an old class of PC viruses (circa 1992) that evaded
> detection by file scanners by hooking the MS-DOS file read interrupt and
> returning the original, uninfected version of infected files whenever a
> program opened up an infected file for reading. It tricked a lot of file
> scanners at the time. If I'm not mistaken, it was the DIR-II family of
> viruses. I'm sure that you've taken that sort of evasive action into
> account, but I thought that I'd mention it here for the SC-L folks.

And there is, as I recall, a Linux piece of malware that uses a loadable kernel module of some sort to hide a back door in init -- if it's not opened by pid 1, it gives the real file; otherwise, it gives the Trojan'ed version.

--Steve Bellovin, http://www.stevebellovin.com

_______________________________________________
Secure Coding mailing list (SC-L)
SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
> >This reminded me of an old class of PC viruses (circa 1992) that evaded >detection by file scanners by hooking the S-DOS file read interrupt and >returning the original, uninfected version of infected files whenever a >program opened up an infected file for reading. It tricked a lot of file >scanners at the time. If I'm not mistaken, it was the DIR-II family of >viruses. I'm sure that you've taken that sort of evasive action into >account, but I thought that I'd mention it here for the SC-L folks. > And there is, as I recall, a Linux piece of malware that uses a loadable kernel module of some sort to hide a back door in init -- if it's not opened by pid 1, it gives the real file; otherwise, it gives the Trojan'ed version. --Steve Bellovin, http://www.stevebellovin.com _______________________________________________ Secure Coding mailing list (SC-L) SC-L@securecoding.org List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l List charter available at - http://www.securecoding.org/list/charter.php