From owner-freebsd-security Mon May 25 12:45:43 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id MAA21709 for freebsd-security-outgoing; Mon, 25 May 1998 12:45:43 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from ymris.ddm.on.ca (p.radon.sentex.ca [207.245.238.64]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id MAA21663 for ; Mon, 25 May 1998 12:44:56 -0700 (PDT) (envelope-from dchapes@ddm.on.ca)
Received: from squigy.ddm.on.ca (squigy.ddm.on.ca [209.47.139.138]) by ymris.ddm.on.ca (8.8.8/8.8.8) with ESMTP id PAA02401 for ; Mon, 25 May 1998 15:44:40 -0400 (EDT) (envelope-from dchapes@ymris.ddm.on.ca)
From: Dave Chapeskie
Received: (from dchapes@localhost) by squigy.ddm.on.ca (8.8.8/8.8.7) id PAA15659; Mon, 25 May 1998 15:44:39 -0400 (EDT)
Message-ID: <19980525154439.60457@ddm.on.ca>
Date: Mon, 25 May 1998 15:44:39 -0400
To: freebsd-security@FreeBSD.ORG
Subject: Re: Virus on FreeBSD
Mail-Followup-To: freebsd-security@FreeBSD.ORG
References: <199805211431.KAA17444@brain.zeus.leitch.com> <199805251518.LAA05684@brain.zeus.leitch.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.89i
In-Reply-To: <199805251518.LAA05684@brain.zeus.leitch.com>; from Greg A. Woods on Mon, May 25, 1998 at 11:18:27AM -0400
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk

On Mon, May 25, 1998 at 11:18:27AM -0400, Greg A. Woods wrote:
> I meant some way to detect the pattern of code in the *kernel* that is
> necessary to implement a module loader.

This would be a waste of effort IMHO. When you build the kernel you check what you are compiling in at the source level (as you've done by checking what the NO_LKM define actually disables). If someone else has the ability to change or replace the kernel on you (either on disk or in memory) then you're already screwed and LKMs are the least of your worries :-)

> Detecting the pattern of code of a loadable module in files might
> be a good thing too, as you could then scan for hidden instances
> of such modules. Of course any cracker worth their salt would at
> least obscure the contents of the file with some trivial "encryption"
> mechanism.... :-)

Why waste your time with "trivial" encryption when there are lots of implementations of really good encryption freely available?

In general I find the idea of searching for "code patterns" to be a waste of effort. Like the guy who wrote a perl script that looked for code that was designed to crash machines using the Pentium 'F00F' bug. The script looked for the four byte pattern in files... it's real easy to build up the required four bytes dynamically and then run them (assuming of course that the memory protection mechanism provided by the OS either allows executing from the data area or writing to the code area).

-- 
Dave Chapeskie, DDM Consulting

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message
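As an added illustration of the point made in the message above about byte-pattern scanning (this is example code, not part of the original post or of any FreeBSD tool): a naive four-byte scanner for the Pentium F00F sequence F0 0F C7 C8 finds the bytes in a constructed plain file image, but finds nothing in the same image when it is stored XOR-encoded and only decoded into a buffer at run time. The two images and the one-byte key are constructed for this example; the F00F bytes are only ever compared against, never executed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* The Pentium F00F sequence: LOCK CMPXCHG8B EAX, bytes F0 0F C7 C8.
 * Used here purely as a signature to search for; it is never executed. */
static const uint8_t F00F_PATTERN[4] = { 0xF0, 0x0F, 0xC7, 0xC8 };

/* The kind of scanner the post describes: count contiguous occurrences
 * of the four-byte signature in a file image. */
size_t count_signature(const uint8_t *buf, size_t len)
{
    size_t hits = 0;
    for (size_t i = 0; i + sizeof F00F_PATTERN <= len; i++)
        if (memcmp(buf + i, F00F_PATTERN, sizeof F00F_PATTERN) == 0)
            hits++;
    return hits;
}

/* Constructed "file image" with the signature stored in the clear,
 * padded with NOPs (0x90) on either side. */
static const uint8_t PLAIN_IMAGE[] = {
    0x90, 0x90, 0x90, 0x90,
    0xF0, 0x0F, 0xC7, 0xC8,
    0x90, 0x90, 0x90, 0x90
};

/* The same image after a "trivial encryption": every byte XORed with a
 * one-byte key (0x5A, picked arbitrarily for this example). This is the
 * form that would sit on disk; the program rebuilds the real bytes at
 * run time, so a file scanner never sees F0 0F C7 C8 contiguously. */
#define XOR_KEY 0x5A
static const uint8_t ENCODED_IMAGE[] = {
    0xCA, 0xCA, 0xCA, 0xCA,
    0xAA, 0x55, 0x9D, 0x92,   /* F0 0F C7 C8, each byte ^ 0x5A */
    0xCA, 0xCA, 0xCA, 0xCA
};

/* Decode enc into out; out must have room for len bytes. */
void xor_decode(const uint8_t *enc, uint8_t *out, size_t len)
{
    for (size_t i = 0; i < len; i++)
        out[i] = enc[i] ^ XOR_KEY;
}

/* Hits the scanner gets on the image as it is stored on disk. */
size_t hits_in_stored_image(void)
{
    return count_signature(ENCODED_IMAGE, sizeof ENCODED_IMAGE);
}

/* Hits the scanner gets on the bytes the program actually assembles
 * at run time, i.e. what would have to be inspected in memory. */
size_t hits_after_decode(void)
{
    uint8_t decoded[sizeof ENCODED_IMAGE];
    xor_decode(ENCODED_IMAGE, decoded, sizeof ENCODED_IMAGE);
    return count_signature(decoded, sizeof decoded);
}

int main(void)
{
    printf("plain image:          %zu hit(s)\n",
           count_signature(PLAIN_IMAGE, sizeof PLAIN_IMAGE));
    printf("stored (encoded):     %zu hit(s)\n", hits_in_stored_image());
    printf("after runtime decode: %zu hit(s)\n", hits_after_decode());
    return 0;
}
```

The scanner only ever reports a hit on the decoded buffer, which exists solely in the process's memory at run time. Whether that buffer can then be executed is the separate question the post raises: it depends on the OS allowing execution from writable data or writes to the code segment.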