antivir - net-tools - trojan horse

Michael Schwendt ms-nospam-0306 at arcor.de
Sat Dec 13 09:55:58 UTC 2003


On Sat, 13 Dec 2003 06:11:29 +0100, Olaf Mueller wrote:

> checking my filesystem with antivir (H+BEDV Datentechnik GmbH,
> AntiVir / Linux Version 2.0.9-6, VDF version: 6.23.0.9 created 12 Dec
> 2003) runs into the following alert. Antivir says that the files
> /usr/share/locale/<pt_BR,fr,de,cs>/LC_MESSAGES/net-tools.mo are
> infected with trojan horse "TR/HackToolX.RK.1".
> 
> So I get a fresh RPM file "net-tools-1.60-20.1" from
> http://rpmfind.net/linux/rpm2html/search.php?query=net-tools,
> extract one of the net-tools.mo files from RPM and checked it with
> antivir. And I was very surprised to see that antivir found in this
> new rpm file a trojan horse too!
> 
> So, is this only a fake from antivir or is there really a trojan horse
> in the net-tools-1.60-20.1.i386.rpm files on http://rpmfind.net/?
> 
> Is there any description available about what "TR/HackToolX.RK.1"
> exactly does?

Note that virus-detection tools are sometimes mistaken if they search for
a short virus fingerprint (e.g. a specific sequence of bytes) which can
appear in an arbitrary data file. They assume they've found something, but
actually the search was just sloppy. Btw, it's sort of pointless to hide a
trojan horse in a localization data file, because it would need malicious
code elsewhere to make use of the modified .mo file.

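The two points made above (a short byte fingerprint can match inside harmless data, and a gettext .mo file is pure string data with no executable content) can be checked directly. The following is an added example, not code from this thread or from net-tools or AntiVir: it builds a small .mo file from constructed sample entries, parses it back, verifies that every byte of the file is accounted for by the header, the string tables and the NUL-terminated strings themselves, and then runs a naive substring "signature" scan over it. The signature names and patterns are hypothetical, chosen only to show how a short pattern hits ordinary translated text; they are not AntiVir's real definitions.

```python
import struct

# GNU gettext .mo magic number, as read from the file in host byte order
MO_MAGIC_LE = 0x950412DE   # file written little-endian
MO_MAGIC_BE = 0xDE120495   # file written big-endian (same bytes, swapped)

# Constructed sample entries in the style of net-tools messages (not the real file).
SAMPLE_ENTRIES = [
    ("", "Project-Id-Version: net-tools\n"),   # empty msgid carries the catalog header
    ("ifconfig: option `%s' not recognised.\n",
     "ifconfig: Option `%s' nicht erkannt.\n"),
]

# Hypothetical signatures: a short pattern that appears in plain text, and one that
# would only appear in an ELF executable.
SIGNATURES = {
    "CONSTRUCTED/ShortSig.1": b"ifconfig",
    "CONSTRUCTED/NotPresent": b"\x7fELF",
}


def build_mo(entries):
    """Serialise (msgid, msgstr) pairs as a little-endian .mo file (constructed data)."""
    entries = sorted(entries)                 # msgids must be sorted for binary search
    n = len(entries)
    orig_table_off = 7 * 4                    # header is seven 32-bit words
    trans_table_off = orig_table_off + n * 8  # each table entry is (length, offset)
    data_off = trans_table_off + n * 8
    blob, orig_table, trans_table = bytearray(), bytearray(), bytearray()
    for msgid, msgstr in entries:
        mid, mstr = msgid.encode("utf-8"), msgstr.encode("utf-8")
        orig_table += struct.pack("<II", len(mid), data_off + len(blob))
        blob += mid + b"\0"                   # strings are NUL-terminated
        trans_table += struct.pack("<II", len(mstr), data_off + len(blob))
        blob += mstr + b"\0"
    header = struct.pack("<7I", MO_MAGIC_LE, 0, n, orig_table_off, trans_table_off,
                         0, data_off + len(blob))   # empty hash table at end of file
    return bytes(header + orig_table + trans_table + blob)


def _endianness(data):
    """Return the struct byte-order prefix for this .mo file, or raise if it is not one."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic == MO_MAGIC_LE:
        return "<"
    if magic == MO_MAGIC_BE:
        return ">"
    raise ValueError("not a GNU gettext .mo file")


def _read_string(data, end, table_off, i):
    length, off = struct.unpack_from(end + "II", data, table_off + 8 * i)
    if off + length >= len(data) or data[off + length] != 0:
        raise ValueError("string table entry points outside the file or is unterminated")
    return data[off:off + length].decode("utf-8")


def parse_mo(data):
    """Return {msgid: msgstr} for every entry in the catalog."""
    end = _endianness(data)
    _rev, n, o, t, _s, _h = struct.unpack_from(end + "6I", data, 4)
    return {_read_string(data, end, o, i): _read_string(data, end, t, i) for i in range(n)}


def unreferenced_bytes(data):
    """Count bytes not covered by the header, the tables or a referenced string.

    A well-formed catalog has none: there is no room in the format for code that
    the tables do not point at, and whatever they point at is only ever read as text.
    """
    end = _endianness(data)
    n, o, t, s, h = struct.unpack_from(end + "5I", data, 8)
    covered = bytearray(len(data))

    def mark(start, length):
        if start + length > len(data):
            raise ValueError("table points outside the file")
        covered[start:start + length] = b"\1" * length

    mark(0, 28)
    mark(o, 8 * n)
    mark(t, 8 * n)
    mark(h, 4 * s)
    for table in (o, t):
        for i in range(n):
            length, off = struct.unpack_from(end + "II", data, table + 8 * i)
            mark(off, length + 1)            # include the terminating NUL
    return covered.count(0)


def naive_signature_scan(data, signatures):
    """Names of signatures whose raw byte pattern occurs anywhere in data.

    This is the sloppy substring match described above: it has no notion of
    file type or code context, so a short pattern will fire on plain text.
    """
    return [name for name, pattern in signatures.items() if pattern in data]


if __name__ == "__main__":
    mo = build_mo(SAMPLE_ENTRIES)
    print("entries:", parse_mo(mo))
    print("unreferenced bytes:", unreferenced_bytes(mo))
    print("naive hits:", naive_signature_scan(mo, SIGNATURES))
```

Run against a real catalog, `unreferenced_bytes(open(path, "rb").read())` being zero and `parse_mo` succeeding tells you the file is nothing but a string table; comparing the file against the checksum recorded in the package it came from is still the right way to decide whether it was modified.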