gmonstart / jvregisterclasses in tons of binaries with commands,malware?
On Wed, Dec 16, 2009 at 9:01 PM,
> In linux binaries, in any linux distro, I've discovered the same strings
> which I believe may be due to a virus or trojan.
> Yet, clamav, rkhunter, chkrootkit do not detect abnormalities.
> Whether I run 'strings' on the binary files or view with vim or gedit, here
> is what is always seen inside the binaries:
poison@chicane /data/distfiles $ /lib/libc.so.6 --version
GNU C Library stable release version 2.9, by Roland McGrath et al.
hmm... it could be an issue, I suppose... but given I'm on a version
of glibc far newer than the 2.1 to 2.2 transition that caused issues
regarding that relocation, according to the mail referenced above... I
think I'm safe, don't you? And... that's on my x86 *stable* system.
> Followed by commands which differ within each binary.
> If, by some luck, I've downloaded a fresh Linux ISO where binaries do not
> include the above two strings followed by commands, after I run an update
> the updated binaries suddenly contain the above two strings and other, what
> I believe to be, rogue strings. I've avoided the possible infection with an
> OpenBSD install, yet all the Linux installations and burned ISOs contain
> binaries with the above two strings followed by commands.
> Search using find within your bin and sbin directories for those two strings
> and see how many positives you find. Now use a text editor like vi or gedit
> and search through the gibberish, locate these strings and isolate the
> commands, if any, which follow them. Searching for gmonstart, gmon,
> registerclasses, jv, etc. variations of works. If you find results in your
> binaries, please copy/paste the commands following the gmonstart and
> jvregisterclasses strings so I may compare them to mine.
> I've purchased Linux CDs from brick + mortar stores, downloaded ISOs from
> different physical locations and found some CDs contained these strings
> in the binaries and one or two rare ones did not, but when installed/updated
> on a network connection the binaries replaced in the update process would
> show these strings!! These strings are not alone by themselves in the
> binaries they follow with commands with a @ mark before each command.
> Google results are vague, some suggest shell backdoors, every Linux user
> I've asked to date calls me paranoid while at the same time this knowledge
> comes as a surprise to them, too, when they search their binaries and find
> the same strings. I'm amazed by how quickly some rush to judgement and call
> you a paranoid for being curious about the files on your system. The strings
> may/may not be common, but in comparing commands which follow these strings
> I've noticed some which seem down right malicious!
> Maybe they're right, I'm just paranoid, but what am I seeing and why
> are these strings so common across Linux distros binaries, esp. the
> Jv (java?) reference? Please, any help?
They're so common because they're binaries compiled with the same
compiler against the same libc implementation, for the most part, and
there will *always* be very similar strings resulting from BOTH of
those states across anything they've had a hand in. Yes, of course,
it's reasonable to be security concious, but both of the links I found
for those strings are first page on Google. There's also the confusing
fact that you look so heavily at the binaries while failing to take a
look at the things that would be sensible reasons for the same strings
between them... and grep is your friend if you're going to do any
1) Their own source code (may or may not have a reference)
2) Toolchain (and, really, it's the source code for these you'll want
to look through)
2a) Compiler -> gcc suite
2b) Linker -> ld from binutils
2c) Assembler -> Also binutils
3) Libraries -> Anything *all* of them link to. ldd is an amazingly
3a) libc.so.6 -> glibc
3b) linux-gate.so.1 -> part of the the kernel (not a real file on the system)
3c) /lib/ld-linux.so.2 -> runtime component for the linker (which
would be ld from binutils)
And... when your own phrasing of things shows you don't even know
*what* these two strings you found *do* or are *really* related to...
cross posting to gentoo-security is really not necessary, though I
can't guarantee the actual security experts on that list would
agree... I get that feeling.
Joshua M. Murphy