Mail Archives: cygwin/2005/01/10/16:41:08
It may be worth thinking about what's actually happened here. Take a look
at the technical description at
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=BKDR_HACDEF.M&VSect=T.
One of the characteristics of the malware is that it hides a file named
cygcrypt-0.dll. The description does not state that the malware installs
cygcrypt-0.dll, but it is well known that some rootkits are built using
cygwin. Indeed, someone from our security office recently told me that
if someone runs cygwin and gets complaints about conflicting or duplicate
cygwin DLLs and if that person is sure that cygwin has never been
installed on the machine, chances are that the machine has been
compromised and that a cygwin-based rootkit has been installed.
I suspect that cygcrypt-0.dll is distributed as part of the malware in
question. Why else would it hide the file? If cygcrypt-0.dll is
distributed as part of the malware, rebuilding the package will only put
the problem off until the malware is repackaged to use the latest release.
Rather than telling users to bug the anti-virus company it might be worth
having someone from cygwin contact them to explain the issue. It might
also be worth doing a little bit of homework. That is, get a copy of the
malware, unpack it, and check to see whether cygcrypt-0.dll is included in
its entirety. What if it's really only something that bears the name and
that the anti-virus company is checking names only?
Just my 2 cents,
Dick Repasky
-----------------
Dick Repasky
Bioinformatics Support
UITS Cubicle 101.08
Indiana University
USA
rrepasky AT indiana DOT edu
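The check the post suggests (does a file called cygcrypt-0.dll actually contain the Cygwin DLL, or does it merely bear the name?) can be done from the defender's side without touching any malware at all: hash every cyg*.dll found on a machine against a manifest built from a trusted Cygwin installation, confirm each is a real PE image rather than a renamed file, and flag the "duplicate cygwin DLL" symptom the post describes. The script below is an added example and is not code from the post, the Cygwin project, or Trend Micro; the known-good manifest, the directory layout and the file contents are all constructed here for the demonstration.

```python
"""Added example (not from the mailing-list post): audit files named like
Cygwin DLLs by content rather than by name.

Assumptions (constructed for this demo, not from the post):
  * known_good is a manifest of SHA-256 hashes you build yourself from a
    trusted Cygwin installation;
  * the sample tree written by build_sample_tree() stands in for a real
    filesystem and contains no real malware, only marker bytes.
"""
import hashlib
import os
import tempfile
from collections import defaultdict

# A Windows DLL is a PE image and starts with the "MZ" DOS-header signature.
# A file named *.dll that lacks it is not a DLL, whatever its name says.
MZ_MAGIC = b"MZ"


def sha256_of(path: str) -> str:
    """Stream the file through SHA-256 so large DLLs are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def looks_like_pe(path: str) -> bool:
    """Cheap structural check: does the file carry the MZ signature?"""
    with open(path, "rb") as f:
        return f.read(2) == MZ_MAGIC


def find_cygwin_dlls(root: str):
    """Yield every path under root whose name looks like a Cygwin DLL (cyg*.dll)."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            lower = name.lower()
            if lower.startswith("cyg") and lower.endswith(".dll"):
                yield os.path.join(dirpath, name)


def audit(root: str, known_good: dict) -> dict:
    """Classify each cyg*.dll under root.

    known_good maps a lower-cased DLL file name to the SHA-256 of the trusted copy.
    Returns a dict with lists "verified", "mismatch", "not_pe", "unknown" and a
    "duplicates" map of DLL name -> paths when the same name occurs more than once.
    """
    result = {"verified": [], "mismatch": [], "not_pe": [], "unknown": [], "duplicates": {}}
    by_name = defaultdict(list)
    for path in find_cygwin_dlls(root):
        name = os.path.basename(path).lower()
        by_name[name].append(path)
        if not looks_like_pe(path):
            result["not_pe"].append(path)   # name only; not even a PE image
            continue
        expected = known_good.get(name)
        if expected is None:
            result["unknown"].append(path)  # real DLL, but not in the trusted manifest
        elif sha256_of(path) == expected:
            result["verified"].append(path)  # byte-for-byte the trusted build
        else:
            result["mismatch"].append(path)  # same name, different contents
    result["duplicates"] = {n: p for n, p in by_name.items() if len(p) > 1}
    return result


def build_sample_tree() -> tuple:
    """Construct a throwaway tree (sample data only, no real binaries)."""
    root = tempfile.mkdtemp(prefix="cygaudit_")
    genuine = b"MZ" + b"\x90" * 62 + b"PE\x00\x00" + b"trusted cygcrypt build (constructed)"
    tampered = b"MZ" + b"\x90" * 62 + b"PE\x00\x00" + b"other bytes, same name (constructed)"
    text = b"plain text renamed to .dll (constructed)"
    layout = {
        os.path.join(root, "cygwin", "bin", "cygcrypt-0.dll"): genuine,
        os.path.join(root, "Windows", "system32", "cygcrypt-0.dll"): tampered,
        os.path.join(root, "Temp", "cygwin1.dll"): text,
    }
    for path, data in layout.items():
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)
    known_good = {"cygcrypt-0.dll": hashlib.sha256(genuine).hexdigest()}
    return root, known_good


if __name__ == "__main__":
    sample_root, manifest = build_sample_tree()
    for category, items in audit(sample_root, manifest).items():
        print(f"{category}: {items}")
```

On the constructed tree the copy under cygwin/bin verifies, the second cygcrypt-0.dll under Windows/system32 is reported as a hash mismatch and both are listed as duplicates, and the renamed text file is rejected before any hash comparison. Pointing `audit()` at a real drive with a manifest taken from a clean Cygwin install gives the same name-versus-content distinction the post asks the anti-virus vendor to make.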
--
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
Problem reports: http://cygwin.com/problems.html
Documentation: http://cygwin.com/docs.html
FAQ: http://cygwin.com/faq/