Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm
Sender: cygwin-owner AT cygwin DOT com
Mail-Followup-To: cygwin AT cygwin DOT com
Delivered-To: mailing list cygwin AT cygwin DOT com
Date: Mon, 10 Jan 2005 16:40:57 -0500 (EST)
From: Dick Repasky
To: cygwin AT cygwin DOT com
Subject: Re: cygcrypt-0.dll infected
In-Reply-To: <20050110204419.GL23702@cygbert.vinschen.de>
References: <41E2DCC4 DOT 1060506 AT watchmark DOT com> <20050110204419 DOT GL23702 AT cygbert DOT vinschen DOT de>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed
X-IsSubscribed: yes
Note-from-DJ: This may be spam

It may be worth thinking about what's actually happened here. Take a look at the technical description at http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=BKDR_HACDEF.M&VSect=T . One of the characteristics of the malware is that it hides a file named cygcrypt-0.dll. The description does not state that the malware installs cygcrypt-0.dll, but it is well known that some rootkits are built using cygwin. Indeed, someone from our security office recently told me that if someone runs cygwin and gets complaints about conflicting or duplicate cygwin DLLs, and if that person is sure that cygwin has never been installed on the machine, chances are that the machine has been compromised and that a cygwin-based rootkit has been installed.

I suspect that cygcrypt-0.dll is distributed as part of the malware in question. Why else would it hide the file? If cygcrypt-0.dll is distributed as part of the malware, rebuilding the package will only put the problem off until the malware is repackaged to use the latest release.

Rather than telling users to bug the anti-virus company, it might be worth having someone from cygwin contact them to explain the issue. It might also be worth doing a little bit of homework. That is, get a copy of the malware, unpack it, and check to see whether cygcrypt-0.dll is included in its entirety. What if it's really only something that bears the name and that the anti-virus company is checking names only?

Just my 2 cents,

Dick Repasky

-----------------
Dick Repasky
Bioinformatics Support
UITS Cubicle 101.08
Indiana University
USA
rrepasky AT indiana DOT edu

--
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
Problem reports: http://cygwin.com/problems.html
Documentation: http://cygwin.com/docs.html
FAQ: http://cygwin.com/faq/
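The "checking names only" question in the post above is the one a responder actually has to settle: a file called cygcrypt-0.dll found on a box may be a byte-for-byte copy of the package DLL, a repacked or trojaned PE wearing the same name, or not a PE at all. The script below is an added example written for this page; it is not code from the cygwin project, the list, or the anti-virus vendor. It shows a name-only check beside a content check (PE magic plus SHA-256 against a reference manifest). Everything in it is constructed: the "genuine" DLL bytes are a stand-in, the reference hash is derived from that stand-in rather than from the real cygcrypt-0.dll, and the sample directory tree is built in a temp dir by the script itself. To use it for real, replace GENUINE_DLL_BYTES with the hash computed from the DLL in the cygwin package you trust.

```python
import hashlib
import os
import tempfile

# CONSTRUCTED stand-in for the genuine DLL from the cygwin package.
# It is NOT the real cygcrypt-0.dll; only the "MZ" magic mimics a PE file.
# In real use, compute the reference hash from the package's own DLL.
GENUINE_DLL_BYTES = b"MZ" + b"\x90" * 62 + b"PE\x00\x00" + b"cygcrypt-0 stand-in body"

# Reference manifest: lowercase file name -> SHA-256 of the package's file.
REFERENCE_MANIFEST = {
    "cygcrypt-0.dll": hashlib.sha256(GENUINE_DLL_BYTES).hexdigest(),
}

GENUINE = "genuine-copy"                 # name and content both match the package
DIFFERS = "name-match-content-differs"   # a PE with the package name but other bytes
NOT_PE = "name-match-not-a-pe"           # the name only; not even a PE image
UNLISTED = "not-in-manifest"             # nothing to compare against


def name_only_hit(path, manifest):
    """What a scanner that checks names only would report: any listed name is a hit."""
    return os.path.basename(path).lower() in manifest


def content_verdict(path, manifest):
    """Classify a file by its bytes, not its name."""
    name = os.path.basename(path).lower()
    if name not in manifest:
        return UNLISTED
    with open(path, "rb") as fh:
        data = fh.read()
    if data[:2] != b"MZ":          # every PE image starts with the DOS "MZ" header
        return NOT_PE
    if hashlib.sha256(data).hexdigest() == manifest[name]:
        return GENUINE
    return DIFFERS


def scan(root, manifest):
    """Walk a tree; return {relative path: (name-only hit?, content verdict)}."""
    results = {}
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            full = os.path.join(dirpath, fn)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            results[rel] = (name_only_hit(full, manifest), content_verdict(full, manifest))
    return results


def build_sample_tree():
    """CONSTRUCTED sample tree: one real copy, one repack, one impostor, one unrelated DLL."""
    root = tempfile.mkdtemp(prefix="cygscan-")
    cases = {
        "cygwin/bin/cygcrypt-0.dll": GENUINE_DLL_BYTES,
        "windows/system32/cygcrypt-0.dll": b"MZ" + b"\x00" * 62 + b"PE\x00\x00" + b"repacked by something else",
        "temp/cygcrypt-0.dll": b"just a text file wearing the name\n",
        "cygwin/bin/cygwin1.dll": b"MZ" + b"\x00" * 70,
    }
    for rel, content in cases.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    for rel, (hit, verdict) in sorted(scan(root, REFERENCE_MANIFEST).items()):
        print(f"{rel}: name-only={'HIT' if hit else 'miss'}  content={verdict}")
```

Run as-is, the name-only column flags all three cygcrypt-0.dll files identically, while the content column separates the package copy from the repacked PE and from the plain file that merely carries the name; that difference is exactly what determines whether "rebuild the package" can help at all.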