Gentoo Archives: gentoo-security

From: whereislibertyandjustice@×××××××××.net
To: gentoo-security@l.g.o
Subject: [gentoo-security] gmonstart / jvregisterclasses in tons of binaries with commands, malware?
Date: Thu, 17 Dec 2009 04:04:41
Message-Id: N1B-IFB_T1CDMm@Safe-mail.net
In Linux binaries, in any Linux distro, I've discovered the same strings,
which I believe may be due to a virus or trojan.

Yet clamav, rkhunter and chkrootkit do not detect abnormalities.

Whether I run 'strings' on the binary files or view with vim or gedit, here
is what is always seen inside the binaries:


__gmon_start__
_Jv_RegisterClasses

Followed by commands which differ within each binary.

If, by some luck, I've downloaded a fresh Linux ISO where binaries do not
include the above two strings followed by commands, after I run an update
the updated binaries suddenly contain the above two strings and other, what
I believe to be, rogue strings. I've avoided the possible infection with an
OpenBSD install, yet all the Linux installations and burned ISOs contain
binaries with the above two strings followed by commands.

Search using find within your bin and sbin directories for those two strings
and see how many positives you find. Now use a text editor like vi or gedit
and search through the gibberish, locate these strings and isolate the
commands, if any, which follow them. Searching for variations such as
gmonstart, gmon, registerclasses, jv, etc. also works. If you find results
in your binaries, please copy/paste the commands following the gmonstart and
jvregisterclasses strings so I may compare them to mine.

I've purchased Linux CDs from brick-and-mortar stores, downloaded ISOs from
different physical locations and found some CDs contained these strings
in the binaries and one or two rare ones did not, but when installed/updated
on a network connection the binaries replaced in the update process would
show these strings!! These strings are not alone by themselves in the
binaries; they are followed by commands with an @ mark before each command.

Google results are vague; some suggest shell backdoors. Every Linux user
I've asked to date calls me paranoid, while at the same time this knowledge
comes as a surprise to them too when they search their binaries and find
the same strings. I'm amazed by how quickly some rush to judgement and call
you paranoid for being curious about the files on your system. The strings
may or may not be common, but in comparing the commands which follow these
strings I've noticed some which seem downright malicious!

Maybe they're right and I'm just paranoid, but what am I seeing, and why
are these strings so common across Linux distros' binaries, esp. the
Jv (Java?) reference? Please, any help?

Replies