Gentoo Archives: gentoo-security

From: "Robin H. Johnson" <robbat2@g.o>
To: gentoo-security@l.g.o
Subject: Re: [gentoo-security] gmonstart / jvregisterclasses in tons of binaries with commands,malware?
Date: Thu, 17 Dec 2009 06:11:15
Message-Id: robbat2-20091217T050303-895383311Z@orbis-terrarum.net
In Reply to: [gentoo-security] gmonstart / jvregisterclasses in tons of binaries with commands,malware? by whereislibertyandjustice@Safe-mail.net
On Wed, Dec 16, 2009 at 09:06:04PM -0500, whereislibertyandjustice@×××××××××.net wrote:
> Google results are vague, some suggest shell backdoors, every Linux user
> I've asked to date calls me paranoid while at the same time this knowledge
> comes as a surprise to them, too, when they search their binaries and find
> the same strings. I'm amazed by how quickly some rush to judgement and call
> you a paranoid for being curious about the files on your system. The strings
> may/may not be common, but in comparing commands which follow these strings
> I've noticed some which seem downright malicious!
Just because it seems to be everywhere doesn't mean it's malicious.
Why did you assign "malicious" as the reason for it occurring everywhere?

If you'd compiled a single program yourself with gcc, manually on the
commandline, you would have seen the same symbols too.

Even this really simple program:
int main(int argc, char** argv) { return 0; }

> Maybe they're right, I'm just paranoid, but what am I seeing and why
> are these strings so common across Linux distros binaries, esp. the
> Jv (java?) reference? Please, any help?
First of all, using strings is not the best way to go about looking at
binaries. objdump and the various ELF inspection tools would show that
you were looking at a function named __gmon_start__ in the code.

# readelf -s /usr/bin/bc |egrep 'Jv|gmon'
Symbol table '.dynsym' contains 57 entries:
Num: Value Size Type Bind Vis Ndx Name
...
5: 0000000000000000 0 NOTYPE WEAK DEFAULT UND __gmon_start__
6: 0000000000000000 0 NOTYPE WEAK DEFAULT UND _Jv_RegisterClasses

Weak-binding, undefined references to functions of said names.

__gmon_start__:
Grab yourself the glibc sources, and read the following files:
glibc-${PV}/csu/gmon-start.c
glibc-${PV}/sysdeps/generic/initfini.c
In both cases, searching for "gmon_start"

gmon_start is the entry point of profiling any program.

_Jv_RegisterClasses:
You'll need to dig into the GCC sources to understand this one.
I wish GCC wouldn't pollute non-Java stuff with it, but it seems an
unfortunate side-effect of having GCJ support, even if you don't use it.

--
Robin Hugh Johnson
Gentoo Linux: Developer, Trustee & Infrastructure Lead
E-Mail : robbat2@g.o
GnuPG FP : 11AC BA4F 4778 E3F6 E4ED F38E B27B 944E 3488 4E85
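The readelf check from the message, turned into a small triage script (an added example, not code from the thread): it parses `readelf -s` output and separates the weak undefined toolchain symbols discussed above from strong undefined imports and from any other weak undefined names that would merit a closer look. The sample output is constructed to mirror the quoted lines; the `_ITM_*` names come from GCC's crtstuff and are an assumption beyond what the message lists.

```python
# Triage of `readelf -s` output: which undefined symbols are toolchain artifacts.
# Added example, not from the thread; SAMPLE is constructed from the lines quoted there.
import re
import subprocess
import sys

# One symbol line: Num, Value, Size, Type, Bind, Vis, Ndx, Name
SYM_RE = re.compile(r"^\s*(\d+):\s+([0-9a-fA-F]+)\s+(\d+)\s+(\w+)\s+(\w+)\s+(\w+)\s+(\S+)\s+(\S+)")

# Weak undefined references the GNU toolchain plants in dynamically linked programs:
# __gmon_start__ (glibc csu/gmon-start.c), _Jv_RegisterClasses and the _ITM_* hooks
# (both from GCC's crtstuff; the _ITM_ names are assumed, they are not in the thread).
TOOLCHAIN_WEAK_UNDEF = {"__gmon_start__", "_Jv_RegisterClasses", "_ITM_registerTMCloneTable", "_ITM_deregisterTMCloneTable"}

SAMPLE = """Symbol table '.dynsym' contains 57 entries:
   Num:    Value          Size Type    Bind   Vis      Ndx Name
     1: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND free@GLIBC_2.2.5 (2)
     5: 0000000000000000     0 NOTYPE  WEAK   DEFAULT  UND __gmon_start__
     6: 0000000000000000     0 NOTYPE  WEAK   DEFAULT  UND _Jv_RegisterClasses
    20: 0000000000402a10   123 FUNC    GLOBAL DEFAULT   13 main
"""

def parse_symbols(text):
    """Parse readelf -s output into one dict per symbol line (headers skipped)."""
    syms = []
    for line in text.splitlines():
        m = SYM_RE.match(line)
        if m:
            num, value, size, typ, bind, vis, ndx, name = m.groups()
            syms.append({"num": int(num), "value": int(value, 16), "size": int(size),
                         "type": typ, "bind": bind, "vis": vis, "ndx": ndx, "name": name})
    return syms

def triage(text):
    """Return (toolchain weak-undef, other weak-undef, strong undef) symbol names."""
    expected, other_weak, strong = [], [], []
    for s in parse_symbols(text):
        if s["ndx"] != "UND":
            continue                      # defined in this object; not an import
        if s["bind"] != "WEAK":
            strong.append(s["name"])      # must resolve at load time
        elif s["name"] in TOOLCHAIN_WEAK_UNDEF:
            expected.append(s["name"])    # the names the thread asks about
        else:
            other_weak.append(s["name"])  # unusual for a weak import: look closer
    return expected, other_weak, strong

if __name__ == "__main__":
    text = SAMPLE if len(sys.argv) < 2 else subprocess.run(["readelf", "-s", sys.argv[1]], capture_output=True, text=True, check=True).stdout
    print(dict(zip(("toolchain weak-undef", "other weak-undef", "strong undef"), triage(text))))
```

Run without arguments it triages the constructed sample; run with a path it invokes readelf on that binary.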