[SGVLUG] False positive?: "LKM Trojan Installed"
David Lawyer
dave at lafn.org
Mon Oct 16 14:26:19 PDT 2006
I thought that it's about time that I post something "on topic" rather
than OT. So here it is. I think I've solved the problem by
assuming that it's "no problem".

When my cron jobs run (which were somehow set up to run by updating
Debian packages using "apt-get"), I get email reports from them. One
such report told me that a possible LKM Trojan was installed. But it
also said that per "chkproc" 1 process was hidden for the ps command.
This means that there was a process running which didn't get listed by
the "ps" command, possibly because the "ps" command has been
contaminated with code so that it would not display a certain rogue
LKM (Linux Kernel Module) process. So I ran "chkproc" (it's not in
any standard path so I had to use "locate" to find it) and it finds
nothing wrong.

So per what I saw on the Internet, chkproc can make a mistake since it
takes a snapshot of both the output of "ps" and the list of processes
in the /proc/ directory. They are not really a list since each
process number appears as the name of a subdirectory in the /proc/
directory. /proc/ is not a normal directory since the contents of all
the files in its tree are all in memory and not on disk.

So since chkproc takes a snapshot of the output of ps and the list of
processes in /proc at slightly different times, there's supposedly a
possibility of an error since a process may be born or die while
chkproc is gathering the info (including the time ps is gathering its
info, etc.). Such an error would be a false positive. Here the
"positive" result of the test is that it finds a trojan. But if
that's false they say it's a "false positive". So I think I'm just
getting a false positive and have nothing to worry about. Any
comments? Do others get this false positive?

I further checked the checksum of the ps binary and found it to be
correct. To do this I used the md5sum program on ps and compared it
to an md5 list in a file in the Debian package directory tree. These
are the md5sums of the binaries (such as ps) which I downloaded from
Debian over the Internet using apt-get.
David Lawyer
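An added example, not chkproc's own code (which is part of chkrootkit): it does the /proc-versus-ps comparison the post describes, but takes several paired snapshots and reports only PIDs that are present in /proc every time and never listed by ps, so a process that is born or dies mid-scan does not produce the false positive discussed above. It assumes a Linux host with /proc mounted and a ps that accepts `-e -o pid=`; the sample snapshots at the bottom are constructed.

```python
"""Hidden-process check in the spirit of chkproc, with repeated sampling
so that a process that starts or exits between the /proc read and the ps
run is not reported as a hidden LKM-style process."""
import os
import subprocess
import time
from typing import Iterable, Set


def proc_pids() -> Set[int]:
    """PIDs visible in /proc: every all-digit directory name is a process."""
    return {int(name) for name in os.listdir("/proc") if name.isdigit()}


def ps_pids() -> Set[int]:
    """PIDs reported by ps; -e lists all processes, -o pid= prints bare PIDs."""
    out = subprocess.run(["ps", "-e", "-o", "pid="], capture_output=True,
                         text=True, check=True).stdout
    return {int(tok) for tok in out.split()}


def persistent_hidden(proc_snaps: Iterable[Set[int]],
                      ps_snaps: Iterable[Set[int]]) -> Set[int]:
    """PIDs present in /proc in every sample but never reported by ps.

    A PID seen in only some samples is treated as a process that was born or
    died mid-scan (the race behind chkproc's false positive) and is dropped;
    only a PID hidden consistently across all samples is returned.
    """
    proc_snaps, ps_snaps = list(proc_snaps), list(ps_snaps)
    if not proc_snaps or len(proc_snaps) != len(ps_snaps):
        raise ValueError("need the same non-zero number of /proc and ps samples")
    always_in_proc = set.intersection(*proc_snaps)
    ever_in_ps = set.union(*ps_snaps)
    return always_in_proc - ever_in_ps


def live_check(samples: int = 3, pause: float = 0.2) -> Set[int]:
    """Take several paired snapshots of the running host and compare them."""
    proc_snaps, ps_snaps = [], []
    for _ in range(samples):
        proc_snaps.append(proc_pids())   # read /proc first, then run ps,
        ps_snaps.append(ps_pids())       # exactly the order that races
        time.sleep(pause)
    return persistent_hidden(proc_snaps, ps_snaps)


# Constructed samples: PID 4242 is short-lived (in /proc during one read only),
# PID 31337 is in /proc in every sample but ps never lists it.
SAMPLE_PROC = [{1, 2, 4242, 31337, 900}, {1, 2, 31337, 900}, {1, 2, 31337, 901}]
SAMPLE_PS = [{1, 2, 900}, {1, 2, 900}, {1, 2, 901}]

if __name__ == "__main__":
    print("persistently hidden:", sorted(persistent_hidden(SAMPLE_PROC, SAMPLE_PS)))
    if os.path.isdir("/proc"):
        print("live:", sorted(live_check()))
```

A PID that really is hidden by a kernel module stays in the result across all samples; a single-sample difference, the case the post attributes to chkproc, is filtered out.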