This is the mail archive of the cygwin mailing list for the Cygwin project.


Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]

Re: cygcrypt-0.dll infected



It may be worth thinking about what's actually happened here. Take a look at the technical description at http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=BKDR_HACDEF.M&VSect=T . One of the characteristics of the malware is that it hides a file named cygcrypt-0.dll. The description does not state that the malware installs cygcrypt-0.dll, but it is well known that some root kits are built using cygwin. Indeed, someone from our security office recently told me that if someone runs cygwin and gets complaints about conflicting or duplicate cygwin DLLs, and if that person is sure that cygwin has never been installed on the machine, chances are that the machine has been compromised and that a cygwin-based root kit has been installed.


I suspect that cygcrypt-0.dll is distributed as part of the malware in question. Why else would it hide the file? If cygcrypt-0.dll is distributed as part of the malware, rebuilding the package will only put the problem off until the malware is repackaged to use the latest release.

Rather than telling users to bug the anti-virus company, it might be worth having someone from cygwin contact them to explain the issue. It might also be worth doing a little bit of homework. That is, get a copy of the malware, unpack it, and check to see whether cygcrypt-0.dll is included in its entirety. What if it's really only something that bears the name and the anti-virus company is checking names only?


Just my 2 cents,

Dick Repasky

-----------------

Dick Repasky
Bioinformatics Support
UITS Cubicle 101.08
Indiana University
USA

rrepasky@indiana.edu

--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Problem reports:       http://cygwin.com/problems.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/
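The two checks raised in the message above, as an added example that is not part of the original post or of the Cygwin project: locating more than one copy of a Cygwin DLL name on a machine, and telling a genuine copy apart from a file that merely bears the name, by content (PE signature and SHA-256 against a known-good digest) rather than by file name. The DLL contents, digests and paths below are constructed placeholders; a real check would hash the DLLs from the Cygwin package actually installed.

```python
"""Inventory and verify files that carry Cygwin DLL names.

Added example, not code from the mailing-list post or from Cygwin. All sample
contents, digests and paths are constructed for the demonstration.
"""
import hashlib
import struct
from collections import defaultdict

# DLL names the post mentions; extend as needed.
WATCHED_NAMES = {"cygcrypt-0.dll", "cygwin1.dll"}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def looks_like_pe(data: bytes) -> bool:
    """True if the bytes start with an MZ header whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def fake_pe(payload: bytes) -> bytes:
    """Build a minimal blob with a valid DOS/PE signature chain (constructed test data)."""
    header = bytearray(0x40)
    header[:2] = b"MZ"
    struct.pack_into("<I", header, 0x3C, 0x40)  # e_lfanew -> directly after the DOS header
    return bytes(header) + b"PE\0\0" + payload


def classify(name: str, data: bytes, known_good: dict) -> str:
    """Return 'trusted', 'name-only' or 'not-a-dll' for one candidate file.

    'name-only' is the case the post worries about: the file name matches a
    Cygwin DLL, but the contents do not match any known-good build.
    """
    if not looks_like_pe(data):
        return "not-a-dll"
    if sha256_hex(data) in known_good.get(name, set()):
        return "trusted"
    return "name-only"


def audit(inventory: dict, known_good: dict) -> dict:
    """inventory maps path -> file bytes. Returns {dll name: [(path, verdict), ...]}
    for watched names; a list longer than one means duplicate copies exist."""
    report = defaultdict(list)
    for path, data in inventory.items():
        name = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
        if name in WATCHED_NAMES:
            report[name].append((path, classify(name, data, known_good)))
    return dict(report)


# Constructed sample data: one genuine copy, one copy elsewhere that carries the
# right name but different contents, a text file with the DLL name, and a file
# whose name is not watched at all. Paths are placeholders, not real findings.
GENUINE = fake_pe(b"cygcrypt build from the Cygwin package (constructed)")
IMPOSTOR = fake_pe(b"different contents, same file name (constructed)")
KNOWN_GOOD = {"cygcrypt-0.dll": {sha256_hex(GENUINE)}}
SAMPLE_INVENTORY = {
    r"C:\cygwin\bin\cygcrypt-0.dll": GENUINE,
    r"C:\Users\Public\cygcrypt-0.dll": IMPOSTOR,
    r"C:\temp\cygcrypt-0.dll": b"not a binary at all",
    r"C:\cygwin\bin\readme.txt": b"ignored, not a watched name",
}


def sample_report() -> dict:
    return audit(SAMPLE_INVENTORY, KNOWN_GOOD)


if __name__ == "__main__":
    for name, hits in sample_report().items():
        flag = " (multiple copies)" if len(hits) > 1 else ""
        print(f"{name}{flag}")
        for path, verdict in hits:
            print(f"  {verdict:10} {path}")
```

The known-good set is keyed by file name so that several legitimate builds of the same DLL can be trusted at once; a scanner that stops at the file name would report all three cygcrypt-0.dll entries identically, which is exactly the weakness the post asks about.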

