gmonstart / jvregisterclasses in tons of binaries with commands,malware?
In Linux binaries, in any Linux distro, I've discovered the same strings
which I believe may be due to a virus or trojan.

Yet, clamav, rkhunter, chkrootkit do not detect abnormalities.

Whether I run 'strings' on the binary files or view with vim or gedit, here
is what is always seen inside the binaries:


__gmon_start__
_Jv_RegisterClasses

Followed by commands which differ within each binary.

If, by some luck, I've downloaded a fresh Linux ISO where binaries do not
include the above two strings followed by commands, after I run an update
the updated binaries suddenly contain the above two strings and other, what
I believe to be, rogue strings. I've avoided the possible infection with an
OpenBSD install, yet all the Linux installations and burned ISOs contain
binaries with the above two strings followed by commands.

Search using find within your bin and sbin directories for those two strings
and see how many positives you find. Now use a text editor like vi or gedit
and search through the gibberish, locate these strings and isolate the
commands, if any, which follow them. Searching for variations of gmonstart,
gmon, registerclasses, jv, etc. works. If you find results in your
binaries, please copy/paste the commands following the gmonstart and
jvregisterclasses strings so I may compare them to mine.

I've purchased Linux CDs from brick + mortar stores, downloaded ISOs from
different physical locations and found some CDs contained these strings
in the binaries and one or two rare ones did not, but when installed/updated
on a network connection the binaries replaced in the update process would
show these strings!! These strings are not alone by themselves in the
binaries; they are followed by commands with a @ mark before each command.

Google results are vague, some suggest shell backdoors, every Linux user
I've asked to date calls me paranoid while at the same time this knowledge
comes as a surprise to them, too, when they search their binaries and find
the same strings. I'm amazed by how quickly some rush to judgement and call
you a paranoid for being curious about the files on your system. The strings
may/may not be common, but in comparing commands which follow these strings
I've noticed some which seem downright malicious!

Maybe they're right, I'm just paranoid, but what am I seeing and why
are these strings so common across Linux distros' binaries, esp. the
Jv (java?) reference? Please, any help?
Re: gmonstart / jvregisterclasses in tons of binaries with commands,malware?
whereislibertyandjustice@safe-mail.net said:
> In linux binaries, in any linux distro, I've discovered the same strings
> which I believe may be due to a virus or trojan.
>
> Yet, clamav, rkhunter, chkrootkit do not detect abnormalities.
>
> Whether I run 'strings' on the binary files or view with vim or gedit, here
> is what is always seen inside the binaries:
>
>
> __gmon_start__
> _Jv_RegisterClasses

http://gcc.gnu.org/ml/gcc/2002-06/msg00112.html

This at least appears to answer the _Jv_RegisterClasses issue (I haven't found anything about gmon_start). Essentially what appears to be going on is gcc is doing it, it's intended, and I would guess more than likely related to gcj in some way.
Re: gmonstart / jvregisterclasses in tons of binaries with commands,malware?
On Wed, Dec 16, 2009 at 09:06:04PM -0500, whereislibertyandjustice@Safe-mail.net wrote:
> Google results are vague, some suggest shell backdoors, every Linux user
> I've asked to date calls me paranoid while at the same time this knowledge
> comes as a surprise to them, too, when they search their binaries and find
> the same strings. I'm amazed by how quickly some rush to judgement and call
> you a paranoid for being curious about the files on your system. The strings
> may/may not be common, but in comparing commands which follow these strings
> I've noticed some which seem down right malicious!
Just because it seems to be everywhere, doesn't mean it's malicious.
Why did you assign "malicious" as the reason for it occurring everywhere?

If you'd compiled a single program yourself with gcc, manually on the
commandline, you would have seen the same symbols too.

Even this really simple program:
int main(int argc, char** argv) { return 0; }

> Maybe they're right, I'm just paranoid, but what am I seeing and why
> are these strings so common across Linux distros binaries, esp. the
> Jv (java?) reference? Please, any help?
First of all, using strings is not the best way to go about looking at
binaries. objdump and the various ELF inspection tools would show that
you were looking at a function named __gmon_start__ in the code.

# readelf -s /usr/bin/bc |egrep 'Jv|gmon'
Symbol table '.dynsym' contains 57 entries:
Num: Value Size Type Bind Vis Ndx Name
...
5: 0000000000000000 0 NOTYPE WEAK DEFAULT UND __gmon_start__
6: 0000000000000000 0 NOTYPE WEAK DEFAULT UND _Jv_RegisterClasses

Weak-binding, undefined references to functions of said names.

__gmon_start__:
Grab yourself the glibc sources, and read the following files:
glibc-${PV}/csu/gmon-start.c
glibc-${PV}/sysdeps/generic/initfini.c
In both cases, searching for "gmon_start"

gmon_start is the entry point of profiling any program.

_Jv_RegisterClasses:
You'll need to dig into the GCC sources to understand this one.
I wish GCC wouldn't pollute non-Java stuff with it, but it seems an
unfortunate side-effect of having GCJ support, even if you don't use it.

--
Robin Hugh Johnson
Gentoo Linux: Developer, Trustee & Infrastructure Lead
E-Mail : robbat2@gentoo.org
GnuPG FP : 11AC BA4F 4778 E3F6 E4ED F38E B27B 944E 3488 4E85
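To make the "weak-binding, undefined reference" point above concrete, here is an added example (not code from the thread or from glibc) showing how C code declares such a reference and why the symbol name ends up in the binary even though no code for it is present. It assumes a GNU/Linux toolchain (gcc or clang with a GNU-style linker); `example_optional_hook` is a made-up name for illustration.

```c
/* Added example, not from the thread or from glibc: a weak undefined
 * reference in C. glibc's startup code refers to __gmon_start__ this way
 * (see csu/gmon-start.c and the crt init code); the pattern below is a
 * stand-alone illustration, not glibc's own source.
 * Assumes a GNU/Linux toolchain. */
#include <stdio.h>

/* A weak reference: the linker does not fail if nobody defines the symbol;
 * it simply resolves to address 0 at run time. The name still has to be
 * stored in the binary's dynamic symbol table (which is why `strings` finds
 * it) so the dynamic linker can try to resolve it at load time. This is the
 * kind of entry readelf reports as "NOTYPE WEAK DEFAULT UND". */
extern void __gmon_start__(void) __attribute__((weak));

/* Same mechanism with a hypothetical hook of our own (name made up for this
 * example) so the reader can see it is not specific to profiling. */
extern void example_optional_hook(void) __attribute__((weak));

/* Mirrors the check done at program start: call the profiler entry point
 * only if a profiling runtime (gcrt1.o, linked in with -pg) defined it.
 * Returns 1 if the hook existed and was called, 0 if it resolved to null. */
int run_profiling_init_if_present(void)
{
    if (__gmon_start__) {
        __gmon_start__();
        return 1;
    }
    return 0;
}

/* Returns 1 if something in the final link defined the hook, 0 otherwise. */
int optional_hook_present(void)
{
    return example_optional_hook != 0;
}

int main(void)
{
    /* In a normal (non -pg) build both references resolve to 0. */
    printf("__gmon_start__ resolved: %d\n", run_profiling_init_if_present());
    printf("example_optional_hook resolved: %d\n", optional_hook_present());
    return 0;
}
```

Build it with `gcc -o weakref weakref.c` and run `readelf -s weakref | grep -E 'gmon|example_optional'`: both names should appear as WEAK UND entries, exactly like the two lines in the readelf output above, and the program reports 0 for each because nothing defined them. Linking with `-pg` instead pulls in gcrt1.o, which defines `__gmon_start__`, and the first check then becomes 1. The symbol name in the file is a reference, not a payload: the defender's check is whether readelf shows the symbol as UND (merely referenced) or as a defined FUNC with a non-zero value and size.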
Re: gmonstart / jvregisterclasses in tons of binaries with commands,malware?
On 12/17/09 03:06, whereislibertyandjustice@Safe-mail.net wrote:
> In linux binaries, in any linux distro, I've discovered the same strings
> which I believe may be due to a virus or trojan.
>
> Yet, clamav, rkhunter, chkrootkit do not detect abnormalities.
>
> Whether I run 'strings' on the binary files or view with vim or gedit, here
> is what is always seen inside the binaries:
>
>
> __gmon_start__
> _Jv_RegisterClasses
>
> Followed by commands which differ within each binary.
>
Can you give an example of what commands you are talking about?

__gmon_start__ is part of a normal glibc
http://repo.or.cz/w/glibc.git/blob/HEAD:/csu/gmon-start.c#l60

Almost every gcc-compiled dynamically linked binary contains references to
_Jv_RegisterClasses.

--
Karl Hiramoto http://karl.hiramoto.org/
Re: gmonstart / jvregisterclasses in tons of binaries with commands,malware?
On Wed, 2009-12-16 at 21:06 -0500,
whereislibertyandjustice@Safe-mail.net wrote:
> In linux binaries, in any linux distro, I've discovered the same strings
> which I believe may be due to a virus or trojan.
>
> Yet, clamav, rkhunter, chkrootkit do not detect abnormalities.
There is none. And I don't think any of the above-mentioned tools will
actually dig as deep as the symbols of an ELF.

> Whether I run 'strings' on the binary files or view with vim or gedit, here
> is what is always seen inside the binaries:
>
>
> __gmon_start__
> _Jv_RegisterClasses

These symbols are normal and nothing to really get overly paranoid about.
Some years ago I had a patch for uClibc/gcc where I removed the _Jv_R..
weak symbol, but in the end it was not worth it.
There is no attack vector there.