Gil Hamilton wrote:
> Karsten Self writes:
> > Defeat: create a log buffer file of fixed size; logged activity changes its contents, but not the size of the file. E.g.: a filesystem image file under GNU/Linux. Techniques could be used to maintain a constant global MD5 checksum to defeat other detection attempts.
>
> What techniques could be used to do this? MD5 has some weaknesses, but creating collisions still is not trivial. Unless you know something I don't.

I interpreted that not as working around MD5, but as working around the procedure which would use MD5 to get a single number for an entire file system. Example: mark the logging software's keylog file as a device file, which wouldn't be processed by the file system checksum procedure. When the logger needs to write to its log, the file type is changed to "ordinary" and then back to "device" again.

--
Steve Furlong, Computer Condottiere
Have GNU, will travel
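The defensive counterpart to both tricks discussed above, as an added example that is mine and not code from any poster in this thread: instead of one global checksum, keep a per-entry baseline of inode type, size and SHA-256, so a fixed-size buffer that is rewritten in place, or an entry whose type flips between device node and ordinary file, still produces a finding. The directory, file name and contents in `demo_fixed_size_log` are constructed for the demonstration.

```python
import hashlib
import pathlib
import stat
import tempfile

def _kind(st):
    """Classify an inode so a type flip (regular <-> device) is visible."""
    m = st.st_mode
    if stat.S_ISREG(m):
        return "regular"
    if stat.S_ISCHR(m) or stat.S_ISBLK(m):
        return "device"
    return "dir" if stat.S_ISDIR(m) else "other"

def snapshot(root):
    """Record (kind, size, sha256) per entry; non-regular entries are kept too."""
    snap = {}
    for path in pathlib.Path(root).rglob("*"):
        st = path.lstat()
        kind, digest = _kind(st), None
        if kind == "regular":
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
        snap[str(path.relative_to(root))] = (kind, st.st_size, digest)
    return snap

def compare(old, new):
    """List (path, reason) for every difference, including same-size rewrites."""
    findings = []
    for path in sorted(set(old) | set(new)):
        if path not in old:
            findings.append((path, "added"))
        elif path not in new:
            findings.append((path, "removed"))
        else:
            (okind, osize, ohash), (nkind, nsize, nhash) = old[path], new[path]
            if okind != nkind:
                findings.append((path, f"type changed {okind}->{nkind}"))
            elif ohash != nhash:
                size_note = "unchanged" if osize == nsize else "changed"
                findings.append((path, f"content changed, size {size_note}"))
    return findings

def demo_fixed_size_log():
    """Constructed scenario: a 64-byte log buffer is rewritten in place."""
    root = tempfile.mkdtemp()
    log = pathlib.Path(root, "keylog.buf")
    log.write_bytes(b"A" * 64)
    before = snapshot(root)
    log.write_bytes(b"B" * 64)  # same length, different contents
    return compare(before, snapshot(root))
```

Because device nodes are recorded rather than skipped, a device entry that appears, disappears or changes type between two snapshots is itself reported, which is what a checksum procedure that ignores non-regular files misses.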