gmonstart / jvregisterclasses in tons of binaries with commands, malware?

Werner Schram wrschram at gmail.com
Wed Dec 16 23:12:15 UTC 2009


whereislibertyandjustice at Safe-mail.net wrote:
> In linux binaries, in any linux distro, I've discovered the same strings 
> which I believe may be due to a virus or trojan.
>
> Yet, clamav, rkhunter, chkrootkit do not detect abnormalities.
>
> Whether I run 'strings' on the binary files or view with vim or gedit, here
> is what is always seen inside the binaries:
>
>
> __gmon_start__
> _Jv_RegisterClasses
>
> Followed by commands which differ within each binary.
>
> If, by some luck, I've downloaded a fresh Linux ISO where binaries do not
> include the above two strings followed by commands, after I run an update
> the updated binaries suddenly contain the above two strings and other, what
> I believe to be, rogue strings. I've avoided the possible infection with an
> OpenBSD install, yet all the Linux installations and burned ISOs contain
> binaries with the above two strings followed by commands.
>
> Search using find within your bin and sbin directories for those two strings
> and see how many positives you find. Now use a text editor like vi or gedit
> and search through the gibberish, locate these strings and isolate the
> commands, if any, which follow them. Searching for gmonstart, gmon,
> registerclasses, jv, etc. variations of works. If you find results in your
> binaries, please copy/paste the commands following the gmonstart and
> jvregisterclasses strings so I may compare them to mine.
>
> I've purchased Linux CDs from brick + mortar stores, downloaded ISOs from
> different physical locations and found some CDs contained these strings 
> in the binaries and one or two rare ones did not, but when installed/updated 
> on a network connection the binaries replaced in the update process would
> show these strings!! These strings are not alone by themselves in the
> binaries they follow with commands with a @ mark before each command.
>
> Google results are vague, some suggest shell backdoors, every Linux user
> I've asked to date calls me paranoid while at the same time this knowledge
> comes as a surprise to them, too, when they search their binaries and find
> the same strings. I'm amazed by how quickly some rush to judgement and call
> you a paranoid for being curious about the files on your system. The strings
> may/may not be common, but in comparing commands which follow these strings
> I've noticed some which seem down right malicious!
>
> Maybe they're right, I'm just paranoid, but what am I seeing and why
> are these strings so common across Linux distros binaries, esp. the
> Jv (java?) reference? Please, any help?
>
>   
$ cat test.c
#include <stdio.h>
int main() {
        printf("hello world");
}
$ gcc test.c -o test
$ nm --undefined-only test
                 w _Jv_RegisterClasses
                 w __gmon_start__
                 U __libc_start_main@@GLIBC_2.2.5
                 U printf@@GLIBC_2.2.5

I'm pretty sure that this application does nothing more than print 
"hello world" on my screen.

Those symbols are added by gcc. If you want to know why, I think you 
will find more help at the gcc mailing list:
http://gcc.gnu.org/ml/gcc/

Werner
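The check Werner performs above can be scripted. The following Python is an added example (not code from the original thread): it parses `nm --undefined-only` output of the shape shown in the message, separates the two weak ("w") toolchain hooks `__gmon_start__` (the gprof profiling start hook) and `_Jv_RegisterClasses` (the old GCJ class-registration hook) from the real, strong ("U") library imports, strips the `@@GLIBC_2.2.5`-style symbol-version suffix that nm prints after versioned glibc imports, and reports any import that is not in an expected baseline. The embedded sample output is constructed from the hello-world listing in the message; `nm_undefined()` only runs the real `nm` when binutils happens to be installed.

```python
import re
import shutil
import subprocess
from typing import Dict, List, NamedTuple, Optional, Set

# Constructed sample: the same shape `nm --undefined-only test` printed for the
# hello-world binary in the message above.
SAMPLE_NM_OUTPUT = """\
                 w _Jv_RegisterClasses
                 w __gmon_start__
                 U __libc_start_main@@GLIBC_2.2.5
                 U printf@@GLIBC_2.2.5
"""

# Weak hooks that the GNU toolchain's startup objects reference in ordinary
# binaries: __gmon_start__ is the gprof profiling start hook, _Jv_RegisterClasses
# the old GCJ (GNU Java compiler) class-registration hook. Both are weak ("w"),
# so the dynamic linker resolves them to NULL when no loaded library defines
# them; their presence says nothing about what the program does.
TOOLCHAIN_WEAK_HOOKS = {"__gmon_start__", "_Jv_RegisterClasses"}


class NmSymbol(NamedTuple):
    name: str               # symbol name with any @VER / @@VER suffix stripped
    version: Optional[str]  # e.g. "GLIBC_2.2.5", or None when unversioned
    kind: str               # nm type letter: w = weak undefined, U = undefined, ...


# optional hex address, one type letter, symbol name
_LINE_RE = re.compile(r"^\s*(?:[0-9a-fA-F]+\s+)?([A-Za-z?])\s+(\S+)\s*$")


def parse_nm_line(line: str) -> Optional[NmSymbol]:
    """Parse one nm output line; return None for blank or unrecognised lines."""
    m = _LINE_RE.match(line)
    if not m:
        return None
    kind, raw = m.group(1), m.group(2)
    name, _, version = raw.partition("@")
    version = version.lstrip("@") or None  # handles both name@VER and name@@VER
    return NmSymbol(name, version, kind)


def parse_nm_output(text: str) -> List[NmSymbol]:
    symbols = []
    for line in text.splitlines():
        sym = parse_nm_line(line)
        if sym is not None:
            symbols.append(sym)
    return symbols


def classify(symbols: List[NmSymbol]) -> Dict[str, Set[str]]:
    """Split undefined symbols into the buckets a reviewer actually cares about."""
    out: Dict[str, Set[str]] = {"toolchain_weak": set(), "other_weak": set(), "imports": set()}
    for sym in symbols:
        if sym.kind == "w":
            bucket = "toolchain_weak" if sym.name in TOOLCHAIN_WEAK_HOOKS else "other_weak"
            out[bucket].add(sym.name)
        elif sym.kind == "U":
            out["imports"].add(sym.name)
    return out


def unexpected_imports(symbols: List[NmSymbol], baseline: Set[str]) -> Set[str]:
    """Strong undefined symbols (real library imports) that are not in the baseline."""
    return classify(symbols)["imports"] - baseline


def nm_undefined(path: str) -> Optional[List[NmSymbol]]:
    """Run the real nm on a binary if binutils is installed; None otherwise."""
    if shutil.which("nm") is None:
        return None
    proc = subprocess.run(["nm", "--undefined-only", path],
                          capture_output=True, text=True, check=True)
    return parse_nm_output(proc.stdout)


if __name__ == "__main__":
    syms = parse_nm_output(SAMPLE_NM_OUTPUT)
    for bucket, names in classify(syms).items():
        print(f"{bucket}: {sorted(names)}")
    # Only the strong "U" imports tell you which library functions the program
    # really calls; compare those against what you expect, not the weak hooks.
    print("unexpected:", sorted(unexpected_imports(syms, {"__libc_start_main", "printf"})))
```

Run it against a real file with `nm_undefined("/usr/bin/ls")` and feed the result to `classify()`: the two weak hooks appear in the `toolchain_weak` bucket for essentially every GCC-linked binary, while the `imports` bucket is the list worth reading when deciding whether a binary does something it should not.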




More information about the ubuntu-users mailing list