Possible virus? Process 'bioset'

**unspawn** · June 6th, 2014

Originally Posted by dshauld

Thanks for your help. That command returns nothing. Actually I get 'readlink: extra operand ‘ldd’' when I run that command but separately they return nothing.

Yeah sorry, that was a formatting fsckup the commands should indeed be run separately.

Originally Posted by dshauld

What do you make of that post by the Guest I linked to on the forum?

Which post do you mean?

Originally Posted by dshauld

When I was looking for information about this process it was sparse and that post got me thinking it may be a virus.

The reflex should be to gather nfo. Now you've got some commands for next time.

Originally Posted by dshauld

Every other process I looked for I could find information on. How is it that a process doesn't have any explanation or documentation?

Common kernel processes may be mentioned deep in the bowels of the kernel Documentation/ but simply don't have any manual or info pages. Like I said they'll usually be children (have a PPID) of the kthreadd.

**dshauld** · June 7th, 2014

Originally Posted by unspawn

Yeah sorry, that was a formatting fsckup the commands should indeed be run separately. Which post do you mean? The reflex should be to gather nfo. Now you've got some commands for next time. Common kernel processes may be mentioned deep in the bowels of the kernel Documentation/ but simply don't have any manual or info pages. Like I said they'll usually be children (have a PPID) of the kthreadd.

The post on the 'lunaticoutpost' forum. The guest poster says, 'Have a bunch of new processes. Bioset is one of them.' and links to linux.die.net. That's a strange post if it was intended for kernel developers. If it were for the kernel wouldn't I be able to find more information about it even with no man or info page?

Also thank you for the information about it being a child process but doesn't that make it more suspicious with no info? Wouldn't a virus/rootkit try to get loaded/attached to a process near ring 0?

Sorry if that doesn't make much sense, I am not a programmer or sysadmin. I just have an interest in security.

**dshauld** · June 7th, 2014

It appears to be related to Truecrypt

Code:

After restart, before starting truecrypt
ps -A | grep bioset
   67 ?        00:00:00 bioset
  355 ?        00:00:00 bioset
  359 ?        00:00:00 bioset
  383 ?        00:00:00 bioset
  386 ?        00:00:00 bioset

After starting truecrypt
ps -A | grep bioset
   67 ?        00:00:00 bioset
  355 ?        00:00:00 bioset
  359 ?        00:00:00 bioset
  383 ?        00:00:00 bioset
  386 ?        00:00:00 bioset
 2506 ?        00:00:00 bioset
 2509 ?        00:00:00 bioset
 2523 ?        00:00:00 bioset
 2526 ?        00:00:00 bioset
 2568 ?        00:00:00 bioset
 2573 ?        00:00:00 bioset
 2632 ?        00:00:00 bioset
 2635 ?        00:00:00 bioset
 2647 ?        00:00:00 bioset
 2650 ?        00:00:00 bioset
 2694 ?        00:00:00 bioset
 2697 ?        00:00:00 bioset
 2715 ?        00:00:00 bioset
 2718 ?        00:00:00 bioset
 2764 ?        00:00:00 bioset
 2767 ?        00:00:00 bioset
 2785 ?        00:00:00 bioset
 2789 ?        00:00:00 bioset
 2836 ?        00:00:00 bioset
 2839 ?        00:00:00 bioset
 2857 ?        00:00:00 bioset
 2860 ?        00:00:00 bioset
 2911 ?        00:00:00 bioset
 2914 ?        00:00:00 bioset
 2932 ?        00:00:00 bioset
 2935 ?        00:00:00 bioset