I've got a few questions about Trojan dectetion program for linux:

1) How can you be sure the trojan detection program is really working?

2) How can you be sure the trojan detection program is not a trojan itself?

3) Wouldn't there be ways for trojans to bypass, trojan detection programs.

if [ ! ${LIFE} = "" ]; then echo "Ok, we're alive.."; else echo "Hmm. What's sure in life again? :-]"; fi

1. By testing it against trojaned binaries from rootkits?
*Requires LRK's. Not all are easy to come by. High possibility for testing to make sure, depending on what you got. Hope you have a spare box to test it on :-]
2. By performing md5sum/PGP/GPG verification? Performing an audit on the code? Requesting a copy of the tarball signed to your PGP key?
*Requires coding knowledge, more paranoia than usual and a good set of eyes. Trust tru key/md5 usual option when D/L from well known source. Low possibility for faking, I'd say 10%, cuz if trojaned it'll be uncovered and pubicised soon (for instance; Wietse Venema, trojaned TCP Wrappers at hungarian ftp archive).
3. Yes, like kernel modification. Read some here (Silvio) and here (CERT).
*Requires skilled cracker doing this neat trick at your box. Chance this happens (non-commercial home box with nothing interesting to get) %10.

Just my 2 cents, and I'm not even sure of those :-]