[lug] Scary precedent, W32.Winux virus

Michael J. Pedersen marvin at keepthetouch.org
Wed Mar 28 16:08:33 MST 2001


On Wed, Mar 28, 2001 at 03:40:14PM -0700, D. Stimits wrote:
> > Did you see the actual code? How does it handle the two different
> > ABIs? What kind of header does it have? I'd like to see code that
> > can convince both Win and linux loaders that it's PE and ELF.
> 
> I haven't seen the actual code, but I wondered some of the same things.
> I would guess it has two entry points to the code, and wouldn't mind
> seeing myself how the asm is compiled. On Linux of course, you could
> trick the user into running some sort of compile or link, since the
> tools are always there; for Windows there are likely a lot of ways you
> could attempt to insert inline object code that isn't checked for
> validity ahead of time. It would be interesting to run ldd on the code.

Disclaimer: I haven't seen the code, but I have read the reports, and thought
about the ways this could be done.

The code replaces the entry code for PE executables. If the PE area is too
small for that exe, then the file doesn't get infected. For ELF, it places
itself at the beginning of the file, and moves the real startup code to the
end.

Doing this would be fairly easy. Have a body of code which has two headers
available to it. One for PE, one for ELF. Write the correct header, which
calls the actual body of the code, and that's about it. Nothing special or
magical about it.

The only worthwhile thing about it is that since it hadn't been done before,
the author should be able to get a patent on it, especially with the way the
USPTO is working these days ;)

Seriously, here's a short algorithm which shows what happens:

DEFINE PE HEADER as CODE WHICH LAUNCHES VIRAL BODY FOR PE EXECUTABLES
DEFINE ELF HEADER as CODE WHICH LAUNCHES VIRAL BODY FOR ELF EXECUTABLES

REM BEGIN VIRAL BODY

PROCEDURE INFECTFILES
	BEGIN
		FOREACH $FILE in $DIRECTORY
			IF $FILE is a DIRECTORY (NOT ..)
				RECURSE
			ELSE IF $FILE is executable
				IF $FILE is PE format
					WRITE PE HEADER TO $FILE
					WRITE THIS BODY TO $FILE
				ELSE IF $FILE is ELF FORMAT
					WRITE ELF HEADER TO $FILE
					WRITE THIS BODY TO $FILE
	END

PROCEDURE MAIN
	BEGIN
		INFECTFILES ($DIRECTORY = CURRENT WORKING DIRECTORY PARENT)
		REM Here, we simply run the actual code, rather than the infected
		REM portion
		RUN INFECTED PROGRAM
	END

REM END VIRAL BODY

As you can see, nothing terribly special. Writing it in assembler was hardly
even necessary. Even with differing kernel calls, you could simply duplicate
the code, making the virus twice as large, and still have things work
correctly fairly easily.

This virus is nothing special, nor even frightening.
-- 
Michael J. Pedersen
My GnuPG KeyID: 4E724A60        My Public Key Available At: wwwkeys.pgp.net
My GnuPG Key Fingerprint: C31C 7E90 5992 9E5E 9A02 233D D8DD 985E 4E72 4A60
GnuPG available at http://www.gnupg.org
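The post describes a prepender that puts its own header at the front of an ELF file and pushes the original program to the end, and a PE variant that overwrites the entry code. The following is an added triage helper for that pattern; it is not code from the post or the list, and the sample images it checks are constructed in the script (a minimal ELF64 header with one PT_LOAD entry, and a bare MZ/PE header pair), not real files. It assumes little-endian ELF64 for the entry-point check and does no loading or execution of anything it inspects.

```python
"""Static triage for the dual-format pattern discussed above: classify a
file as PE or ELF, look for a second executable header embedded later in
the file (what a prepender that moves the original program to the end
leaves behind), and check that an ELF64 entry point lands inside an
executable PT_LOAD segment. Every sample image here is constructed for the
demonstration and is not a real executable or real malware."""
import struct

ELF_MAGIC = b"\x7fELF"
PE_SIG = b"PE\0\0"
PT_LOAD, PF_X = 1, 1


def _pe_at(data: bytes, pos: int) -> bool:
    """True if an MZ header at pos points (via e_lfanew at +0x3C) to a PE signature."""
    if data[pos:pos + 2] != b"MZ" or pos + 0x40 > len(data):
        return False
    pe_off = struct.unpack_from("<I", data, pos + 0x3C)[0]
    return data[pos + pe_off:pos + pe_off + 4] == PE_SIG


def file_format(data: bytes) -> str:
    """Classify by the leading header only: 'ELF', 'PE' or 'unknown'."""
    if data.startswith(ELF_MAGIC):
        return "ELF"
    if _pe_at(data, 0):
        return "PE"
    return "unknown"


def embedded_headers(data: bytes):
    """Offsets > 0 at which another ELF or PE header begins, sorted by offset."""
    hits = []
    pos = data.find(ELF_MAGIC, 1)
    while pos != -1:
        hits.append(("ELF", pos))
        pos = data.find(ELF_MAGIC, pos + 1)
    pos = data.find(b"MZ", 1)
    while pos != -1:
        if _pe_at(data, pos):
            hits.append(("PE", pos))
        pos = data.find(b"MZ", pos + 1)
    return sorted(hits, key=lambda h: h[1])


def elf64_entry_in_exec_segment(data: bytes) -> bool:
    """True if e_entry lies inside a PT_LOAD segment with PF_X (little-endian ELF64 only)."""
    if not data.startswith(ELF_MAGIC) or data[4] != 2 or data[5] != 1:
        raise ValueError("only little-endian ELF64 images are handled here")
    e_entry, e_phoff = struct.unpack_from("<QQ", data, 0x18)
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 0x36)
    for i in range(e_phnum):
        # Elf64_Phdr: p_type, p_flags, p_offset, p_vaddr, p_paddr, p_filesz, ...
        p_type, p_flags, _off, p_vaddr, _paddr, p_filesz = struct.unpack_from(
            "<IIQQQQ", data, e_phoff + i * e_phentsize)
        if p_type == PT_LOAD and p_flags & PF_X and p_vaddr <= e_entry < p_vaddr + p_filesz:
            return True
    return False


def triage(data: bytes):
    """Return (format, findings) for one in-memory file image."""
    findings = []
    fmt = file_format(data)
    for kind, off in embedded_headers(data):
        findings.append(f"second {kind} header at offset {off}")
    if fmt == "ELF" and data[4] == 2 and data[5] == 1 and not elf64_entry_in_exec_segment(data):
        findings.append("ELF entry point outside any executable PT_LOAD segment")
    return fmt, findings


def build_elf64(entry: int, seg_vaddr: int, seg_filesz: int) -> bytes:
    """Constructed minimal ELF64 image: one Elf64_Ehdr plus one R+X PT_LOAD Elf64_Phdr."""
    ident = ELF_MAGIC + bytes([2, 1, 1, 0]) + bytes(8)          # class 64, LE, version 1
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH",
                               2, 62, 1, entry, 64, 0, 0, 64, 56, 1, 64, 0, 0)
    phdr = struct.pack("<IIQQQQQQ", PT_LOAD, PF_X | 4, 0,
                       seg_vaddr, seg_vaddr, seg_filesz, seg_filesz, 0x1000)
    return ehdr + phdr


# Constructed samples (hypothetical images, 120-byte headers plus filler).
CLEAN_ELF = build_elf64(0x401000, 0x400000, 0x2000) + bytes(16)
PREPENDED_ELF = build_elf64(0x400078, 0x400000, 0x80) + CLEAN_ELF   # stub, then original
BAD_ENTRY_ELF = build_elf64(0x500000, 0x400000, 0x2000)             # entry outside segment
MINIMAL_PE = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40) + PE_SIG

if __name__ == "__main__":
    for name, img in [("clean", CLEAN_ELF), ("prepended", PREPENDED_ELF),
                      ("bad-entry", BAD_ENTRY_ELF), ("pe", MINIMAL_PE)]:
        print(name, triage(img))
```

The second-header scan is the check that actually matches the prepender described in the post: since the original program is carried intact behind the inserted stub, its own ELF or PE magic survives at a non-zero offset. The entry-point check is a separate, more general sanity test and says nothing on its own about a prepender, because the stub's header is well-formed by design; both are cheap enough to run over a whole directory of binaries before any deeper analysis.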
