[lug] Scary precedent, W32.Winux virus
Michael J. Pedersen
marvin at keepthetouch.org
Wed Mar 28 16:08:33 MST 2001
On Wed, Mar 28, 2001 at 03:40:14PM -0700, D. Stimits wrote:
> > Did you see the actual code? How does it handle the two different
> > ABIs? What kind of header does it have? I'd like to see code that
> > can convince both Win and linux loaders that it's PE and ELF.
>
> I haven't seen the actual code, but I wondered some of the same things.
> I would guess it has two entry points to the code, and wouldn't mind
> seeing myself how the asm is compiled. On linux of course, you could
> trick the user into running some sort of compile or link, since the
> tools are always there; for windows there are likely a lot of ways you
> could attempt to insert inline object code that isn't checked for
> validity ahead of time. It would be interesting to run ldd on the code.
Disclaimer: I haven't seen the code, but I have read the reports, and thought
about the ways this could be done.
The code replaces the entry code for PE executables. If the PE area is too
small for that exe, then the file doesn't get infected. For ELF, it places
itself at the beginning of the file, and moves the real startup code to the
end.
Doing this would be fairly easy. Have a body of code which has two headers
available to it. One for PE, one for ELF. Write the correct header, which
calls the actual body of the code, and that's about it. Nothing special or
magical about it.
The only worthwhile thing about it is that since it hadn't been done before,
the author should be able to get a patent on it, especially with the way the
USPTO is working these days ;)
Seriously, here's a short algorithm which shows what happens:
DEFINE PE HEADER as CODE WHICH LAUNCHES VIRAL BODY FOR PE EXECUTABLES
DEFINE ELF HEADER as CODE WHICH LAUNCHES VIRAL BODY FOR ELF EXECUTABLES

REM BEGIN VIRAL BODY
PROCEDURE INFECTFILES
BEGIN
    FOREACH $FILE in $DIRECTORY
        IF $FILE is a DIRECTORY (NOT ..)
            RECURSE
        ELSE IF $FILE is executable
            IF $FILE is PE format
                WRITE PE HEADER TO $FILE
                WRITE THIS BODY TO $FILE
            ELSE IF $FILE is ELF FORMAT
                WRITE ELF HEADER TO $FILE
                WRITE THIS BODY TO $FILE
END

PROCEDURE MAIN
BEGIN
    INFECTFILES ($DIRECTORY = CURRENT WORKING DIRECTORY PARENT)
    REM Here, we simply run the actual code, rather than the infected
    REM portion
    RUN INFECTED PROGRAM
END
REM END VIRAL BODY
As you can see, nothing terribly special. Writing it in assembler was hardly
even necessary. Even with differing kernel calls, you could simply duplicate
the code, making the virus twice as large, and still have things work
correctly fairly easily.
This virus is nothing special, nor even frightening.
--
Michael J. Pedersen
My GnuPG KeyID: 4E724A60 My Public Key Available At: wwwkeys.pgp.net
My GnuPG Key Fingerprint: C31C 7E90 5992 9E5E 9A02 233D D8DD 985E 4E72 4A60
GnuPG available at http://www.gnupg.org
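The post's sketch hinges on two things it leaves implicit: telling a PE file from an ELF file, and, for PE, finding where the entry code lives in the file and whether there is room for an infector near the headers. The following is an added example (not code from the post and not W32.Winux's own code) that parses the documented PE/COFF and ELF header layouts to do exactly that: it identifies the format from the magic bytes, maps the PE AddressOfEntryPoint RVA to a file offset through the section table, and measures the unused space between SizeOfHeaders and the first section's raw data. The two sample images at the bottom are constructed in the script itself (a bare ELF64 header and a one-section PE32 stub), so it runs offline; their field values are assumptions chosen for illustration.

```python
"""Identify PE vs ELF and locate the PE entry point from the headers.

Added example, not from the original post or from the Winux sample.
Header offsets follow the public PE/COFF and ELF specifications.
"""
import struct

ELF_MAGIC = b"\x7fELF"
PE_SIGNATURE = b"PE\0\0"


def identify(data: bytes) -> dict:
    """Return a dict describing the executable format, or {"format": "unknown"}."""
    if data[:4] == ELF_MAGIC:
        return parse_elf(data)
    if data[:2] == b"MZ":
        return parse_pe(data)
    return {"format": "unknown"}


def parse_elf(data: bytes) -> dict:
    """Read e_ident, e_type, e_machine and e_entry from the ELF header."""
    ei_class, ei_data = data[4], data[5]      # 1/2 = 32/64-bit; 1/2 = LE/BE
    end = "<" if ei_data == 1 else ">"
    fmt = "HHII" if ei_class == 1 else "HHIQ"  # e_entry is 4 or 8 bytes
    e_type, e_machine, _ver, e_entry = struct.unpack_from(end + fmt, data, 16)
    return {"format": "ELF", "bits": 32 if ei_class == 1 else 64,
            "type": e_type, "machine": e_machine, "entry": e_entry}


def parse_pe(data: bytes) -> dict:
    """Walk MZ -> e_lfanew -> PE signature -> COFF -> optional header -> sections."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != PE_SIGNATURE:
        return {"format": "MZ"}               # plain DOS executable, no PE header
    coff = e_lfanew + 4
    machine, nsect, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]            # 0x10b PE32, 0x20b PE32+
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]   # AddressOfEntryPoint
    size_of_headers = struct.unpack_from("<I", data, opt + 60)[0]
    sections = []
    for i in range(nsect):
        s = opt + opt_size + 40 * i           # IMAGE_SECTION_HEADER is 40 bytes
        name = data[s:s + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, va, rsize, rptr = struct.unpack_from("<IIII", data, s + 8)
        sections.append((name, vsize, va, rsize, rptr))
    # The entry RVA is in memory terms; an infector patching the file on disk
    # must translate it through the section that contains it.
    entry_off = None
    for _name, vsize, va, rsize, rptr in sections:
        if va <= entry_rva < va + max(vsize, rsize):
            entry_off = rptr + (entry_rva - va)
            break
    # Slack between the end of the headers and the first section's raw data:
    # the "PE area" a header-resident infector would have to fit into.
    raw_ptrs = [s[4] for s in sections if s[3]]
    first_raw = min(raw_ptrs) if raw_ptrs else size_of_headers
    return {"format": "PE", "bits": 64 if magic == 0x20B else 32, "machine": machine,
            "entry_rva": entry_rva, "entry_offset": entry_off,
            "header_slack": first_raw - size_of_headers,
            "sections": [s[0] for s in sections]}


def build_sample_elf() -> bytes:
    """Constructed ELF64 x86-64 ET_EXEC header (header only, values assumed)."""
    ident = ELF_MAGIC + bytes([2, 1, 1, 0]) + b"\0" * 8
    return ident + struct.pack("<HHIQQQIHHHHHH", 2, 0x3E, 1, 0x401000,
                               64, 0, 0, 64, 56, 0, 64, 0, 0)


def build_sample_pe() -> bytes:
    """Constructed PE32 stub: one .text section at RVA 0x1000, raw offset 0x400."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                 # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)
    opt = bytearray(224)                                   # PE32 optional header
    struct.pack_into("<H", opt, 0, 0x10B)                  # Magic
    struct.pack_into("<I", opt, 16, 0x1000)                # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)              # ImageBase
    struct.pack_into("<I", opt, 60, 0x200)                 # SizeOfHeaders
    sect = (b".text".ljust(8, b"\0")
            + struct.pack("<IIII", 0x200, 0x1000, 0x200, 0x400) + b"\0" * 16)
    image = bytearray(dos + PE_SIGNATURE + coff + opt + sect)
    image += b"\0" * (0x600 - len(image))                  # pad to cover .text
    return bytes(image)


if __name__ == "__main__":
    for blob in (build_sample_elf(), build_sample_pe(), b"#!/bin/sh\n"):
        print(identify(blob))
```

Note that the slack figure is what decides the "PE area is too small" case the post describes: with the constructed PE32 stub there are 0x200 bytes between the end of the headers and `.text`, whereas a file whose first section starts right at SizeOfHeaders has none. For ELF the script only reports e_entry, since the post says the infector prepends itself and relocates the original start code rather than squeezing into the header.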