You cannot have a science without measurement.
R. W. Hamming
Writing a program that inserts code into another program file is one thing. Writing that program so that it can itself be injected is a very different art. Although this document shows a lot of code and technique, it is far from being a "Construction Kit For Dummies". You can't build a working virus just by copying whole lines from this text. Instead I'll try to show how things work. Translating the infecting code into assembly is left as a (non-trivial) exercise for the reader.
An astonishing number of people think that viruses require secret black magic. Here you will find simple code that patches other executables. It is not hard to write a virus (once you have a good understanding of assembler, compiler, linker and operating system). It is just hard to make it have any impact.
Regular users can't overwrite system files (at least under serious operating systems), so you need root permissions. You can either trick the superuser into running your virus, or combine it with a root exploit. But since all popular distributions ship with checksum mechanisms, a single command can detect any modification of an installed file. Unless you implement kernel-level stealth functionality…
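The check the paragraph above alludes to, as an added example that is not part of the HOWTO: a manifest of SHA-256 digests is taken while the files are trusted, and any later change, such as a file infector appending its code to an executable, shows up as a digest mismatch. On the RedHat system the HOWTO was written on, `rpm -Va` does the same job against the package database; the script below builds its own manifest so it runs anywhere with GNU coreutils and a POSIX sh. The directory layout, file names and "payload" are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the HOWTO): detect modified executables by
# comparing them against a digest manifest taken while they were trusted.
# Assumes GNU coreutils (sha256sum, find -print0, sort -z) and POSIX sh.
# Paths and file contents below are constructed for the demonstration.

# Record the SHA-256 digest of every regular file below directory $1
# in manifest file $2 (one "digest  path" line per file).
make_manifest() {
    find "$1" -type f -print0 | sort -z | xargs -0 sha256sum > "$2"
}

# Print the path of every file whose digest no longer matches manifest $1.
# Returns 0 when everything still matches, 1 when at least one file changed.
changed_files() {
    # sha256sum -c prints "path: FAILED" for each mismatch; --quiet drops the
    # OK lines, and stderr only carries a summary warning we do not need.
    changed=$(sha256sum -c --quiet "$1" 2>/dev/null | sed -n 's/: FAILED.*$//p')
    if [ -n "$changed" ]; then
        printf '%s\n' "$changed"
        return 1
    fi
    return 0
}

# Build two toy executables, snapshot them, then tamper with one the way a
# file infector would (append a payload) and see whether the check notices.
# Prints the flagged path(s); returns 0 when the tampering was detected.
demo() {
    work=$(mktemp -d)
    mkdir "$work/bin"
    printf '#!/bin/sh\necho hello\n' > "$work/bin/hello"
    printf '#!/bin/sh\necho world\n' > "$work/bin/world"
    chmod 755 "$work/bin/hello" "$work/bin/world"
    # The manifest lives outside $work/bin so it is not part of what it covers.
    make_manifest "$work/bin" "$work/manifest"

    # Simulated infection: code appended to one executable only.
    printf '\n# injected payload\n' >> "$work/bin/hello"

    if changed_files "$work/manifest"; then
        rc=1    # nothing flagged: the modification went unnoticed
    else
        rc=0    # the modified file was reported
    fi
    rm -rf "$work"
    return $rc
}

demo
```

Running the script prints only the path of `hello`; `world` is untouched and stays silent. The caveat that matters in practice is where the manifest lives: once the attacker has root, which is the premise of the paragraph, a manifest (or an RPM database) on the same disk can simply be regenerated, and a kernel-level stealth module can feed the checker the original bytes while the infected ones are what actually runs. Keep the reference digests on read-only or offline media and compare from a clean boot if the result is to mean anything.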
I do believe that free software is superior, at least in regard to security. And I strongly oppose the argument that Linux viruses will flourish once it reaches a critical mass of popularity. On the contrary I question the credibility of people whose income relies on widespread use of ridiculously insecure operating systems.
This document is my way to fight the FUD. Use the information presented here in any way you like. I bet that Linux will only grow stronger.
All sections titled "Output" are the real output of source code and shell scripts included in this document. Most numbers and calculations are produced by a Perl script parsing these output files. The document itself is written in DocBook, an SGML document type definition. Conversion to HTML is the last step of a Makefile that builds and runs all examples.
I used an installation of RedHat 7.2 for development. The freely downloadable CDs contain all necessary tools.
This document is not yet officially accepted by LDP. You might want to look at the discussion on LDP-discuss. For the time being you will find the document at these sites:
| Location | Organization |
|---|---|
| Austria | enemy.org |
| Austria | synflood.at |
| Germany | Andreas Thienemann |
| USA | Laramie Wyoming Freenix User's Group |
| USA | Peaceful Action |
Geographic location is based on http://netgeo.caida.org/perl/netgeo.cgi. An interesting variation on the topic is the applet at http://visualroute.visualware.com. Anyway, in two cases people convinced me that their server really is somewhere else.
Every site hosts the complete source of this release and of all previous versions: ../../archive.
Copyright (c) 2002 Alexander Bartolich
Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.1 or any later version published by the Free Software Foundation; with no Invariant Sections, with no Front-Cover Texts, and with no Back-Cover Texts.
All accompanying source code, build scripts and makefiles are free software; you can redistribute them and/or modify them under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.
All copyrights are held by their respective owners, unless specifically noted otherwise. Use of a term in this document should not be regarded as affecting the validity of any trademark or service mark.
Naming of particular products or brands should not be seen as endorsements.
No liability for the contents of this document can be accepted. Use the concepts, examples and other content at your own risk. As this is a new edition of this document, there may be errors and inaccuracies that may of course be damaging to your system. Proceed with caution; the author does not take any responsibility.
All software is distributed in the hope that it will be useful, but without any warranty; without even the implied warranty of merchantability or fitness for a particular purpose. See the GNU General Public License for more details.
Who am I kidding? This is dangerous stuff! Stop reading immediately or risk lethal pollution of your systems!
You are strongly recommended to back up your system before major installations, and to take backups at regular intervals.
Everything in this document is either plain obvious or has been written by someone else a long time ago. My meager contribution is nice formatting, reproducibility and the idea to take the subject to mainstream media. But I'm certainly not innovative.
Silvio Cesare. <silvio@big.net.au> Founder of the trade. Keeper of the source. Check out http://www.big.net.au/~silvio and admire the release date.
John Reiser. <jreiser@BitWagon.com> Found one bug and two superfluous bytes in In the language of evil. Proved that I can't code a straight 23 byte "Hello World".
paddingx. Contributed technical details and implementation for Additional code segments and Doing it in C.
Rick Moen. <rick@linuxmafia.com> Has very inspiring pages at http://linuxmafia.com/~rick/. And I shamelessly quote him in the abstract.
A lot of people helped me shape the language and ethical position of this document (sorted by perl(1), blame Larry): Charles Curley, Dave Wreski, David Merrill, Gary Lawrence Murphy, Greg Ferguson, Harald Wagener, Ian Turner, Marinho Paiva Duarte, Martin Wheeler, QuickFox of kuro5hin, Steve Sanfratello.
Feedback is most certainly welcome for this document. Please send your additions, comments, criticisms, flames and "contributions" to the following email address: <alexander.bartolich@gmx.at>
A few people sent me executables for that other operating system. I am very grateful for this kindness. But you should know that this document is about Linux only.
The document was initially hosted on a recreational machine at the University of Linz in Austria. German-speaking readers might find the exchange of emails between Network Associates, Inc. and the admin of the original web site interesting. There are rumors that this eventually led to the removal of my pages.
Anyway, university officials handled the matter in style. I can understand that they don't want to be associated with such delicate matters. No bad feelings there. But the technical expertise of a world class anti-virus company deserves a broad audience. Here is my humble translation of the first mail:
Dear Sirs,
Our anti-virus team reports that instructions for the construction of Linux computer viruses are located on the network of the University of Linz. Since these documents can be used as a building plan for the creation of dangerous viruses, we recommend removing the corresponding pages from the WWW server.
The link is: http://wildsau.idv.uni-linz.ac.at/~k3032e4/
Yours sincerely DI Thomas Steiner Network Associates, Inc.
The humorous reply is beyond my capabilities of translation. I'll just continue with the second mail from NAI.
Dear Mr. Rosmanith,
I must say that your ironic remarks do not contribute to easing the relationship between the University and the business world. The nature of your feedback gives cause for concern, especially since you don't object to the distribution of virus construction kits. This is sad and disturbing.
The reason for our advice is the tendency of affected companies to sue web providers (and Universities) offering malware or virus kits that act as a knowledge base for new virus derivatives for horrendous compensation.
Usually our warnings are received positively and are not answered with infantile ignorance, as in your case.
Hereby we have given you notice of the dangers.
Yours sincerely DI Thomas Steiner Network Associates, Inc.
A hilarious reply to this got no answer.