The Linux Virus Writing HOWTO

post link-time code modification of ELF executables under Linux/i386.

Alexander Bartolich

alexander.bartolich@gmx.at

Copyright © 2002 by Alexander Bartolich

Revision History
Revision All warranty and guarantee clauses become null and void upon payment of invoice.	2002-06-23
Big modifications in The magic of the Elf. Finished The stub revisited. Major internal changes. Spreading to other platforms is near.

This document describes how to write parasitic file viruses infecting ELF executables on Linux/i386. Though it contains a lot of source code, no actual virus is included. Every mentioned infection method is accompanied with a practical guide to detection.

This is work in progress. Expected outcome is convincing evidence that popular distributions contain everything necessary to develop, detect and control viruses. And that it requires considerable cooperation or outright negligent behavior to give viruses any foothold.

Viruses are not a threat to Linux!

A quote from Rick's Rant on anti-virus software:

The problem with answering this question is that those asking it know only OSes where viruses, trojan-horse programs, worms, nasty Java scripts, ActiveX controls with destructive payloads, and ordinary misbehaved applications are a constant threat to their computing. Therefore, they refuse to believe Linux could be different, no matter what they hear. And yet it is.

Table of Contents

1. Introduction

1.1. Behind the stages
1.2. Copyright & trademarks
1.3. Disclaimer
1.4. Credits
1.5. Feedback

2. Before we start

2.1. What exactly is a virus?
2.2. Worm vs. virus
2.3. Freedom is security

3. The magic of the Elf

3.1. Executable and linkable format
3.2. The language of mortals
3.3. How it works
3.4. Showing off some tools
3.5. The address of main
3.6. In doubt use force
3.7. The language of evil
3.8. Other roads to ELF

4.1. Bashful glance
4.2. Turn the pages
4.3. The plan
4.4. Paranoid android

5. One step closer to the edge

5.1. INFECTION_SIZE
5.2. Target::infection
5.3. main
5.4. The opening
5.5. isSuitable
5.6. Patch entry address
5.7. Patching program headers
5.8. Patching section headers
5.9. Copy & infect
5.10. writeInfection
5.11. Off we go

6. A closer look

6.1. First scan
6.2. Looking around
6.3. Second scan

7. The entry point

7.1. Disassemble it again, Sam
7.2. patchEntryAddr 2.0
7.3. Second verse, same as the first
7.4. Use the Source, Luke
7.5. patchEntryAddr 3.0
7.6. Two is company, three is an orgy

8. Remote shell trojan (RST)

8.1. Three years later
8.2. The lighter side
8.3. Another three months later
8.4. The serious side
8.5. Another theory

9. Additional code segments

9.1. A simple plan
9.2. patchPhdr
9.3. newEntryAddr
9.4. patchShdr
9.5. copyAndInfect
9.6. To serve & detect

10. Doing it in C

10.1. System calls
10.2. Position independent code
10.3. writeInfection
10.4. A section called .text
10.5. The stub
10.6. All together now
10.7. Off we go again

11. The stub revisited

11.1. Disassembly
11.2. Stack dump
11.3. Another look at the source
11.4. A few bytes on the stack
11.5. First implementation
11.6. First test
11.7. Second implementation
11.8. Second test

12. Suspicious code

12.1. Extracting sections

A. GNU Free Documentation License

B. GNU General Public License

C. Revision history

C.1. Revisions
C.2. Road map
C.3. Random links

D.1. Do it yourself
D.2. Some emails

		Next
		Introduction