The ELF Virus Writing HOWTO

Introduction

Alexander Bartolich

alexander.bartolich@gmx.at

Revision History
Revision "We had joy, we had fun, we had seasons on a Sun." (2002-10-23)
Very big modifications in the first part of the platform specific part. Started port to sparc-sunos5.7.

This document describes how to write parasitic file viruses that infect ELF executables. Though it contains a lot of source code, no actual virus is included. Every infection method mentioned is accompanied by a practical guide to detecting it.

Viruses are not a threat to Linux! [1]

A quote from Rick's Rant on anti-virus software: [2]

The problem with answering this question is that those asking it know only OSes where viruses, trojan-horse programs, worms, nasty Java scripts, ActiveX controls with destructive payloads, and ordinary misbehaved applications are a constant threat to their computing. Therefore, they refuse to believe Linux could be different, no matter what they hear. And yet it is.


Table of Contents
1. Introduction
1.1. What exactly is a virus?
1.2. Worm vs. virus
1.3. Freedom is security
1.4. Copyright & trademarks
1.5. Disclaimer
1.6. Credits
1.7. Feedback
2. Platforms
2.1. Executable and linkable format
2.2. Assembly language documentation
2.3. Assemblers and disassemblers
2.4. Be fertile and reproduce
2.5. i386-redhat7.3-linux
2.6. sparc-debian2.2-linux
2.7. sparc-sunos5.7
3. One step closer to the edge (i)
3.1. Dressing up binary code
3.2. target.h
3.3. main
3.4. target_open
3.5. target_close
3.6. target_is_suitable
3.7. target_patch_entry_addr #1
3.8. target_write_infection #1
4. Segment padding infection (i)
4.1. The plan
4.2. target_new_entry_addr
4.3. target_patch_phdr
4.4. target_patch_shdr
4.5. target_copy_and_infect
5. Remote shell trojan (RST) (i)
5.1. Three years later
5.2. The lighter side
5.3. Another three months later
5.4. The serious side
5.5. Another theory
5.6. Intrusion detection systems
6. Scanners (i)
6.1. Driver scripts
6.2. Scan segment padding
6.3. Scan entry point
A. GNU Free Documentation License
B. GNU General Public License
C. Revision history
C.1. Revisions
C.2. Road map
C.3. Random links
D. Mirrors
D.1. Do it yourself
D.2. Some emails

Notes

[1] The first release of this document covered only Linux/i386. Among the platforms using ELF it is considered the most viable for virus spread.

[2] http://linuxmafia.com/~rick/faq/#virus