The ELF Virus Writing HOWTO

Introduction

Alexander Bartolich

alexander.bartolich@gmx.at

Revision History
Revision: I'm not a nerd - I'm "socially challenged" (2003-01-07)
Rewrote segment scanner in C. Required changes to infector framework. Now supports 64-bit ELF.

This document describes how to write parasitic file viruses infecting ELF executables. Though it contains a lot of source code, no actual virus is included. Every mentioned infection method is accompanied with a practical guide to detection.

Viruses are not a threat to Linux! [1]

A quote from Rick's Rant on anti-virus software: [2]

The problem with answering this question is that those asking it know only OSes where viruses, trojan-horse programs, worms, nasty Java scripts, ActiveX controls with destructive payloads, and ordinary misbehaved applications are a constant threat to their computing. Therefore, they refuse to believe Linux could be different, no matter what they hear. And yet it is.


Table of Contents
1. Introduction
1.1. What exactly is a virus?
1.2. Worm vs. virus
1.3. Freedom is security
1.4. Copyright & trademarks
1.5. Disclaimer
1.6. Credits
1.7. Feedback
2. Platforms
2.1. Executable and linkable format
2.2. Assembly language documentation
2.3. Assemblers and disassemblers
2.4. Be fertile and reproduce
2.5. i386-redhat7.3-linux
2.6. sparc-debian2.2-linux
2.7. sparc-sunos5.7
3. One step closer to the edge (i)
3.1. print_errno
3.2. Conditional output
3.3. trace_infector.h
3.4. trace_scanner.h
3.5. target.h
3.6. check.h
3.7. main
3.8. target_open_src
3.9. target_close
3.10. target_is_elf
3.11. target_get_seg
4. Scratch pad (i)
4.1. print_summary #1
4.2. target_action #1
4.3. target_patch_entry_addr #1
4.4. target_open_dst
4.5. target_write_infection #1
4.6. Dressing up binary code
5. Scanners (i)
5.1. Finding targets
5.2. Driver scripts
5.3. Scan entry point
5.4. Scan segments
5.5. Scan file size
6. Segment padding infection (i)
6.1. _SC_PAGESIZE
6.2. The plan
6.3. target_new_entry_addr #1
6.4. target_patch_phdr #1
6.5. target_patch_shdr #1
6.6. target_copy_and_infect #1
7. Remote shell trojan (i)
7.1. Three years later
7.2. The lighter side
7.3. Another three months later
7.4. The serious side
7.5. Another theory
7.6. Intrusion detection systems
A. GNU Free Documentation License
B. GNU General Public License
C. Revision history
C.1. Revisions
C.2. Road map
C.3. Random links
D. Mirrors
D.1. Do it yourself
D.2. Some emails

Notes

[1] The first release of this document covered only Linux/i386. Among the platforms using ELF it is considered the most viable for virus spread.

[2] http://linuxmafia.com/~rick/faq/#virus