Subject: "Virus Construction HowTos" found on the uni-linz network (fwd)
From: Herbert Rosmanith
Date: Tue, 19 Mar 2002 17:22:53 +0100 (MET)
To: k3032e4@wildsau.idv-edu.uni-linz.ac.at (Alexander Bartolich)

----- Forwarded message from Ferdinand Goldmann -----

>From Ferdinand.Goldmann@zid.uni-linz.ac.at Tue Mar 19 14:23:44 2002
Return-Path:
Received: from alijku01.edvz.uni-linz.ac.at (alijku01.edvz.uni-linz.ac.at [140.78.2.62])
        by wildsau.idv-edu.uni-linz.ac.at (8.11.6/8.11.6) with ESMTP id g2JDNhX30899
        for ; Tue, 19 Mar 2002 14:23:44 +0100
Received: from control.edvz.uni-linz.ac.at (k000181@control.edvz.uni-linz.ac.at [140.78.4.60])
        by alijku01.edvz.uni-linz.ac.at (8.12.1/8.12.1) with ESMTP id g2JDPdOl028426;
        Tue, 19 Mar 2002 14:25:39 +0100
Date: Tue, 19 Mar 2002 14:25:37 +0100 (CET)
From: Ferdinand Goldmann
X-X-Sender: k000181@control.edvz.uni-linz.ac.at
Reply-To: netadmin@jku.at
To: herp@wildsau.idv-edu.uni-linz.ac.at
Subject: "Virus Construction HowTos" found on the uni-linz network (fwd)
Message-ID:

Hi Herp,

For your kind attention. [:-)]

-- 
>> Ferdinand Goldmann
>> EMail: Ferdinand.Goldmann@zid.uni-linz.ac.at
>> Tel. : +43/732/2468/9398   Fax. : +43/732/2468/9397

---------- Forwarded message ----------
Date: Tue, 19 Mar 2002 14:20:17 +0100
From: Thomas_Steiner@NAI.com
To: netadmin@jku.at
Subject: "Virus Construction HowTos" found on the uni-linz network

Dear Sir or Madam,

Our antivirus team reports that instructions for constructing Linux computer viruses are located on the University of Linz network. Since these documents can be used as a blueprint for creating more dangerous viruses, we recommend removing the pages in question from the WWW servers.

The link is: http://wildsau.idv.uni-linz.ac.at/~k3032e4/

Kind regards,
DI Thomas Steiner
Network Associates, Inc.
========================================================================
MSS-VX-News [Clipping]: < dex.html>
Web-News Priority: 3 [out of 1-3]
Comment: NEW Article -- [March 15, 2002]
========================================================================

The Linux Virus Writing And Detection HOWTO
post link-time code modification of ELF executables under Linux/i386

Abstract

    Measurement is the foundation of science.

This document describes how to write parasitic file viruses infecting ELF executables on Linux/i386. Though it contains a lot of source code, no actual virus is included. Unfinished snapshot taken on 2002-03-17.

    What we do not understand we do not possess.

Table of Contents

    Introduction < dex.html#INTRO>
    Before we start < fore_we_start.html>
    The magic of the Elf < gic_of_elf.html>
    readelf < adelf.html>
    One step closer to the edge < e_step_closer.html>
    The entry point < try_point.html>
    Additional code segments < ditional_cs.html>

Introduction

In the tradition of release early, release often, this document escaped version control at an immature stage. General direction and structure are not yet fixed. Big changes are likely. You might want to look at the discussion on LDP-discuss. For the time being you will find the complete source of this release and all previous versions here.

Writing a program that inserts code into another program file is one thing. Writing that program so that it can be injected itself is a very different art. Although this document shows a lot of code and technique, it is far from being a "Construction Kit For Dummies". Instead I'll try to show how things work. Translation of infecting code to assembly is left as a (non-trivial) exercise to the reader.

An astonishing number of people think that viruses require secret black magic. Here you will find simple code that patches other executables.
But since regular users can't overwrite system files (we are talking about serious operating systems here), that is not even half the journey. To make any impact you need root permissions, either by tricking the super user into running your virus or by combining it with a root exploit. And since all popular distributions come with checksum mechanisms, a single command can detect any modification. Unless you implement kernel-level stealth functionality...

I do believe that free software is superior, at least in regard to security. And I strongly oppose the argument that Linux viruses will flourish once it reaches a critical mass of popularity. On the contrary, I question the credibility of people whose income relies on widespread use of ridiculously insecure operating systems. This document is my way to fight the FUD. Use the information presented here in any way you like. I bet that Linux will only grow stronger.

Behind the stages

All sections titled "Output" are the real product of source code and shell scripts included in this document. Most numbers and calculations are processed by a perl script parsing these output files. The document itself is written in DocBook, a SGML document type definition. Conversion to HTML is the last step of a Makefile that builds and runs all examples. I used an installation of RedHat 7.2 for development. All required tools are contained on the freely downloadable CDs.

Copyright Information

This document is copyrighted (c) 2002 Alexander Bartolich and is distributed under the terms of the Linux Documentation Project (LDP) license, stated below.

Unless otherwise stated, Linux HOWTO documents are copyrighted by their respective authors. Linux HOWTO documents may be reproduced and distributed in whole or in part, in any medium physical or electronic, as long as this copyright notice is retained on all copies.
Commercial redistribution is allowed and encouraged; however, the author would like to be notified of any such distributions.

All translations, derivative works, or aggregate works incorporating any Linux HOWTO documents must be covered under this copyright notice. That is, you may not produce a derivative work from a HOWTO and impose additional restrictions on its distribution. Exceptions to these rules may be granted under certain conditions; please contact the Linux HOWTO coordinator at the address given below.

In short, we wish to promote dissemination of this information through as many channels as possible. However, we do wish to retain copyright on the HOWTO documents, and would like to be notified of any plans to redistribute the HOWTOs. If you have any questions, please contact

Disclaimer

No liability for the contents of this document can be accepted. Use the concepts, examples and other content at your own risk. As this is a new edition of this document, there may be errors and inaccuracies that may of course be damaging to your system. Proceed with caution; the author does not take any responsibility.

Who am I kidding? This is dangerous stuff! Stop reading immediately or risk lethal pollution of your systems!

All copyrights are held by their respective owners, unless specifically noted otherwise. Use of a term in this document should not be regarded as affecting the validity of any trademark or service mark. Naming of particular products or brands should not be seen as endorsements.

You are strongly recommended to take a backup of your system before major installation and backups at regular intervals.

New Versions

2002-03-09. Unfinished excerpt sent to Linux Documentation Project.

2002-03-11. Unfinished excerpt sent to Linux Documentation Project.
  * Section One step closer to the edge < e_step_closer.html> rewritten & finished.

2002-03-14. Unfinished snapshot.
  * Added epigraphs to all sections, removed one offending paragraph on the way.
  * Added example for large scale scanning in The plan < adelf.html#THE_PLAN>.
  * Started section The entry point < try_point.html>.
  * Started Credits < dex.html#CREDITS>.

2002-03-15. Unfinished snapshot.
  * First working example in The entry point < try_point.html>.
  * Lots of small fixes about everywhere.
  * Renamed from "The Linux Virus Writing HOWTO".

2002-03-17. Unfinished snapshot.
  * Inserted section Before we start < fore_we_start.html>.
  * Finished section The entry point < try_point.html>. Fixed a silly bug in the output of the heuristic scanner.
  * Started Additional code segments < ditional_cs.html>.

Credits

Everything in this document is either plain obvious or has been written by someone else a long time ago. My meager contribution is nice formatting, reproducibility and the idea to take the subject to mainstream media. But I'm certainly not innovative.

Silvio Cesare. Founder of the trade. Keeper of the source. Check out <> and admire the release date.

John Reiser. Found one bug and two superfluous bytes in In the language of evil < gic_of_elf.html#EVIL-MAGIC>. Proved that I can't code a straight 23 byte "Hello World".

paddingx. Contributed technical details and implementation for Additional code segments < ditional_cs.html>.

A lot of people helped me shape the language and ethical position of this document (sorted by perl, blame Larry): Charles Curley, David Merrill, Gary Lawrence Murphy, Greg Ferguson, Marinho Paiva Duarte, Martin Wheeler, QuickFox of kuro5hin, Steve Sanfratello.

Feedback

Feedback is most certainly welcome for this document. Please send your additions, comments and criticisms to the following email address:

Next >>> Before we start < fore_we_start.html>

Cheers!

Patrick R. Mullen
Dir. of Engineering
Mullen Scientific Software
1686 State Route 69
Parish, NY 13131
Office: (315) 625-4660
Cell: (315) 243-8367
prmullen@starband.net [Office]
prmullen@dreamscape.com [Backup]
MSS.LabGroup@starband.net [Virus Lab]

"Whatever nature has in store for mankind, unpleasant as it may be, men must accept, for ignorance is never better than knowledge." --Enrico Fermi

> ________________________________________________________________
>
> Thomas Steiner
> Network Associates Software Development GmbH
> Pulvermuehlstrasse 17a
> A-4040 Linz
>
> E-mail thomas_steiner@nai.com
> PGP Fingerprint 1709 A5F4 252B 8545 AEEA FC61 7397 2B06 7B07 3585
> Tel +43 (0)732-757244-13
> Fax +43 (0)732-757244-20
>
> ----- End of forwarded message from Ferdinand Goldmann -----