The ELF Virus Writing HOWTO

redhat-linux-i386

Alexander Bartolich

alexander.bartolich@gmx.at

Revision History
Revision "When a camel flies, no one laughs if it doesn't get very far." 2002-06-30
Renamed document. Restructured "The magic of the ELF". Links to other sites are now footnotes. Many portability issues.

This document describes how to write parasitic file viruses that infect ELF executables on Linux/i386. Though it contains a lot of source code, no actual virus is included. Every infection method mentioned is accompanied by a practical guide to its detection.

This is work in progress. The expected outcome is convincing evidence that popular distributions already contain everything necessary to develop, detect and control viruses, and that it takes considerable cooperation or outright negligent behavior to give viruses any foothold.

Viruses are not a threat to Linux!

A quote from Rick's Rant on anti-virus software: [1]

The problem with answering this question is that those asking it know only OSes where viruses, trojan-horse programs, worms, nasty Java scripts, ActiveX controls with destructive payloads, and ordinary misbehaved applications are a constant threat to their computing. Therefore, they refuse to believe Linux [2] could be different, no matter what they hear. And yet it is.
Table of Contents
1. Introduction
1.1. Behind the stages
1.2. Copyright & trademarks
1.3. Disclaimer
1.4. Credits
1.5. Feedback
2. Before we start
2.1. What exactly is a virus?
2.2. Worm vs. virus
2.3. Freedom is security
3. The magic of the ELF
3.1. Executable and linkable format
3.2. Portability
3.3. In the language of mortals
3.4. How it works
3.5. Strings and dumps
3.6. The address of main
3.7. Other roads to ELF
4. The language of evil
4.1. In doubt use force
4.2. In the language of evil
5. readelf
5.1. Bashful glance
5.2. Turn the pages
5.3. The plan
5.4. Paranoid android
6. One step closer to the edge
6.1. INFECTION_SIZE
6.2. Target::infection
6.3. main
6.4. The opening
6.5. isSuitable
6.6. Patch entry address
6.7. Patching program headers
6.8. Patching section headers
6.9. Copy & infect
6.10. writeInfection
6.11. Off we go
7. A closer look
7.1. First scan
7.2. Looking around
7.3. Second scan
8. The entry point
8.1. Disassemble it again, Sam
8.2. patchEntryAddr 2.0
8.3. Second verse, same as the first
8.4. Use the Source, Luke
8.5. patchEntryAddr 3.0
8.6. Two is company, three is an orgy
9. Remote shell trojan (RST)
9.1. Three years later
9.2. The lighter side
9.3. Another three months later
9.4. The serious side
9.5. Another theory
10. Additional code segments
10.1. Magic of the GNU
10.2. A simple plan
10.3. patchPhdr
10.4. newEntryAddr
10.5. patchShdr
10.6. copyAndInfect
10.7. To serve & detect
11. Doing it in C
11.1. System calls
11.2. Position independent code
11.3. writeInfection
11.4. A section called .text
11.5. The stub
11.6. All together now
11.7. Off we go again
12. The stub revisited
12.1. Disassembly
12.2. Stack dump
12.3. Another look at the source
12.4. A few bytes on the stack
12.5. First implementation
12.6. First test
12.7. Second implementation
12.8. Second test
13. Suspicious code
13.1. Extracting sections
A. GNU Free Documentation License
B. GNU General Public License
C. Revision history
C.1. Revisions
C.2. Road map
C.3. Random links
D. Mirrors
D.1. Do it yourself
D.2. Some emails

Notes

[1]

http://linuxmafia.com/~rick/faq/#virus

[2]

The first release of this document covered only Linux/i386.