Re: Linux file virus, 8759 bytes, is this a known virus?

From: RainbowHat <nHiATlE@blSackholeP.mAit.edMu.invalid>
Date: Thu, 7 Mar 2002 16:21:15 +0000 (UTC)


< Mike Ingle
>While cleaning up a rooted Linux server, I found it infected with a virus
>that came along with one of the cracker's tools. The virus infects ELF
>executables, making them 8759 bytes longer. When an infected program is run,
>it forks, and the extra process goes to work infecting more files.

Generally Linux (Unix) ELF viruses are not as effective as on poor
Windoze because we have the concepts of 'permission' and 'user ID'. A
trojan (local backdoor mission) (not a virus) can fork other processes
and setuid root. But a trojan has no propagation mechanism. A good
(bad?) trojan has the same file size and time stamps. But a loose
(good?) trojan increases the file size.

Have you really confirmed that other ELFs increase by 8759 bytes after
(when) you ran the infected ELF binary? And did you run it as root or
another account? If not root, you (the virus) can't write /bin, /sbin,
/usr/bin, /usr/sbin,... Or only the files you have permission for in the
current directory?

>Is this a known virus? If so, where can I read more about it? If not, and if
>anyone wants to study it, please send me an email. I have a specimen that
>will reproduce in a DemoLinux 3.0 test environment. I also wrote a scan and
>detect utility to help clean up the machine.

What is DemoLinux 3.0? I can't say which virus, which variant, or
whether it is known or unknown, because the characteristic information
is too little. The only useful characteristic information you gave is
the 8759 bytes. The others are general virus attributes. I'd like to
know more about it but I don't like email so I can't send you an email
:) Why don't you disclose more detail here even though you have written
a detect and clean-up utility? Have you disassembled it? Does this virus
part use shared libraries or is it statically linked?

The RST and RST.b ELF viruses insert 4096 bytes:
 4,096 bytes bootstrap segment (text segment)
 2,877 bytes trojan code.
Please check;

ls -l /dev/hdx*
ls -l /tmp/*gtkrc*
strings ./_your_virus_
netstat -atunp
/usr/sbin/lsof -n -i

>The virus appends itself at the end of the file. Once it's running, any file
>you write gets hit immediately. Even if you write all but the last byte, and
>then later add the last byte, the virus infects the file as soon as the last
>byte is written out. It also seems to infect programs that are run but not
>written to or changed. Occasionally the infected programs hang. I couldn't
>get it to infect while under 'strace'.
>
>This virus caused me an unpleasant day, as I tried to figure out why
>freshly reinstalled RPMs still had bad MD5 values. Finally I had to make a
>list of bad RPMs and reinstall them in single user mode, then write a detect
>utility to get rid of stray infected executables. I found a uuencoded file in
>the cracker's hidden directory with the virus in it, so the cracker either
>deliberately infected the machine, or accidentally brought the virus along.

Perhaps /bin/rpm and your detect utility are already infected.

http://www.qualys.com/alert/remoteshell.html
http://www.qualys.com/alert/remoteshellb.html
http://www.securiteam.com/unixfocus/5MP022K5GE.html
http://online.securityfocus.com/archive/75/213221

http://www.big.net.au/~silvio/elf-pv.txt
http://www.big.net.au/~silvio/unix-viruses.txt
http://www.big.net.au/~silvio/siilov.txt
http://www.big.net.au/~silvio/vit.txt
http://hcunix.7350.org/grugq/doc/subversiveld.pdf

-- 
HTH, 
RainbowHat. Windoze is not trademark. Unix is not trademark already.
----+----1----+----2----+----3----+----4----+----5----+----6----+----7
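The thread describes an infector that appends itself to the end of ELF executables (8759 bytes in Mike Ingle's case) and a clean-up that had to be done from single-user mode after the system's own tools were hit. The script below is an added example, written for this page and not code from either poster or from any tool they mention: it parses the ELF header, program headers and section headers, computes the highest file offset the headers account for, and reports any bytes past that point as an "overlay", which is exactly what an append-style infector leaves behind. The minimal ELF builder is constructed sample input so the check runs offline; the 8759-byte payload size is only borrowed from the original report and is not a signature of anything.

```python
"""Flag ELF files whose on-disk size exceeds what their headers account for.

An appending infector leaves an "overlay": bytes past the last section,
segment or header table. Added example, not from the original post; the
minimal ELF builder below is constructed here purely as sample input.
"""
import os
import struct
import sys

ELF_MAGIC = b"\x7fELF"
SHT_NOBITS = 8  # section has no file bytes (.bss): ignore sh_size for it


def described_end(data: bytes) -> int:
    """Highest file offset covered by the ELF header, the program and
    section header tables, and every segment/section with file-backed bytes."""
    if data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    is64 = data[4] == 2
    end = "<" if data[5] == 1 else ">"          # EI_DATA: 1 = little-endian
    if is64:
        ehdr = struct.unpack_from(end + "16sHHIQQQIHHHHHH", data, 0)
        ph_fmt, sh_fmt = end + "IIQQQQQQ", end + "IIQQQQIIQQ"
    else:
        ehdr = struct.unpack_from(end + "16sHHIIIIIHHHHHH", data, 0)
        ph_fmt, sh_fmt = end + "IIIIIIII", end + "IIIIIIIIII"
    (_, _, _, _, _, phoff, shoff, _, ehsize,
     phentsize, phnum, shentsize, shnum, _) = ehdr

    extents = [ehsize, phoff + phentsize * phnum, shoff + shentsize * shnum]
    for i in range(phnum):
        ph = struct.unpack_from(ph_fmt, data, phoff + i * phentsize)
        # ELF64 Phdr: type, flags, offset, vaddr, paddr, filesz, memsz, align
        # ELF32 Phdr: type, offset, vaddr, paddr, filesz, memsz, flags, align
        p_offset, p_filesz = (ph[2], ph[5]) if is64 else (ph[1], ph[4])
        extents.append(p_offset + p_filesz)
    for i in range(shnum):
        sh = struct.unpack_from(sh_fmt, data, shoff + i * shentsize)
        sh_type, sh_offset, sh_size = sh[1], sh[4], sh[5]
        extents.append(sh_offset if sh_type == SHT_NOBITS else sh_offset + sh_size)
    return max(extents)


def overlay_size(data: bytes) -> int:
    """Bytes present after everything the headers describe (0 for a clean
    layout; negative means the headers claim more than the file holds)."""
    return len(data) - described_end(data)


def scan_tree(root: str):
    """Yield (path, overlay) for every ELF file under root with a non-zero overlay."""
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as f:
                    data = f.read()
            except OSError:
                continue
            if data[:4] != ELF_MAGIC or len(data) < 52:
                continue
            try:
                ov = overlay_size(data)
            except (ValueError, struct.error):
                continue
            if ov != 0:
                yield path, ov


def build_minimal_elf64(code: bytes) -> bytes:
    """Constructed sample input: a tiny x86-64 ELF with one PT_LOAD, a null
    section and a .text section, laid out header | phdr | code | shdrs."""
    ehsize, phentsize, shentsize = 64, 56, 64
    phoff = ehsize
    code_off = phoff + phentsize
    shoff = code_off + len(code)
    base = 0x400000
    ident = ELF_MAGIC + bytes([2, 1, 1, 0]) + bytes(8)  # ELF64, little-endian, v1
    ehdr = struct.pack("<16sHHIQQQIHHHHHH", ident, 2, 62, 1, base + code_off,
                       phoff, shoff, 0, ehsize, phentsize, 1, shentsize, 2, 0)
    phdr = struct.pack("<IIQQQQQQ", 1, 5, 0, base, base, shoff, shoff, 0x1000)
    null_sh = bytes(shentsize)
    text_sh = struct.pack("<IIQQQQIIQQ", 0, 1, 6, base + code_off, code_off,
                          len(code), 0, 0, 16, 0)
    return ehdr + phdr + code + null_sh + text_sh


if __name__ == "__main__":
    if len(sys.argv) > 1:
        for path, ov in scan_tree(sys.argv[1]):
            print(f"{ov:>8} bytes beyond headers: {path}")
    else:
        clean = build_minimal_elf64(b"\x48\x31\xc0\xc3")  # xor eax,eax; ret
        infected = clean + bytes(8759)  # appended payload, sized like the one reported
        print("clean overlay:", overlay_size(clean))        # 0
        print("infected overlay:", overlay_size(infected))  # 8759
```

Run it as `python3 elfoverlay.py /` from a clean boot (live media or single-user mode with a known-good interpreter), since, as the reply above points out, /bin/rpm and a detection tool built on the compromised host may themselves be infected. A non-zero overlay is a triage signal, not proof: appended signatures and self-extracting archives also produce overlays, so confirm hits against package checksums (`rpm -V`, or better `rpm -Vp` against the original .rpm file) or a known-good copy. An infector that rewrites an existing segment in place, like the 4096-byte text-segment insertion the reply attributes to RST, leaves no overlay and needs a different check.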