The ELF Virus Writing HOWTO

Introduction

Alexander Bartolich

alexander.bartolich@gmx.at

Revision History
Revision If you don't care where you are, then you ain't lost.2003-02-15
Systematic search for infection targets with scanner.

This document describes how to write parasitic file viruses infecting ELF executables. Though it contains a lot of source code, no actual virus is included. Every mentioned infection method is accompanied with a practical guide to detection.

Viruses are not a threat to Linux! [1]

A quote from Rick's Rant on anti-virus software: [2]

The problem with answering this question is that those asking it know only OSes where viruses, trojan-horse programs, worms, nasty Java scripts, ActiveX controls with destructive payloads, and ordinary misbehaved applications are a constant threat to their computing. Therefore, they refuse to believe Linux could be different, no matter what they hear. And yet it is.


Table of Contents
1. Introduction
1.1. What exactly is a virus?
1.2. Worm vs. virus
1.3. Freedom is security
1.4. Copyright & trademarks
1.5. Disclaimer
1.6. Credits
1.7. Feedback
2. Platforms
2.1. Executable and linkable format
2.2. Assembly language documentation
2.3. Assemblers and disassemblers
2.4. Be fertile and reproduce
2.5. i386-Red Hat8.0-linux
2.6. sparc-debian2.2-linux
2.7. sparc-sunos5.9
3. Scratch pad
3.1. objdump_format.pl
3.2. gdb_format.pl
3.3. Offset of e_entry
3.4. Extracting e_entry
3.5. Dressing up binary code
3.6. Self modifying code
4. Dual use technology
4.1. print_errno
4.2. Conditional output
4.3. trace_infector.h
4.4. trace_scanner.h
4.5. gcc-filter.pl
4.6. cc.sh
4.7. target.h
4.8. check.h
4.9. main
4.10. target_open_src
4.11. target_close
5. One step closer to the edge
5.1. target_is_elf
5.2. target_get_seg
5.3. print_summary #1
5.4. target_action #1
5.5. target_patch_entry_addr #1
5.6. target_open_dst
5.7. target_write_infection #1
6. Scanners
6.1. Finding executables
6.2. Driver scripts
6.3. Scan entry point
6.4. Scan segments
6.5. Food for segment padding
6.6. Scan file size
7. Segment padding infection
7.1. _SC_PAGESIZE
7.2. The plan
7.3. target_new_entry_addr #1
7.4. target_patch_phdr #1
7.5. target_patch_shdr #1
7.6. target_copy_and_infect #1
8. Additional code segments
8.1. The NOTE program header
8.2. Scanning for NOTE
8.3. A simple plan
8.4. target_patch_phdr #2
8.5. target_new_entry_addr #2
8.6. target_patch_shdr #2
8.7. copy_and_infect #2
9. Remote shell trojan
9.1. Three years later
9.2. The lighter side
9.3. Another three months later
9.4. The serious side
9.5. Another theory
9.6. Intrusion detection systems
A. GNU Free Documentation License
B. GNU General Public License
C. Revision history
C.1. Revisions
C.2. Road map
C.3. Random links
D. Mirrors
D.1. Archive
D.2. Sites directly updated by me
D.3. Independent sites
D.4. Do it yourself
D.5. Some emails

Notes

[1]

The first release of this document covered only Linux/i386. Among the platforms using ELF it is considered the most viable for virus spread.

[2]

http://linuxmafia.com/~rick/faq/#virus