Crossplatform virus - the latest proof of concept
Kostya April 07, 2006 | 07:32 GMT
Weve received a new sample: another cross platform virus. This sample is the latest attempt to create malicious code which will infect both Linux and Win32 systems. Its therefore been given a double name: Virus.Linux.Bi.a/ Virus.Win32.Bi.a
The virus is written in assembler and is relatively simple: it only infects files in the current directory. However, it is interesting in that it is capable of infecting the different file formats used by Linux and Windows - ELF and PE format files respectively.
To infect ELF files, the virus uses INT 80 system calls and injects its body into the file immediately after the ELF file header and before the .text section. This changes the entry point of the original file.
Infected files are identified with a 2-byte signature, 7DFBh, at 0Bh.
The virus uses the Kernel32.dll function to infect systems running Win32. It injects its code to the final section, and gains control by again changing the entry point. Infected PE files contain the same 2-byte signature as ELF files; the signature is placed in the PE TimeDateStamp header.
Infected files contain the following text strings:
This is Sepultura signing off...
This is The Soul Manager saying goodbye...
Greetz to: Immortal Riot, #RuxCon!
The infector itself contains the following strings:
[CAPZLOQ TEKNIQ 1.0] VIRUS SUCCESFULLY EXECUTED!
The virus doesnt have any practical application - its classic Proof of Concept code, written to show that it is possible to create a cross platform virus.
However, our experience shows that once proof of concept code is released, virus writers are usually quick to take the code, and adapt it for their own use.
Detection for Virus.Linux.Bi.a/ Virus.Win32.Bi.a was added to the Kaspersky Anti-Virus databases shortly after the sample was received.
Zeugma:
So, this appears to be a proof of concept, not an actual threat (yet). It's an interesting bit of code in that it can run on both MS-Windows and Linux. I gotta wonder if aspects of this code could be used in the cause of good, by making regular programs that could run on either platform.
The way this code is described, it reminds me a lot of a program I used to have many years ago that would convert ".com" files into standard ascii text that were still executable. It was cool, in that you could actually print the program itself, yet the same string of ascii text would do whatever the original program did. Needless to say, this increased the size of the executable considerably. I had a program called "beep.com" that was a whopping 6 bytes(!) long. It was the smallest functional program I'd ever seen on DOS. All it did was make your PC's speaker beep it's default beep once. I used it a lot in batch files to annoy folks :-) Anyway, when converted to an ascii executable, it was something like 200 or so bytes.
Been thinking about this a little while, and I've very much like to see how this type of virus/worm will operate in practice.
Most likely, it will require a bit of social engineering for Alice to get Bob to execute the payload. Given the same bit of code that is, say, attached to an email. Let's examine how they would possibly operate.
Alice sends Bob and Charlie an email with a malicious payload as an attachment. "Wow! Look at this great picture of Al Franken being tossed from the Empire State building!" Being good republicans, their interest is piqued. Bob, who is an MS-Windows user either saves the file (IAmNotAVirus.jpg.com) then double-clicks on it, or just double-clicks the attachment. =Poof=, Bob is 0wn3d!
Charlie uses Linux. He either saves the file (IAmNotAVirus.jpg.com) to disk, or double-clicks the attachment to open it. Either way, the file itself won't run automatically? Why not? Well, in order for a file to execute under Linux, it has to be made executable. Just calling it somefile.com or somefile.exe or even somefile.sh is just not enough for the system to execute the file, because Linux doesn't act on a specific type of file based on its filename.
So, most likely, even with an identical virus/worm with the identical payload, under most circumstances, it will still be much more dangerous to MS-Windows users than Linux users.
So, either I'm missing something, the write-up is wrong/incomplete/misleading, or this isn't really a "cross-platform virus".