elfmaster/skeksi_virus elfmaster/skeksi_virus

  • Stars
    star
    221
  • Rank 179,773 (Top 4 %)
  • Language
    C
  • Created almost 9 years ago
  • Updated about 2 years ago
Twitter logo Share LinkedIn logo Share Facebook logo Share
elfmaster/skeksi_virus
github

elfmaster

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

Devestating and awesome Linux X86_64 ELF Virus

skeksi_virus

Linux X86_64 ELF Virus that just might ruin someones day in the wrong hands

General about

This Virus is humurous, but it is also nasty and should not be executed on any system unless it is a controlled environmnent, or an expendable Virtual machine setup specifically to host malware. The Skeksi Virus was written merely for the sake of inventiveness, and to demonstrate how to write a quality Virus for Linux, mostly in C. It is a work in progress and is not yet complete.

Virus specifications

Infection techniques

  • Extends text segment in reverse to make room for parasite

This technique is nice, because it is less suspicious. The entry point still points into the .text section of the executable, and there is no modifications to the segment permissions or segment type (such as converting a PT_NOTE to PT_LOAD).

  • Infects the PLT/GOT

Currently the Virus only looks for the puts() function which is used to print strings and is often linked into an executable instead of printf(). The result is that an infected binary will print everything to stdout in l33t sp34k, randomly with a probability of 1 in 5.

Infection behaviour

The virus will infect only x86_64 ELF ET_EXEC binaries that are dynamically linked. The virus will soon also be able to infect shared libaries, but some adjustments must be made to take into account the position independent type executables. The virus will mark an infected file's EI_PAD area (9 bytes into the ELF file header) with a magic number 0x15D25. This prevents it from re-infecting a given file.

If the Virus is launched as a non-root user, it will only infect binaries in the CWD. If the virus is launched with root privileges it will randomly select one of four directories: /bin, /usr/bin, /sbin, /usr/sbin. After it picks a target directory it will have a 1 in 10 chance of infecting each file as it iterates through all of them.

Nuances and notes

Notice we do store string literals, not just on the stack. This is because the text and data segment are merged into a single segment and each time the virus copies itself, it copies all of the string data as well.

More Repositories

1

libelfmaster

Secure ELF parsing/loading library for forensics reconstruction of malware, and robust reverse engineering tools
C
403
star
2

ftrace

POSIX Function tracing
C
323
star
3

ecfs

extended core file snapshot format
C
219
star
4

maya

Highly advanced Linux anti-exploitation and anti-tamper binary protector for ELF.
C
151
star
5

dsym_obfuscate

Obfuscates dynamic symbol table
C
134
star
6

saruman

ELF anti-forensics exec, for injecting full dynamic executables into process image (With thread injection)
C
126
star
7

kdress

Transform vmlinuz into a fully debuggable vmlinux that can be used with /proc/kcore
C
121
star
8

binflow

This is the new ftrace (https://github.com/elfmaster/ftrace) - Much faster, better resolution but not complete yet! :)
C++
107
star
9

dt_infect

ELF Shared library injector using DT_NEEDED precedence infection. Acts as a permanent LD_PRELOAD
C
106
star
10

sherlocked

Universal script packer-- transforms any type of script into a protected ELF executable, encrypted with anti-debugging.
Objective-C
102
star
11

linker_preloading_virus

An example of hijacking the dynamic linker with a custom interpreter who loads and executes modular viruses
C
58
star
12

taskverse

A tool like /bin/ps but uses /proc/kcore for walking the tasklist; this finds hidden processes
C
56
star
13

libelfmaster_examples

Simple ELF tools written to demonstrate libelfmaster capabilities.
C
37
star
14

kprobe_rootkit

Linux kernel rootkit using kprobes (From http://phrack.org/issues/67/6.html)
C
35
star
15

ecfs_exec

Be able to execute memory snapshots so they can start running where they left off.
C
34
star
16

static_binary_mitigations

relros.c applies RELRO to static binaries, and static_to_dyn.c applies ASLR to static binaries.
C
32
star
17

shiva

Shiva is a programmable dynamic linker for loading ELF microprograms
Roff
29
star
18

davinci

Transforms any file into a protected ELF executable
C
26
star
19

scop_virus_paper

ELF Virus infection techniques that work with SCOP (Secure code partitioned) executables
C
14
star
20

fork_trace

C++
10
star
21

avu32

anti virus 32bit. my first attempt (in 2008) to write prototype for detecting/disinfecting unix ELF viruses
C
8
star
22

canaryism

Canaryism will tell you which functions are protected with gcc stack canaries
C
6
star
23

packt_book

C
6
star
24

interpx_documentation

4
star
25

shiva_blogposts

Multiple blogposts are maintained here.
3
star
26

shiva_presentations

2
star
27

unix_virus_anniversary

2
star
28

veriexec.linux

Veriexec implementation for Linux
C
2
star
29

poetry

Transcribing my poetry from 19yrs ago
1
star