Virus features in Unix operating systems

Elk cloner: the first computer virus. It will get all the stuff on your disk, and it will even penetrate into the chip. This is Cloner! It will stick you like glue, and it will modify the memory! DX
}
Computer viruses are the most famous member of a large number of electronic destructive techniques. They are actually some very dangerous malicious programs, they are ugly, but in my opinion they are cute, derived from my control of the Internet and exploration of computer programs. They will copy themselves and infect other files. These infected files even include very innocent documents. And they are easy to get. They can spread everywhere, anytime, anywhere. In fact, no OS can completely defend against viruses. A virus can be completely copied by the system itself, for example, the executable files in pe format of Windows operating systems and the elf format of unix-like operating systems are used. Therefore, any computer virus is attached to the OS architecture. The writing methods of various OS viruses are different, but no OS can escape the virus, including Linux. Tm83]
% M
As mentioned above, Linux can also be infected, just like Windows NT or Mac OS. Both DOS, Windows, and Amiga on a PC can create virus code. So, why don't we look at some viruses on ipvs NT or Linux systems ?, W> pcn
67 M
You may be surprised that in fact the first computer virus is a Unix virus (maybe the first is ElkCloner, as if it was written between 1980 and 1982 ). FredCohen wrote some very early Unix viruses on the 4BSD VAX system. One year later, ElkCloner was born. Because Unix systems have a memory protection mechanism, people do not believe that viruses on Unix systems are more harmful than Windows and DOS systems, but they are wrong. MCIk
E9 #
Some common mistakes d0JC {
| P
The biggest misunderstanding is the prevention of virus spread by many high-performance security systems. Because we use the DOS system and it does not have any memory protection mechanism or data protection mechanism, we believe that viruses can fully control all computer resources. Yes, they can easily become full control users for DOS and simple Windows operating systems. Without the memory protection mechanism and data protection mechanism, computer viruses can gain control of all computers. Windows NT and Unix systems are relatively advanced protection systems. This can prevent most viruses from being infected, but not all. When a user acts as root or administrator, the protection mechanisms of these systems are actually stopped. A well-designed virus can use its own method to find every file in the file system. The NT ownership or ACL mechanism does not pay much attention to this issue. X
RAEqgA
Another misunderstanding is that the Linux system can especially prevent viruses, because all Linux programs come from the source code, not the binary format, which deserves attention, after all, only a very small number of people (or even administrators) are able to find virus code from the source code. This is a very time-and effort-consuming job. Generally, users are used to communicating with files in binary format, because they do not want to use these programs to execute commands such as make config and make, they like simple programs. All these causes give the Unix system enough space for viruses to access and manipulate the system. 79 ^, kt
K] IJb
The third misunderstanding is that the Unix system is absolutely secure because it has many different platforms, and each version of the Unix system is very different. But now I can't see it like this. The current virus is written in standard C to adapt to any Unix-like operating system, and they can use the make program for cross-platform compilation. Think about the internet worm written by Morris, which uses this technology and has a standard ELF binary format and library file. L
Ug $ S
Shell script "Dpd
N
The first problem we face is how to spread it. This is a natural problem, at least on Unix systems. We need to find a way to make each platform compatible, so we first think of the shell script language. Shell has very little difference on different Unix systems, so FredCohen wrote in his book "intruders, worms, and viruses" (published in 1990: "In unix Command interpretation languages, virus code can be written within 200 bytes." Maybe we can write a man page virus script based on his words, which can be used to operate files and executable programs, which is very similar to macro viruses. The virus of man page does not spread to other systems unless you change the format of man page for other users. In any case, this virus is a common cross-system virus. Similarly, you can write another script virus to control mail readers. V7e +
O
Writing a shell script virus is a simple way to create a Unix virus. I know there will certainly be many people in the industry saying, how can script viruses be real viruses? It is written in scripting rather than assembly. But in fact, we assess that a virus can be infected and transmitted on the system, rather than the virus size or language. On Volume 2 USENIX1989, you can see the script virus code of Tom Duff and M. Douglas McIlroy. The shell script virus is not harmful and can be easily destroyed, because it is written and executed in plaintext mode, and can be noticed by any user or administrator. However, I don't think most users will understand the code: 4xM
G'f"
For % f in (*. bat) do copy % f + bfv. bat *
Ki>
Generally, a user will be convinced to execute any script without asking about the script's origins. In this way, these users have become the targets of viruses. These are users' awareness issues, so they cannot avoid virus intrusion, therefore, our users need to strengthen their awareness of these viruses.> E/
A)
Worm?
4Zmy
Another widely influential technology is worms. Imagine the Morris worm: Using attack programs-generally these attack programs are already existing technologies. This worm uses an existing sendmail program vulnerability to gain control of other machines. Viruses usually use rexec, fingerd, or password to try to connect. After successful intrusion, it will compile the source code on the target machine and execute it, and there will be a program dedicated to hiding its footprints. Internet Worms generally use known attack programs to obtain the administrator permissions of the target machine. However, the life of the worm is also very short. When the vulnerability used by the virus is repaired, the worm will lose its role, because they need to use the exploit media for their own replication. Exploit is effective only for specific programs of specific versions. Therefore, the cross-platform capability of worms is poor, and the timeliness is also weak.
] Zp
#
Spoofing library function N
$
We can fool silly users. If you use the LD_PRELOAD environment variable to tease him, you can let him execute your own code. You have used the LD_PRELOAD environment variable to replace the standard library function with your own program, interesting, right? LD_PRELOAD is not exclusive to linux systems and is generally used in some applications (for example, StarOffice of earlier versions needs to run on a newer version of Redhat system) they must use their own library functions (older or modified) because they do not meet their needs during installation. Quantum (author of The Staog virus) provides the code in the Unix virus email list. I have modified the Code to make it easy for everyone to understand:./t | = 5
<W {jN
------------------------ Tryld. c -------------------------------- N | br9 @
Extern int _ open (char *, int, int);> 68O
Extern int execv (char *, char * [], char * envp []); Py
{! OF
Int open (char * path, int flags, 3
Int mode) {YU0Tv
Printf ("open: % s", path); 23D? X
Return _ open (path, flags, mode); 0 W
}? 5
G9 [DMJ
/* Note that here, it gave up the envp parameter, so it will ...:(?! LS @-
Haha, So I modified it, but it has little impact: */L; j6P"
Int execve (char * path, char * args [],) R ~ Y * n
Char * envp []) {, <"c <'
Printf ("execve: % s", path); | X>
Return execv (path, args, envp); bJ
} R
---------------------------------------------------------------- L <^ y
------------------------ Main. c ---------------------------------- RU6jiY
/* Test only, by e4gle */6
# IncludeM
# IncludeTFo *
# Include7
# Include: bu
0
Main () 8n
{UR)
Int fd; c
Execve ("/bin/date", "", NULL); 5e
If (fd = open ("/etc/inittab", O_RDONLY )! =-1 )*
{~ 5KWj +
Fprintf (stdout, "open file succeed! ");,
} G
ElseN2-
Fprintf (stderr, "open error! "); <X <. x.
Close (fd); 07Zd
Return 0; z <m *
} Ddfx
------------------------------------------------------------------ D_yp
? W4?
This code gets open and execv and changes their output. Well, let's test: C ^ 4.) C
Kix + Q
[E4gle @ redhat62 elf] $ gcc-o main. cWk
[E4gle @ redhat62 elf] $./mainQr}
Open file succeed! <-- It indicates that the file is successfully opened and the open call works properly. tMf # C7
[E4gle @ redhat62 elf] $ ldd-v-r./mainO
Libc. so.6 =>/lib/libc. so.6 (0x4001c000) s @ h
/Lib/ld-linux.so.2>/lib/ld-linux.so.2 (0x40000000) nA = m0
K [? M
Version information: ^;
./Main: j3Y
Libc. so.6 (GLIBC_2.0) =>/lib/libc. so.6g
/Lib/libc. so.6: n6
Ld-linux.so.2 (GLIBC_2.1.1) =>/lib/ld-linux.so.2 {uE
Ld-linux.so.2 (GLIBC_2.1) =>/lib/ld-linux.so.2 (>! 6P7
Ld-linux.so.2 (GLIBC_2.0) =>/lib/ld-linux.so.2rJ6 |
/* Trace the usage of library functions. They are all standard library functions of glibc. sotruss is in solaris. I personally think sotruss}
Relatively easy to use :) */@ $ Y * 9
[E4gle @ redhat62 elf] $ gcc-shared-o tryld. cR4 =
[E4gle @ redhat62 elf] $ export LD_PRELOAD =./tryld <-- use our own libMuBZ * I
[E4gle @ redhat62 elf] $./mainfG
Execve:/bin/datea
Open:/etc/inittabIf
Open file succeed! Wf3 (
/* Note! No