Viruses based on Linux systems

Although the virus spread in Linux is not much, but there are some, I from someSafetyThe site collects some information.
　
1. Virus Name:
　
Linux.Slapper.Worm
　
Category: Worms
　
Virus data: Infection system: Linux
　
Non-affected system:Windows3.x,Windows98, Windows NT, Windows $, Windows XP, Windows Me, Macintosh
　
Virus spread:
　
Ports: 80, 443, 2002
　
Infection target: Apache Web on each version of Linux systemServer
　
Technical Features:
　
The worm attempts to continuously connect to port 80 andServerAn invalid "GET" request was sent to identify the Apache system. Once the Apache system is discovered, it connects to port 443 and sends malicious code to the listening SSL service on the remote system.
　
This worm exploits the vulnerabilities that Linux shell code can only run on Intel systems. The code requires a shell command/bin/sh to execute correctly. The worm exploits the method of UU encoding, which first encodes the source of the virus into ". Bugtraq.c" (so that only the "ls-a" command can display this code file), then sends it to the remote system and decodes the file. It then uses GCC to compile the file and run the compiled binaries ". Bugtraq". These files will be stored in the/tmp directory.
　
The worm runs with an IP address as its parameter. These IP addresses are the addresses of the machines used by hackers to build a network of denial-of-service attacks using infected machines. Each infected system listens on UDP port 2002 to receive hacker instructions.
　
The worm exploits an Apache system with a fixed IP address with the following numbers:
　
3, 4, 6, 8, 9, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 24, 25, 26, 28, 29, 30, 32, 33, 34, 35, 38, 40, 43, 44, 45, 46, 47, 48, 49, 50, 51, 52, 53, 54, 55, 56, 57, 61, 62, 63, 64, 65, 66, 67, 68, 80, 81, 128, 129, 130, 131, 132, 133, 134 , 135, 136, 137, 138, 139, 140, 141, 142, 143, 144, 145, 146, 147, 148, 149, 150, 151, 152, 153, 154, 155, 156, 157, 158, 159, 160, 161, 162, 163, 164, 165, 166, 167, 168, 169, 170, 171, 172, 173, 174, 175, 176, 177, 178, 179, 180, 181, 182, 18 3, 184, 185, 186, 187, 188, 189, 190, 191, 192, 193, 194, 195, 196, 198, 199, 200, 201, 202, 203, 204, 205, 206, 207, 208, 209, 210, 211, 212, 213, 214, 215, 216, 217, 218, 219, 220, 224, 225, 226, 227, 228, 229, 230, 231, 232, 233, 234, 235, 2 36, 237, 238, 239
　
2. Virus name:
　
Trojan.linux.typot.a
　
Category: Trojan virus
　
Virus data: Destruction method:
　
The virus is a Trojan horse under the Linux operating system, the Trojan runs every few seconds after the sending of a TCP packet, its destination IP and source IP address is random, there are fixed features in this package, including TCP window size < here for 55808> at the same time, the virus will sniff the network , if the window size of the TCP packet is found to be equal to 55808, a file is generated in the current directory < file name: R> Every 24 hours, the virus detects if there is a file "R", and if so, tries to connect a fixed IP address < A client that may be a Trojan If the connection succeeds, the virus deletes the file:/tmp/....../a and exits
　
3. Virus Name:
　
TROJAN.LINUX.TYPOT.B Category: Trojan virus
　
Virus data: Destruction method:
　
The virus is a Trojan horse under the Linux operating system, the Trojan runs every few seconds after the sending of a TCP packet, its destination IP and source IP address is random, there are fixed features in this package, including TCP window size < here for 55808> at the same time, the virus will sniff the network , if the window size of the TCP packet is found to be equal to 55808, a file is generated in the current directory < file name: R> Every 24 hours, the virus detects if there is a file "R", and if so, tries to connect a fixed IP address < A client that may be a Trojan If the connection succeeds, the virus deletes the file:/tmp/....../a and exits
　
4. Virus name:
　
W32/linux.bi Category: WL virus
　
Virus data: W32/linux.bi is a cross-platform virus, 1287 bytes in length, infected with Linux, Windows X, Windows 98, Windows Me, Windows NT, Windows Serv Er 2003, the Windows XP operating system, which infects the executable file of the current directory according to the operating system type. When this virus is received and opened, the following behavior occurs:
　
A infects an executable file in the current directory between 4K and 4M, (does not infect DLL files under Windows)
　
5. Virus Name:
　
LINUX.PLUPII.C Category: Linux virus
　
Virus data: LINUX.PLUPII.C is a Linux virus, the virus length 40,7576 bytes, infected with Linux, Novell Netware, UNIX system, it spreads through system vulnerabilities, the phenomenon of this virus infection is:
　
A opens the backdoor on UDP Port 27015, allowing hackers to remotely control the computer
　
B generate the IP address, add the following to generate the URL address
　
/cvs/
　
/articles/mambo/
　
/cvs/mambo/
　
/blog/xmlrpc.php
　
/blog/xmlsrv/xmlrpc.php
　
/blogs/xmlsrv/xmlrpc.php
　
/drupal/xmlrpc.php
　
/phpgroupware/xmlrpc.php
　
/wordpress/xmlrpc.php
　
/xmlrpc/xmlrpc.php
　
C sends an HTTP request to the above address, attempting to propagate through the following vulnerabilities
　
PHP XML-RPC Remote injection Attack (see vulnerability list ID 14088
　
http://www.securityfocus.com/bid/14088)
　
Awstats log plug-in Parameter input determination Vulnerability (see vulnerability list ID 10950
　
http://www.securityfocus.com/bid/10950)
　
Darryl perimeter Remote Execution Command Vulnerability (see vulnerability list ID 13930
　
http://www.securityfocus.com/bid/13930)
　
D when a vulnerable computer is found, the virus exploits the vulnerability from 198.170.105.69DownloadScript file to a vulnerable computer and execute
　
EDownloadThe following virus to the/tmp/.temp directory, infecting the computer
　
CB (Virus LINUX.PLUPII.B)
　
HTTPS (Perl script backdoor virus)
　
Ping.txt (Perl script Shell Backdoor virus.) ）
　
httpd
　
F attempt to connect to TCP port 8080 of the intended address, open a shell backdoor
　
G Open the IRC backdoor and connect to the following IRC servers
　
eu.undernet.org
　
us.undernet.org
　
195.204.1.130
　
194.109.20.90
　
Virus lookup join channel containing Lametrapchan string, wait for hacker command
　
6. Virus Name:
　
Linux.mare Category: Linux virus
　
Virus data: The virus is variable in length, infects Linux, it spreads through PHP's Phpbb_root_path vulnerability, and opens the backdoor for hackersDownloadThe remote file is executed when the virus is infected with the following hazards:
　
A dozen back door connect to the following servers
　
81.223.104.152
　
24.224.174.18
　
B accept and execute the remote hacker issued the following command
　
Update virus
　
Execute command
　
Stop the virus
　
C download from the above server to execute remote file listen
　
D download Execute remote update file Update.listen
　
E record information to file Listen.log
　
F-Scan via PHP Phpbb_root_path vulnerability
　

G perform the following command on the scanned computer http://209.136.48.69/[deleted]/cvac

7. Virus Name:
　
LINUX.PLUPII Category: Linux virus
　
Virus data: The virus length 34,724 bytes, infected with the Linux system, the virus to exploit the Web server vulnerability spread, and open the backdoor for hackers, to when received, open the virus, the following hazards:
　
A send a notification message to a remote hacker via UPD Port 7222
　
B Open the backdoor for hacker action
　
C generates a URL with the following content
　
/cgi-bin/
　
/scgi-bin/
　
/awstats/
　
/cgi-bin/awstats/
　
/scgi-bin/awstats/
　
/cgi/awstats/
　
/scgi/awstats/
　
/scripts/
　
/cgi-bin/stats/
　
/scgi-bin/stats/
　
/stats/
　
/xmlrpc.php
　
/xmlrpc/xmlrpc.php
　
/xmlsrv/xmlrpc.php
　
/blog/xmlrpc.php
　
/drupal/xmlrpc.php
　
/community/xmlrpc.php
　
/blogs/xmlrpc.php
　
/blogs/xmlsrv/xmlrpc.php
　
/blog/xmlsrv/xmlrpc.php
　
/blogtest/xmlsrv/xmlrpc.php
　
/b2/xmlsrv/xmlrpc.php
　
/b2evo/xmlsrv/xmlrpc.php
　
/wordpress/xmlrpc.php
　
/phpgroupware/xmlrpc.php
　
/cgi-bin/includer.cgi
　
/scgi-bin/includer.cgi
　
/includer.cgi
　
/cgi-bin/include/includer.cgi
　
/scgi-bin/include/includer.cgi
　
/cgi-bin/inc/includer.cgi
　
/scgi-bin/inc/includer.cgi
　
/cgi-local/includer.cgi
　
/scgi-local/includer.cgi
　
/cgi/includer.cgi
　
/scgi/includer.cgi
　
/hints.pl
　
/cgi/hints.pl
　
/scgi/hints.pl
　
/cgi-bin/hints.pl
　
/scgi-bin/hints.pl
　
/hints/hints.pl
　
/cgi-bin/hints/hints.pl
　
/scgi-bin/hints/hints.pl
　
/webhints/hints.pl
　
/cgi-bin/webhints/hints.pl
　
/scgi-bin/webhints/hints.pl
　
/hints.cgi
　
/cgi/hints.cgi
　
/scgi/hints.cgi
　
/cgi-bin/hints.cgi
　
/scgi-bin/hints.cgi
　
/hints/hints.cgi
　
/cgi-bin/hints/hints.cgi
　
/scgi-bin/hints/hints.cgi
　
/webhints/hints.cgi
　
/cgi-bin/webhints/hints.cgi
　
/scgi-bin/webhints/hints.cgi
　
D sends an HTTP request using the URL connection generated above, attempting to propagate using the following Web vulnerability
　
PHP Remote Overflow Vulnerability xml-rpc (ID 14088)
　
AWStats Rawlog Plugin log file Input Vulnerability (ID 10950)
　
Darryl Burgdorf webhints Remote Execution Vulnerability (ID 13930)
　
F try Fromhttp://62.101.193.244/[deleted]/lupii Download execution virus
　
G save downloaded virus to/tmp/lupii
　
8. Virus Name:
　
linux.jac.8759 Category: Linux virus
　
Virus data: Infection Length: 8759 bytes
　
Virus Introduction: linux.jac.8759 is a virus that specifically infects files under the Linux system and can infect all executable files that are suffixed with the elf in its same-phase directory.
　
Technical features: When linux.jac.8759 is executed, it detects all of its files in the same directory, and if it finds executable files with writable permissions, it infects them. However, this virus does not infect files that end with the letter PS, nor does it infect files under the X86 platform.
　
The virus modifies the header of infected files in several places. One of the modifications is used as an infection marker, which makes the virus not feel the same file multiple times.
　
9. Virus Name:
　
Linux.Mighty.worm Category: Unix/linux worm
　
Virus data: Technical features:
　
This is a Linux worm, similar to the slapper of the previous period, all with the help of Linux running Apache Server Software
　
Machine for transmission. Once an infected machine is found, the worm takes advantage of the buffer overflow vulnerability of the OpenSSL server (443 port) to execute remote shell instructions. For more information about this vulnerability, you can browse http://www.kb.cert.org/vuls/id/102795.
　
The worm is made up of four files:
　
a.script.sh: initial shell script to download, compile, and execute other components;
　
B.DEVNUL:32 bit x86 elf executable file, about 19050 bytes, it is used by worms to scanInternetThe main part;
　
C.SSLX.C: Using the OpenSSL vulnerability source code files, compiled by script.sh for Devnul use;
　
The d.k:32-bit x86 elf executable, approximately 37237 bytes, is the Linux port for the Kaiten backdoor and DDoS tools.
　
When the shell program (script.sh) runs, it downloads three components of the worm, compiles the vulnerability code file (SSLX.C) into a binary file sslx, executes the Kaiten backdoor (K), and runs the Devnul file. and Devnul will scanInternetOn a vulnerable machine, once the unpatched machine is found, it runs the buffer Overflow Vulnerability code in the SSLX program.
　
Once the worm enters a new system and runs successfully on this system, it downloads and executes the shell script (script.sh) so that the worm's self-propagation process is complete.
　
10. Virus Name:
　
Linux.simile Category: Win32 virus
　
Virus data: Infection Length: variable
　
Hazard Level: Low
　
Affected systems: Windows, Windows 98, Windows NT, Windows $, Windows XP, Windows Me, Linux
　
Unaffected systems: Windows, Microsoft IIS, Macintosh, Unix
　
Technical Features:
　
This is a very complex virus that leverages the fuzzy ingress endpoint, warp and polymorphic encryption techniques, and is the first polymorphic strain virus that can infect Windows and Linux platforms. It does not contain destructive payloads, but after infecting a file, it pops up a dialog box on a specific date, which makes you feel bored. The virus is the fourth variant of the Simile family, introducing a new infection mechanism under the Intel Linux platform that infects 32-bit ELF files (the standard UNIX binary format). This virus can infect the PE and elf files under Linux and Win32 systems.
　
After the virus first runs, it checks the current system date, and if the virus is attached to the main file is a PE file, and on the day of March or September 17, a message box will appear:
　
If the main file is in elf format, then in March 17 or May 14 This day, the virus will output a text message similar to the following to the control Panel:
　
The virus has been proven to infect red Hat Linux6.2, versions 7.0 and 7.2, and is highly likely to infect other versions. The infected file increases by an average of 110K bytes, but the number of bytes grown varies with the virus's deformation engine shrinking or expanding and inserting.
　
11. Virus Name:
　
Linux.slapper.b Category: Unix/linux worm
　
Virus data: Hazard level: Medium
　
Propagation Speed: Medium
　
Technical Features:
　
This is a network worm that infects Linux systems, similar to the original LINUX.SLAPPER.A, but with some new features. It searches the system running the Apache server and, once it finds an infected machine, uses the buffer overflow vulnerability of the OpenSSL server to execute remote shell commands. For more information about this vulnerability, browse: http://www.kb.cert.org/vuls/id/102795
　
When the variant is propagated, it will carry its own source code and compile it on each victim machine to make it into an executable file. The virus source code file is called ". Cinik.c "will be copied to the"/tmp "directory, and its compiled file is called". Cinik ", stored in the same directory, and as the uuencoded version of the source code. This variant also contains a shell script/tmp/.cinik.go that searches for files on the infected system, and then overwrites the searched files with the worm's two code. The script also sends information about the local machine and the network to a mail address with a suffix of yahoo.com.
　
If the virus source file/tmp/cinik.c is deleted by the user, it will download a copy of the source file from a site, and the file name is also called CINIK.C.
　
In addition, the infected system runs a backdoor server program on UDP port 1978. Similar to all backdoors, the server side responds to special instructions sent by the remote unauthorized user to perform various actions according to the instructions, for example, one of the instructions is to search the email address on the infected machine.
　
It will scan all directories (except for three/proc,/dev and/bin) for all files to find valid email addresses. And it contains the string ". HLP "and the same address as" [email protected] "will be ignored, and all other e-mail addresses will be sent as a list to the IP address specified by the remote user at the beginning.
　
In addition, remote unauthorized users may also send other instructions, such as:
　
A.dos attack (TCP or UDP);
　
B. Turn on or off the TCP proxy (1080 port);
　
C. Execution of arbitrary procedures;
　
D. Obtain the names of other infected servers;
　
This variant examines IP addresses that meet the following forms when scanning for potentially vulnerable machines:
　
A. B. 0-255.0-255
　
where B is any number between 0 and 255;
　
A is a randomly selected number from the following list:
　
3 4 6 8 9 11 12 13 14
　
15 16 17 18 19 20 21 22 24
　
25 26 28 29 30 32 33 34 35
　
38 40 43 44 45 46 47 48 49
　
50 51 52 53 54 55 56 57 61
　
62 63 64 65 66 67 68 80 81
　
128 129 130 131 132 133 134 135 136
　
137 138 139 140 141 142 143 144 145
　
146 147 148 149 150 151 152 153 154
　
155 156 157 170 171 172 173 174 175
　
176 177 178 179 180 181 182 183 184
　
185 186 187 188 189 190 191 192 193
　
194 195 196 198 200 201 202 203 204
　
205 206 207 208 209 210 211 212 213
　
214 215 216 217 218 219 220 224 225
　
226 227 228 229 230 231 232 233 234
　
235 236 237) 238 239
　
12. Virus Name:
　
LINUX.SLAPPER.C Category: Unix/linux worm
　
Virus data: Technical features:
　
This is a network worm that infects Linux systems, similar to the original LINUX.SLAPPER.A, but with some new features. It searches the system running the Apache server and, once it finds an infected machine, uses the buffer overflow vulnerability of the OpenSSL server to execute remote shell commands. For more information about this vulnerability, browse: http://www.kb.cert.org/vuls/id/102795
　
When the variant is propagated, it will carry its own source code and compile two executables on each victim machine. " Unlock.c "and" update.c ", both of which are created in the"/tmp "directory. The first successful compiled executable program is called "httpd", which is located in the same directory. The second executable "update" listens on port 1052 when the input is correct frethem/index.htm "target=" _blank "style= ' Text-decoration:underline;color: #0000FF ' > Password, it will allow a large number of interactive shell commands to pass. In addition, the variant sends the host name and IP address of the infected machine to the specified email address.
　
Like Slapper.a and Slapper.b, a system that has been infected by SLAPPER.C will run a backdoor server program on UDP 4156 port, which responds to special instructions sent by remote unauthorized users to perform a variety of operations according to the instructions, for example, A total of one instruction is to search the email address on the infected machine.
　
It scans all directories (except for the three special directories/proc,/dev and/bin) to find a valid email address. And it contains the string ". HLP "and the same address as" [email protected] "will be ignored, and all other e-mail addresses will be sent as a list to the IP address specified by the remote user at the beginning.
　
In addition, remote unauthorized users may also send other instructions, such as:
　
A.dos attack (TCP or UDP);
　
B. Turn on or off the TCP proxy (1080 port);
　
C. Execution of arbitrary procedures;
　
D. Obtain the names of other infected servers;
　
This variant examines IP addresses that meet the following forms when scanning for potentially vulnerable machines:
　
A. B. 0-255.0-255
　
where B is any number between 0 and 255;
　
A is a randomly selected number from the following list:
　
3 4 6 8 9 11 12 13 14
　
15 16 17 18 19 20 21 22 24
　
25 26 28 29 30 32 33 34 35
　
38 40 43 44 45 46 47 48 49
　
50 51 52 53 54 55 56 57 61
　
62 63 64 65 66 67 68 80 81
　
128 129 130 131 132 133 134 135 136
　
137 138 139 140 141 142 143 144 145
　
146 147 148 149 150 151 152 153 154
　
155 156 157 170 171 172 173 174 175
　
176 177 178 179 180 181 182 183 184
　
185 186 187 188 189 190 191 192 193
　
194 195 196 198 200 201 202 203 204
　
205 206 207 208 209 210 211 212 213
　
214 215 216 217 218 219 220 224 225
　
226 227 228 229 230 231 232 233 234
　
235 236 237) 238 239