[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[ISN] Hands-on testing of the new Linux virus


By Joe Barr and Joe Brockmeier 
April 17, 2006

Thanks to one of our readers, NewsForge has obtained a copy of the
widely reported Windows/Linux cross-platform "proof of concept" virus.  
News reports thus far on the code have contradicted themselves: some
reported the virus can replicate itself on both Windows and Linux,
others saying it has a viral nature only on Windows. Testing by both
NewsForge staff and Hans-Werner Hilse may reveal why the confusion.

Our tests shows the code's viral nature is sometimes -- but not always
-- effective on both platforms, depending on the kernel being used. Of
course, it's impossible for us to test every version of the kernel out
there, but thus far, it looks like those prior to version 2.6.16 are
susceptible, and at least some of those after that release are not.  
Here's how we tested at NewsForge.

Our first test was run on an AMD64 box with a fresh install/update of
Ubuntu Dapper Flight 5 386 with the 2.16.15-20-386 kernel, with the
WINE and GHex -- a binary viewer/editor -- packages also installed.  
After unzipping the viral package (clt.zip) into an empty directory,
we tested CLT.EXE by executing it under WINE in a subdirectory
containing only a small executable and linkable format (ELF) file,
called hello, written in assembler, that we created for the test. We
ran CLT.EXE, and a small window popped up saying that the "dropper" --
as the code calls itself -- had executed successfully.

When we examined the hello ELF file with GHex, however, it showed no
signs of contagion -- not even the lines of text which were supposedly
installed in lieu of the virus itself when run on Linux. We soon
learned that the reason hello remained uninfected in the first test
was that the hello executable file is too small, not because the viral
code could not replicate on Linux. Another NewsForge staffer testing
CLT.EXE under VMWare found that it did infect larger ELF files.

Next, we copied the programs more, date, and ls from /bin into the
test directory. When we ran CLT.EXE again, all three of those ELFs
were infected. Each was 4,096 bytes larger than it had been before the
test. But did those 4,096 additional bytes actually contain the viral
code? Would the ELF files still execute? Those questions became the
basis for our next test scenario.

Instead of running CLT.EXE under WINE, we repeated the tests in a
different directory, using uninfected copies of the same target
programs, and then executing an infected version of ls in that
directory. The only difference we could detect was that the pop-up
window no longer appeared: more, ls, and date were all infected and
hello remained untouched.


InfoSec News v2.0 - Coming Soon!