30 May 2017

The Linux Virus: how it can be

Downloaded the virus for Linux.

Unzipped it.

Installed it under root.

It didn't start. Spent 2 hours googling. Realised that the virus, instead of /usr/local/bin, installed itself into /usr/bin, where user malware does not have write permissions. That's why the virus could not create a process file.

Found the patched .configure and .make files on a Chinese site. Recompiled, reinstalled. The virus announced that it needs the cmalw-lib-2.0 library. Found out that cmalw-lib-2.0 only exists for CentOS, but not for Ubuntu. Googled for a couple of hours, found a manual on how to compile a .deb from source. Compiled, installed; the virus happily started, beeped in the speaker and terminated with a core dump.

The hour I spent reading syslog (via Papertrail) told me that the virus thought I had ext4 and called its API to encrypt the disk. This API is deprecated in btrfs; that's why Linux noticed the inconsistency and made the partition read-only.

Opened the virus source code, grep'ped the bitcoin wallet and sent $5 just out of compassion.

Went to bed...

Source (in Russian), translation by DarkDuck

6 comments:

  1. Nice story! I enjoyed reading how you discovered the 'virus' triggering system dependencies. Keep hacking!!
  2. You had to try Arch, the latest and the greatest, for a possible newer patched version in the AUR. Or better still, Gentoo, with the necessary flags.
  3. I meant that "virus for Linux"; surely there must be some patched version in the AUR. Perhaps I forgot to put some "!!!".
  4. I think you need to cross-compile the virus into Ruby first, then install the latest cmalw-lib-2.0-ruby.gem library.. but you will also need
    cmalw-lib-bigdecimal (1.2.8)
    cmalw-lib-bluecloth (2.2.0)
    cmalw-lib-bluefeather (0.41)
    cmalw-lib-did_you_mean (1.0.0)
    cmalw-lib-io-console (0.4.5)
    cmalw-lib-son (1.8.3)
    cmalw-lib-minitest (5.8.4)
    cmalw-lib-net-telnet (0.1.1)
    cmalw-lib-power_assert (0.2.7)
    cmalw-lib-psycho (2.0.17)
    cmalw-lib-rake (10.5.0)
    cmalw-lib-rdoc (4.2.1)
    cmalw-lib-test-unit (3.1.7)
    ... to show the next 1024 lines press enter.

  5. In the world of free software, it's not only viruses that behave this way, but plenty of other software too.