VX Heaven

Library Collection Sources Engines Constructors Simulators Utilities Links Forum

Source code of computer viruses

LoTek - Virus for Linux by Wintermute

Virus for Linux

Show all viruses by this author


Download (2611 bytes) or browse online

Released in 29A#5

Author's notes

LoTek is an ELF cavity infector which hides itself in the ".note" section in order to replicate without changing file size.

It's a runtime virus that replicates by using memory file mapping syscalls (mmap), copying itself to this .note section just after the .bss one (which is in the same offset as another hole, .comment, less easy to infect cuz of that), changing data segment permissions in order to make it execute. This ".note" section is used by software developers in order to indicate compatibility/etc of the file, and is almost always never used.

Payload is chaging machine hostname one of each thirty-two executions (reading the processor tsc).

I just wanna remark this is a "test" virus, just trying an infection on Linux; it was writed in order to show an easy example on Linux infection in HackMeeting Barcelona'00 to complete a speak I made about Linux viruses and their risks (to silence those "Linux-never-can-get infected" people).

PD: So, you can imagine where the name "LoTek" came from :)

By accessing, viewing, downloading or otherwise using this content you agree to be bound by the Terms of Use! aka