
VX Heaven


Source code of computer viruses

SuperVixen - Virus for Linux by JPanic

Virus for Linux

JPanic

2014-00-00

Download supervixen.zip (8306 bytes) or browse online

SuperVixen is a 1964-byte parasitic virus targeting executables on Raspberry Pi boards running Raspbian, a Debian-based Linux.

The virus is written in ARM v6 assembler and targets appropriate ELF32 binaries using pure Linux syscalls.

To build:
as supervixen.s -o supervixen.o
ld.exe supervixen.o -N -o supervixen

When an infected binary is executed, the virus creates an ELF32 dropper at "~/cherry.lips/supervixen", where '~' is the HOME environment variable, and executes it. The dropper consists of the virus body beginning with an ELF32 Ehdr, followed by a single Phdr.

If geteuid() returns 0, or the dropper already exists as SUID root, a normal execve() call is used to execute it. Otherwise the execve() call runs it as a command-line argument of "/usr/bin/sudo" in order to obtain root. (Note that on a default Raspbian installation, "sudo" does not ask for a password or any other form of authentication.) Once the dropper has run as root, it sets itself SUID 0, so "sudo" does not have to be used again.

When the supervixen dropper is executed, it attempts to infect all suitable ELF32 binaries in ".", "/usr/bin" and "/bin". Infection of a system is reasonably fast. The virus executes the dropper with no command-line parameters; if the user runs it with any number of command-line parameters, the dropper simply displays an 'activation' message and exits.

The infection method for ELF32 binaries is fast and simple: if the file is suitable, the virus is appended, the PT_NOTE Phdr is changed to a PT_LOAD covering the virus, and e_entry in the Ehdr is hooked. The virus is appended on a 32-byte boundary, hence the infection marker is: filesize % 32 == virussize % 32.

The virus does not infect files with a period ('.') in their name, or files beginning with "sudo".
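The three infection traits the description gives (the PT_NOTE header rewritten to PT_LOAD, e_entry hooked into the appended segment, and a file size congruent to 1964 mod 32) can be checked from the ELF headers alone. The scanner below is an added example written from a defender's side; it is not code from the virus, its author, or the archive. It assumes a little-endian ELF32 image as on the ARM v6 target, treats the missing PT_NOTE and the 32-byte size marker as corroboration of the hooked entry point rather than as signals on their own, and exercises the checks on two constructed, header-only images padded with zero bytes rather than on real binaries.

```python
import struct

VIRUS_SIZE = 1964          # body length stated in the description
PT_LOAD, PT_NOTE = 1, 4    # ELF program-header types
EHDR_FMT = "<16sHHIIIIIHHHHHH"   # ELF32 Ehdr, little-endian (32-bit ARM)
PHDR_FMT = "<IIIIIIII"           # ELF32 Phdr
EHDR_FIELDS = ("e_ident", "e_type", "e_machine", "e_version", "e_entry", "e_phoff",
               "e_shoff", "e_flags", "e_ehsize", "e_phentsize", "e_phnum",
               "e_shentsize", "e_shnum", "e_shstrndx")
PHDR_FIELDS = ("p_type", "p_offset", "p_vaddr", "p_paddr", "p_filesz",
               "p_memsz", "p_flags", "p_align")


def parse_elf32(data: bytes):
    """Parse the ELF32 header and program headers; raise ValueError otherwise."""
    if len(data) < struct.calcsize(EHDR_FMT) or data[:4] != b"\x7fELF" or data[4] != 1:
        raise ValueError("not an ELF32 image")
    ehdr = dict(zip(EHDR_FIELDS, struct.unpack_from(EHDR_FMT, data, 0)))
    phdrs = []
    for i in range(ehdr["e_phnum"]):
        off = ehdr["e_phoff"] + i * ehdr["e_phentsize"]
        phdrs.append(dict(zip(PHDR_FIELDS, struct.unpack_from(PHDR_FMT, data, off))))
    return ehdr, phdrs


def check_indicators(data: bytes) -> dict:
    """Evaluate the three traits the description gives for an infected file."""
    ehdr, phdrs = parse_elf32(data)
    size = len(data)
    entry = ehdr["e_entry"]
    # 1. appended on a 32-byte boundary: filesize % 32 == virussize % 32
    size_marker = size % 32 == VIRUS_SIZE % 32
    # 2. the PT_NOTE header was rewritten, so none is left
    no_pt_note = not any(p["p_type"] == PT_NOTE for p in phdrs)
    # 3. e_entry was hooked into a PT_LOAD that maps the appended tail of the file
    entry_in_tail_load = any(
        p["p_type"] == PT_LOAD
        and p["p_offset"] > 0                           # not the original first segment
        and p["p_offset"] + p["p_filesz"] == size       # segment ends exactly at EOF
        and p["p_vaddr"] <= entry < p["p_vaddr"] + p["p_filesz"]
        for p in phdrs
    )
    return {
        "size_marker": size_marker,
        "no_pt_note": no_pt_note,
        "entry_in_tail_load": entry_in_tail_load,
        # a hooked entry point is the strong signal; the other two corroborate it
        "verdict": entry_in_tail_load and (no_pt_note or size_marker),
    }


def build_sample(entry: int, segments, total_size: int) -> bytes:
    """Construct a minimal ELF32 image for testing (constructed data, not a real binary)."""
    ident = b"\x7fELF\x01\x01\x01" + b"\x00" * 9      # ELFCLASS32, little-endian, version 1
    ehdr = struct.pack(EHDR_FMT, ident, 2, 40, 1, entry, 52, 0, 0,
                       52, 32, len(segments), 40, 0, 0)  # ET_EXEC, EM_ARM
    image = ehdr + b"".join(struct.pack(PHDR_FMT, *s) for s in segments)
    return image + b"\x00" * (total_size - len(image))  # zero padding, no code


# Constructed "clean" layout: one PT_LOAD plus the usual PT_NOTE, entry in the first segment.
CLEAN_SAMPLE = build_sample(
    0x10100,
    [(PT_LOAD, 0, 0x10000, 0x10000, 0x200, 0x200, 5, 0x10000),
     (PT_NOTE, 0x74, 0x10074, 0x10074, 0x20, 0x20, 4, 4)],
    0x200)

# Constructed infected-shaped layout: PT_NOTE replaced by a PT_LOAD covering a
# 1964-byte tail, with e_entry pointing into it. The tail is zero padding.
INFECTED_SHAPE = build_sample(
    0x20200,
    [(PT_LOAD, 0, 0x10000, 0x10000, 0x200, 0x200, 5, 0x10000),
     (PT_LOAD, 0x200, 0x20200, 0x20200, VIRUS_SIZE, VIRUS_SIZE, 7, 0x1000)],
    0x200 + VIRUS_SIZE)

if __name__ == "__main__":
    for name, sample in (("clean", CLEAN_SAMPLE), ("infected-shape", INFECTED_SHAPE)):
        print(name, check_indicators(sample))
```

On a real host the same function would be run over the bytes of each file in the directories the description names (".", "/usr/bin", "/bin"), and the presence of "~/cherry.lips/supervixen" or an unexpected SUID-root file there is a separate host indicator worth checking alongside the header heuristics. The size marker alone matches one file in 32 by chance, which is why the verdict keys on the hooked entry point.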
