Uninformed: Informative Information for the Uninformed

Vol 3» 2006.Jan


The Algorithm

Having the motives, tools and knowledge, here's the plan:
Infector:
---------

  * Attach to process
    > Wait for process to stop
    > Query process registers
    > Calculate previous stack page beginning
    > Store current EIP
    > Inject pre-virus and virus code
    > Set EIP to pre-virus code
    > Detach from process

Pre-Virus:
----------

  * Register SIGALRM signal handler
    > Schedule SIGALRM (14 secs)
    > Give control back to process

Virus:
------

  * SIGALRM handler invoked
    > Check for /tmp/fluffy
    > Create fluffy.c
    > Compile fluffy.c
    > Remove /tmp/fluffy.c
    > Chmod /tmp/fluffy
    > Jmp to pre-virus code

The infection is divided into two steps. First, the infector injects the virus and the pre-virus code into the target process and then sets the process EIP to point at the pre-virus code. Second, the pre-virus code, now running inside the infected process, registers a SIGALRM handler, calculates the location of the virus body to use as the handler's callback, schedules a SIGALRM and passes control back to the process. Once the signal is delivered, the virus kicks in as the signal handler.
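From the defender's side, the two steps above leave footprints that a host check can look for in /proc/<pid>/status: an attached tracer shows up as a non-zero TracerPid while the infector is attached, and a registered SIGALRM handler sets bit 13 of the SigCgt mask (SIGALRM is signal 14 on x86 Linux). The following triage script is an added example and not code from the article; the sample status text is constructed, and SIGALRM being caught is only a weak indicator on its own, since many legitimate daemons catch it.

```python
import os

SIGALRM_NUM = 14  # signal number of SIGALRM on x86 Linux


def parse_status(text):
    """Parse the 'Key:\\tvalue' lines of a /proc/<pid>/status file into a dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(':')
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def catches_signal(sigcgt_hex, signum):
    """True if `signum` is in the SigCgt bitmask (signal N occupies bit N-1)."""
    mask = int(sigcgt_hex, 16)
    return bool(mask & (1 << (signum - 1)))


def assess(status_text, tmp_has_fluffy=False):
    """Return the list of indicators found for one process' status text."""
    f = parse_status(status_text)
    findings = []
    if int(f.get('TracerPid', '0')) != 0:
        findings.append('traced by pid %s' % f['TracerPid'])
    if catches_signal(f.get('SigCgt', '0'), SIGALRM_NUM):
        findings.append('catches SIGALRM')  # weak alone; corroborate
    if tmp_has_fluffy:
        findings.append('/tmp/fluffy present')
    return findings


def scan_proc(proc_root='/proc'):
    """Walk a live /proc and return {pid: findings} for processes with findings."""
    results = {}
    fluffy = os.path.exists('/tmp/fluffy')
    for name in os.listdir(proc_root):
        if not name.isdigit():
            continue
        try:
            with open(os.path.join(proc_root, name, 'status')) as fh:
                found = assess(fh.read(), fluffy)
        except OSError:
            continue  # process exited or is not readable
        if found:
            results[int(name)] = found
    return results


# Constructed sample status text (not captured from a real host)
SAMPLE_STATUS = "Name:\tsshd\nState:\tt (tracing stop)\nPid:\t1234\nTracerPid:\t4321\nSigCgt:\t0000000180002000\n"
```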