Uninformed: Informative Information for the Uninformed

Vol 3» 2006.Jan

The Algorithm

Having the motives, tools and knowledge, here's the plan:

* Attach to process
> Wait for process to stop
    > Query process registers
    > Calculate previous stack page beginning
    > Store current EIP
    > Inject pre-virus and virus code
    > Set EIP to pre-virus code
    > Deattach from process


    * Register SIGALRM signal
> Schedule SIGALRM (14secs)
> Give control back to process


* SIGALRM handler invoked
> Check for /tmp/fluffy
    > Create fluffy.c
    > Compile fluffy.c
    > Remove /tmp/fluffy.c
    > Chmod /tmp/fluffy
> Jmp to pre-virus code

The infecting process is divided into two steps, the infector injects the virus and the pre-virus code to the infected process. Afterward it sets the process EIP to point to the pre-virus code. This independently registers to the SIGALRM signal within the infected process and calculates the virus location for the signal callback function. Then it schedules a SIGALRM signal and passes the control back to the process. Once the signal caught the virus it kicks in as the signal handler.