xorl %eax, %eax

ELF Infection by Appending Still Works

with 2 comments

I was cleaning up one of my desktops’ hard disk drives and found a nice ELF infection tool written something like 6 years ago. So, I read it again and then tested it. I admit that I’m still a little surprised that this simple infection technique, introduced by Silvio Cesare, still works 10 years after its public disclosure in the amazing article “UNIX Viruses” from 1999. Here is a simple test to see this infection with a parasite code working:

sh-3.2$ cat good.c
#include <stdio.h>

int main(void)
{
	return printf("Innocent C proggie.\n");
}

sh-3.2$ gcc good.c -o good
sh-3.2$ cat para.c
#include <stdio.h>

int main(void)
{
	return printf("Evil parasite code.\n");
}

sh-3.2$ gcc para.c -o para
sh-3.2$ ./good
Innocent C proggie.
sh-3.2$ ./para
Evil parasite code.
sh-3.2$ cat para >> good
sh-3.2$ ./good
Innocent C proggie.

A useful parasite will have to know its own size; then, using lseek(2) or fseek(3), it can move past the end of the good proggie to the offset of the evil one and execute the parasite/virus code. Of course, applications like tripwire are able to detect such infections but … this is a 10-year-old technique and it still works on every default installation!!!! Tripwire will detect it because the file has changed due to the appended parasite code; you can see this really easily like this:

sh-3.2$ gcc good.c -o new-good
sh-3.2$ diff good new-good
Binary files good and new-good differ
sh-3.2$ ls -l *good
-rwxr-xr-x 1 xorl xorl 12446 2009-01-16 00:49 good
-rwxr-xr-x 1 xorl xorl  6223 2009-01-16 00:55 new-good

Yep, the size of the infected good is good + evil since we appended the evil parasite code.
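Beyond noticing that the file changed, a defender can check the ELF structure itself: every byte of a well-formed binary is covered by a program header, a section, or the section header table, so anything past the furthest of those offsets was appended. The following checker is an added example, not code from the original post; it handles ELF64 little-endian only, and the host binary and parasite bytes it builds are constructed samples standing in for the good/para pair above.

```python
import struct
import sys

# ELF64 little-endian only; field layouts follow elf(5).
SHT_NOBITS = 8  # .bss-style sections occupy no file bytes


def elf_expected_size(data: bytes) -> int:
    """Offset at which a well-formed ELF64 file should end: the furthest byte
    covered by any program header, any non-NOBITS section, or the section
    header table itself."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("only ELF64 little-endian files are handled here")
    (_, _, _, _, e_phoff, e_shoff, _, e_ehsize, e_phentsize, e_phnum,
     e_shentsize, e_shnum, _) = struct.unpack_from("<HHIQQQIHHHHHH", data, 16)
    end = e_ehsize
    for i in range(e_phnum):
        base = e_phoff + i * e_phentsize
        p_offset, _, _, p_filesz = struct.unpack_from("<QQQQ", data, base + 8)
        end = max(end, p_offset + p_filesz)
    for i in range(e_shnum):
        base = e_shoff + i * e_shentsize
        sh_type = struct.unpack_from("<I", data, base + 4)[0]
        sh_offset, sh_size = struct.unpack_from("<QQ", data, base + 24)
        if sh_type != SHT_NOBITS:
            end = max(end, sh_offset + sh_size)
    if e_shnum:
        end = max(end, e_shoff + e_shnum * e_shentsize)
    return end


def trailing_bytes(data: bytes) -> int:
    """Bytes beyond the expected end; non-zero means something was appended."""
    return len(data) - elf_expected_size(data)


def build_minimal_elf64() -> bytes:
    """Constructed sample host: ELF header + one PT_LOAD entry + 16 filler bytes."""
    ehsize, phentsize = 64, 56
    body = b"\xc3" * 16  # stand-in for code bytes
    filesz = ehsize + phentsize + len(body)
    e_ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8
    ehdr = e_ident + struct.pack("<HHIQQQIHHHHHH", 2, 62, 1, 0x400000, ehsize,
                                 0, 0, ehsize, phentsize, 1, 64, 0, 0)
    phdr = struct.pack("<IIQQQQQQ", 1, 5, 0, 0x400000, 0x400000, filesz, filesz, 0x1000)
    return ehdr + phdr + body


HOST = build_minimal_elf64()
PARASITE = b"Evil parasite code.\n"  # constructed stand-in for the appended binary

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else HOST + PARASITE
    extra = trailing_bytes(data)
    print("clean" if extra == 0 else f"{extra} trailing bytes past the ELF end")
```

Run it with a path to check a real binary; with no argument it checks the constructed host with the parasite appended.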

Written by xorl

January 15, 2009 at 22:56

Posted in C programming

2 Responses


  1. there’s one other really interesting aspect about the GAP infection silvio described, where you load your code in the extra space at the end of the TEXT segment before the DATA segment begins for ELF. just append data to the end of your file, and it ends up there under certain conditions. you don’t need to modify any ELF headers. a parasite can then just pick an arbitrary branch to hijack control flow. works for linux + bsds and who knows what else

    similar things also happen with macho


    June 21, 2009 at 21:53

  2. here is an old append infector intercepter.nerf.ru/x25/ES/code/4553-invader-2.1.1.tar.gz

    also some more interesting ELF infectors I found there:


    September 1, 2009 at 10:59
