A Linux ELF virus designed to operate on both 64-bit and 32-bit systems, featuring anti-debugging techniques, conditional execution, and code obfuscation.
- โ๏ธ Warning
- โ What is it
- โ๏ธ How it works
- โญ Bonus features
- ๐ Prerequisites
- ๐ง Install
- ๐ Usage
The sharing of this project on my GitHub aims to help peoples to open their minds to new logics or help peoples in case of difficulty. In no way, that aims to copy and paste this work on your own repository.
This executable can do great damage to your computer if it is run, I strongly recommend that you run it in a separate and secure environment away from your personal data.
This project is a direct improvement of the previous virus Famine. Pestilence requires us to create a virus capable of concealing itself through anti-debugging techniques, conditional execution, and code obfuscation. Pestilence builds upon the features implemented in Famine, so I highly recommend reading Famine to grasp what is incorporated into Pestilence, as I will only explain new features in this README.
This project aims to create an ELF executable that can embed its own code within a target file.
In our case, our target is not a single file but two directories for the mandatory part.
Those directories are /tmp/test and /tmp/test2.
To consider a file "infected," the file must contain the virus code that we have coded.
It should be executed by the file when you run it without altering its original behavior and without printing anything.
Otherwise, our virus would be detected. After being infected, the targeted file will contain a signature in this form: Pestilence version 1.0 (c)oded by mamaurai:xchalle - 0000:11111111, where 0000 is just an index to determine the infection order of each process and 11111111 is the beginning of an encryption key used to encrypt the malicious payload every time the program is duplicated.
Before infecting a system, the virus will also check for the presence of any debugger. If a debugger is detected, it will print the message [DEBUGGER IS RUNNING...] and exit. Following this, the program will be decrypted, and it will check if any of the following processes are running: cat, vim, or grep. If any of these processes are detected, the infection will not proceed.
Again, I will only explain how the new mandatory features of Pestilence work. To understand how the virus infects other files, please refer to the Famine repository.
Let's start with the anti-debugging techniques. The first one involves a /proc/status/self check. The program will open the file and then check the TracerPID: line. If this line isn't set to 0, it indicates that a tracer process like strace or gdb is running, and the virus stops.
The second technique is the environment variable check. In gdb, when the program is running, two environment variables are set: COLUMNS and LINES. If these variables are set, most of the time, it indicates that a debugger is running.
The final check involves a ptrace check. The virus will fork a process to attach to it, and the PTRACE_ATTACH will return (-1) if the process is already attached to GDB.
Warning: Some VMs or containers may have limitations on the usage of ptrace. This limitation restricts the ptrace attachment from a child to its parent. If the virus consistently displays the debugging message, you have two options. First, disable this limitation by opening the file /etc/sysctl.d/10-ptrace.conf and changing the line kernel.yama.ptrace_scope = 1 to kernel.yama.ptrace_scope = 0. If the file doesn't exist, you can use this command:
$ echo "0" | sudo tee /proc/sys/kernel/yama/ptrace_scopeIf, for security reasons, you don't want to change it, you can compile the virus with this command:
$ make DISABLE_PTRACE=onAnd the ptrace check will be removed.
Now let's revisit Pestilence's features. The second one is conditional execution. This technique is employed to conceal the virus's execution and introduce more randomness.
To achieve this, the program opens the /proc directory and checks the name of every process in this folder, comparing them to the predefined process names set in our code. If a comparison is successful, the program exits. Quite simple.
And finally, the code obfuscation has been implemented by a CPP program that I created, but I'll keep it a secret ๐คญ (quite simple too).
This project opens the door to many potential bonuses. For this project, we have decided to implement six bonus features:
32 Bits Compatibility
We decided to leverage the wide possibilities of NASM preprocessing to create a coding approach that works on both 64-bit and 32-bit architectures. Here is how assemble it for 32bits:
$ make re ARCH=x86_32
$ ./Pestilence
Root Infection
At the beginning of the infection routine, the virus will query the kernel for the UID to determine whether the executable has been run with root privileges or via sudo. If the UID is greater than zero, the virus will only infect /tmp/test and /tmp/test2, as explained above. However, if the UID is zero, indicating root privileges, the virus will infect the following directories: /bin, /usr/bin, /usr/local/bin. Subsequently, almost all executables on the machine will be infected and capable of infecting other files. For example, if you run ls as root in the /home directory, the resulting subfiles will be infected, potentially leading to the corruption of personal files with our signature.
Non-Binary Infection
As mentioned above, if the virus is executed as root in the /home directory, it will infect non-binary files. In this project, the infection involves placing the virus signature at the top of every file and encrypted the entire file with an AES-256 encryption algorithm.
Packer
Our virus implements a packing algorithm called lzss. This algorithm is designed to minimize the size of the virus within the targeted ELF. The code will be unpacked during runtime. The algorithm is lossless and relies on the repetition of patterns within the code.
Backdoor
To make our virus even more impactful, we decided to implement a backdoor routine. This routine is executed after decryption and is designed to initiate a malicious process on your machine, which can be highly advantageous for an unauthorized person seeking access or to exploit your machine for financial gain.
The backdoor routine is a reverse shell, the virus will open a port in a separate process and listen for incoming requests on this port. Each request sent to this port will be redirected to a bash process, creating a reverse shell with the same privileges as the executor.
AES Encryption
For enhanced obfuscation of the virus within an ELF, a significant portion of the virus is encrypted using the AES algorithm with a 256-bit key. The code is self-decrypted at runtime by leveraging the Intel Advanced Encryption Standard New Instructions implemented in 2008 on Intel and AMD, ensuring better optimization of this cryptographic algorithm.
This virus has been developed and tested on Debian 6.1.0-18-amd64. On other systems, some undefined behavior may occur or certain features may not work as intended.
makenasmld
$ git clone https://github.com/mathias-mrsn/pestilence.git# Run it in secure environment
$ cd pestilence
$ make
[...]
$ (sudo) ./Pestilence
React
Typescript
Django
Laravel
Facebook
Microsoft
Google
Alibaba
D3
Tencent