cyb3rl0rd1867, posted February 4, 2010:
I recently heard about the W32/Simile virus that was dangerous for both Linux and Windows. More info here. I was curious to know what the header of such a file would look like, since Microsoft uses PE headers and Linux uses ELF headers. How would it be possible to make it compatible with both?
Peter Ferrie, posted February 4, 2010:
Quoting cyb3rl0rd1867: "I recently heard about the W32/Simile virus that was dangerous for both Linux and Windows. More info here. I was curious to know what the header of such a file would look like, since Microsoft uses PE headers and Linux uses ELF headers. How would it be possible to make it compatible with both?"
It sounds like you're expecting the virus to exist as a single file on disk which would somehow be executable on both systems. This is not how it works. The virus is simply code in an infected file. There is no external file that is used.
When you introduce an infected file to a system, the virus will search for other files in both formats. Whichever format is found causes the virus to run the appropriate code: if Linux, run Linux infection; if Windows, run Windows infection.
cyb3rl0rd1867 (thread author), posted February 4, 2010 (edited February 5, 2010):
But the external virus file would only be compatible with one OS, correct?
Peter Ferrie, posted February 8, 2010:
Quoting cyb3rl0rd1867: "But the external virus file would only be compatible with one OS, correct?"
The infected file is compatible with only one OS, but the virus code inside it can search for files in either format. It works this way:
An infected file for the current OS is executed. The virus code then searches for both Linux and Windows files on that system, and infects them regardless of which OS is active.
If the resulting infected file is for the current OS, then it can execute on that OS.
If the resulting infected file is for the other OS, then it cannot be run until it is copied onto that OS.
There is no single file that can run on both systems.
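The point above is that the infected host is tied to one format while the virus code recognizes both, so any scanner or inventory tool on either OS has to identify PE and ELF images by their headers rather than by file extension or host platform. As an added example that is not from the thread, this Python snippet classifies a file by its header (the ELF magic and e_machine field, or the MZ stub's e_lfanew pointer to the PE signature and Machine field); the sample byte strings are constructed, minimal headers, not real binaries.

```python
import os
import struct

ELF_MAGIC = b"\x7fELF"
MZ_MAGIC = b"MZ"
PE_SIGNATURE = b"PE\0\0"

# Subset of e_machine (ELF) and IMAGE_FILE_HEADER.Machine (PE) values.
ELF_MACHINES = {0x03: "x86", 0x3E: "x86-64", 0x28: "ARM", 0xB7: "AArch64"}
PE_MACHINES = {0x14C: "x86", 0x8664: "x86-64", 0x1C0: "ARM", 0xAA64: "AArch64"}


def identify_executable(data: bytes):
    """Return (format, machine) for a PE or ELF image, or None if neither."""
    if data[:4] == ELF_MAGIC and len(data) >= 20:
        # e_ident[EI_DATA] (offset 5) selects byte order; e_machine sits at offset 18.
        endian = "<" if data[5] == 1 else ">"
        (machine,) = struct.unpack_from(endian + "H", data, 18)
        return ("ELF", ELF_MACHINES.get(machine, hex(machine)))
    if data[:2] == MZ_MAGIC and len(data) >= 0x40:
        # e_lfanew at offset 0x3C gives the file offset of the PE signature.
        (pe_off,) = struct.unpack_from("<I", data, 0x3C)
        if pe_off + 6 <= len(data) and data[pe_off:pe_off + 4] == PE_SIGNATURE:
            (machine,) = struct.unpack_from("<H", data, pe_off + 4)
            return ("PE", PE_MACHINES.get(machine, hex(machine)))
        return ("MZ (DOS stub only)", None)
    return None


def inventory(root: str):
    """Walk a directory tree and count executables by format, whatever the host OS."""
    counts = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            try:
                with open(os.path.join(dirpath, name), "rb") as fh:
                    head = fh.read(4096)  # headers we inspect fit well within this
            except OSError:
                continue
            kind = identify_executable(head)
            if kind is not None:
                counts[kind[0]] = counts.get(kind[0], 0) + 1
    return counts


# Constructed samples: a 20-byte ELF64 LE x86-64 header prefix and a 70-byte
# MZ stub whose e_lfanew points at a PE signature with Machine = 0x14C (x86).
SAMPLE_ELF = ELF_MAGIC + bytes([2, 1, 1]) + b"\0" * 9 + b"\x02\x00" + b"\x3e\x00"
SAMPLE_PE = MZ_MAGIC + b"\0" * 58 + b"\x40\x00\x00\x00" + PE_SIGNATURE + b"\x4c\x01"
```

Running `inventory("/path")` on a real tree gives a per-format count, which is the kind of view a defender wants when deciding which scanners need to cover which formats on a given host.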
Apuromafo, posted February 9, 2010 (edited February 10, 2010):
Maybe it can be Java code, or batch code... but for PDF maybe it is an autorun.inf on the USB, and the exe can be any link to download into temp or similar. The other info was said by Peter Ferrie. Greetings. I think that it does not run on the other OS, it can only drop files, because the text says Simile is "Type: Directs action Win32". But Peter is 100% on the right track, because: Peter Ferrie is a Senior Virus Researcher at Symantec Security Response. He specializes in the detection and repair of Win32 malware, reverse-engineering file formats, and the development of engine enhancements for Symantec AntiVirus products. Peter contributes to Virus Bulletin magazine. He joined the Computer Antivirus Research Organisation (CARO) in 2001.
Dooms_day, posted July 11, 2010:
A while back there was a client-side exploit in the latest version of Firefox (3.5.0, I think) that worked well on all OSes. The only thing the attacker needed to do was have a simple if() on a malicious PHP page that found the OS through the user agent and deployed the corresponding shellcodes.