Jump to content
Tuts 4 You

Dual OS Virus

cyb3rl0rd1867

By cyb3rl0rd1867
in Malware Reverse Engineering

 Share

Recommended Posts

cyb3rl0rd1867

cyb3rl0rd1867

Posted
Posted

I recently heard about w32/simile virus that was dangerous for both linux and windows. More info here. I was curious to know what the header of such a file would look like, since microsoft uses Pe headers and linux uses elf headers. How would it be possible to make it compatible with both?

Link to comment
Share on other sites
Peter Ferrie

Peter Ferrie

Posted
Posted

I recently heard about w32/simile virus that was dangerous for both linux and windows. More info here. I was curious to know what the header of such a file would look like, since microsoft uses Pe headers and linux uses elf headers. How would it be possible to make it compatible with both?

It sounds like you're expecting the virus to exist as a single file on disk which would somehow be executable on both systems. This is not how it works. The virus is simply code in an infected file. There is no external file that is used.

When you introduce an infected file to a system, the virus will search for other files in both formats. Whichever format is found causes the virus to run the appropriate code: if Linux, run Linux infection; if Windows, run Windows infection.

Link to comment
Share on other sites
cyb3rl0rd1867

cyb3rl0rd1867

Posted
  • Author
Posted (edited)

But the external virus file would only be compatible with one OS, correct?

Edited by cyb3rl0rd1867
Link to comment
Share on other sites
Peter Ferrie

Peter Ferrie

Posted
Posted

But the external virus file would only be compatible with one OS, correct?

The infected file is compatible with only one OS, but the virus code inside it can search for files in either format.

It works this way:

An infected file for the current OS is executed. The virus code then searches for both Linux and Windows files on that system, and infects them regardless of which OS is active.

If the resulting infected file is for the current OS, then it can execute on that OS.

If the resulting infected file is for the other OS, then it cannot be run until it is copied onto that OS.

There is no single file that can run on both systems.

Link to comment
Share on other sites
Apuromafo

Apuromafo

Posted
Posted (edited)

maybe can be a java code, or batch code ..... but for pdf maybe is a autorun.inf in the usb, and the exe can be any link to dowload in temp o similar..

the other nfo was sayed by peter ferrie :) greetings..

i think thats not run in the other os, only can drop files..

because the text say

smile say Type: Directs action Win32

but peter is 100% in the way because:

Peter Ferrie is a Senior Virus Researcher at Symantec Security Response. He specializes in the

detection and repair of Win32 malware, reverse-engineering file formats, and the development of

engine enhancements for Symantec AntiVirus products.

Peter contributes to Virus Bulletin magazine. He joined the Computer Antivirus Research

Organisation (CARO) in 2001.

Edited by apuromafo
Link to comment
Share on other sites
  • 5 months later...
Dooms_day

Dooms_day

Posted
Posted

A while back there was a client side exploit in the latest version of firefox (3.5.0 i think) that worked well on all OS's, the only thing the attacker needed to do, was have a simple if() on a malicious php page that found the OS through the user agent, and deployed the corresponding shellcodes

Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share
Go to topic listing
×
×
  • Create New...