Discovered: March 10, 2002
Updated: March 11, 2002 9:27:32 PM
Systems Affected: Linux
Linux.Jac.8759 is a virus that infects ELF executable files. When an infected file is executed, the back door portion of its code runs first.
It attempts to bind to UDP port 3049 and listen for commands. If it cannot bind to port 3049, it tries the next higher port, and keeps moving upward until a bind succeeds. After binding, it accesses /proc/net/ip_fwchains and removes any ipchains rules that might prevent it from communicating on that port. The virus then enters an infinite loop waiting for specially crafted UDP packets. These packets can contain one of five commands:
The first command executes a supplied command using /bin/sh -c. Nothing is sent back, so the attacker does not see the command's output.
The second causes the victim to listen on an attacker-supplied TCP port and hand each connection to /bin/sh. The virus attempts to give the shell root privileges through the setreuid() call; this can only succeed if the infected program is already running with root privileges. It also edits the firewall to remove any ipchains rules that block outside access to that port.
The third command causes the virus to delete the first active firewall rule. Repeated use of this command removes every firewall rule.
The fourth command causes the virus to connect out to an attacker-supplied IP address and TCP port. The connection gives the remote host access to /bin/sh -i, with root privileges if the virus can obtain them.
The fifth command turns the victim into a remote sniffer. The virus connects to an IP address and TCP port supplied by the attacker and begins forwarding portions of the packets it captures. The attacker specifies which interface to monitor, and the virus places that interface into promiscuous mode. The attacker also specifies which layer 4 protocol and which port to monitor, and can set a "filtering" flag. Once the victim completes the TCP connection back to the attacker, the virus sends "SESSION STARTED:". From then on the victim forwards a portion of every packet that matches the specified protocol and has that port as either its source or destination port. When a match is found, the virus checks whether the packet is TCP: if so, it forwards just the data portion of the packet; if not, it forwards everything from the layer 4 header onward. The filter flag controls whether every byte is sent to the attacker or only bytes whose value is less than 128 (7-bit ASCII), which keeps the text of cleartext protocols while discarding binary content.
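The back door's only host-visible footprint before an attacker uses it is a UDP socket bound on port 3049 or, if that port was busy, on the next free port above it. The script below is an added example for hunting that listener and is not code from this writeup or from the virus. It parses the kernel's /proc/net/udp table, flags wildcard-bound sockets on 3049 and the ports just above it, and maps a hit back to its process through /proc/*/fd. The sample table is constructed for the example, and the 64-port search window and the assumption that the virus binds the wildcard address are mine, not details from the writeup.

```python
"""Hunt for the Linux.Jac.8759 back-door listener via /proc/net/udp.

Added example, not code from the writeup or from the virus itself.
"""
import os

# The back door binds UDP 3049 and walks upward (3050, 3051, ...) when the
# port is taken. The writeup gives no upper bound, so the window below is
# an assumption for triage, not a value from the page.
JAC_BASE_PORT = 3049
PORT_WINDOW = 64

# Constructed sample in /proc/net/udp layout, not a real capture. The
# address columns are hex IPv4 (little-endian word) and hex port; port
# 0BEA is 3050, i.e. the virus's fallback when 3049 was already in use.
SAMPLE_PROC_NET_UDP = """\
   sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode ref pointer drops
    0: 0100007F:0035 00000000:0000 07 00000000:00000000 00:00000000 00000000   101        0 18233 2 0000000000000000 0
    1: 00000000:0BEA 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 99110 2 0000000000000000 0
    2: 00000000:0044 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 17020 2 0000000000000000 0
"""


def parse_udp_table(text):
    """Parse /proc/net/udp text into dicts with ip, port, uid and inode."""
    rows = []
    for line in text.splitlines()[1:]:          # skip the header line
        fields = line.split()
        if len(fields) < 10:
            continue
        ip_hex, port_hex = fields[1].split(":")
        # The kernel prints the IPv4 address as a little-endian 32-bit word,
        # so the dotted form is the bytes read from the right.
        ip = ".".join(str(int(ip_hex[i:i + 2], 16)) for i in (6, 4, 2, 0))
        rows.append({"ip": ip, "port": int(port_hex, 16),
                     "uid": int(fields[7]), "inode": int(fields[9])})
    return rows


def suspicious_listeners(rows, base=JAC_BASE_PORT, window=PORT_WINDOW):
    """Sockets bound to the wildcard address on base..base+window.

    Assumes the virus binds 0.0.0.0; the writeup does not state the address.
    """
    return [r for r in rows
            if r["ip"] == "0.0.0.0" and base <= r["port"] <= base + window]


def pid_for_socket_inode(inode, proc="/proc"):
    """Map a socket inode to the owning pid by scanning /proc/*/fd symlinks."""
    target = "socket:[%d]" % inode
    try:
        pids = [p for p in os.listdir(proc) if p.isdigit()]
    except OSError:
        return None
    for pid in pids:
        fd_dir = os.path.join(proc, pid, "fd")
        try:
            for fd in os.listdir(fd_dir):
                if os.readlink(os.path.join(fd_dir, fd)) == target:
                    return int(pid)
        except OSError:            # process exited, or no permission
            continue
    return None


def hunt(text=None):
    """Return suspicious listeners from `text`, or from the live /proc table."""
    if text is None:
        with open("/proc/net/udp") as fh:
            text = fh.read()
    hits = suspicious_listeners(parse_udp_table(text))
    for h in hits:
        h["pid"] = pid_for_socket_inode(h["inode"])
    return hits


if __name__ == "__main__":
    # Run against the constructed sample; call hunt() with no argument on a
    # live host (as root, so /proc/*/fd of other users' processes is readable).
    for h in hunt(SAMPLE_PROC_NET_UDP):
        print("UDP %s:%d uid=%d inode=%d pid=%s"
              % (h["ip"], h["port"], h["uid"], h["inode"], h["pid"]))
```

On a live host the pid lookup needs root to read other users' /proc/*/fd entries. A hit is only a lead: confirm it by checking the owning binary for the infection rather than by port alone, since any unrelated service on 3049 or a neighbouring port produces the same signal.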
Next, the infection routine is executed. It infects up to 201 ELF files in the directory from which the infected file was executed. If the file was executed as root, it additionally infects up to 201 more ELF files in the /bin directory. Before infecting, the virus checks the system uptime by reading /proc/uptime and taking the first value. If this value is greater than 299 (seconds), the virus proceeds with its infection routine; otherwise it exits. This ensures that if the virus is executed during the boot process, it does not attempt to infect before all drives are mounted. Only files writable by the user running the infected program are infected.
The virus does not infect any file whose name ends in "ps". Whether this was intentional on the author's part or the result of an error in the code is not clear.
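When scoping a cleanup it helps to know which files an infected binary could have touched from a given directory. The script below is an added example for that purpose, not code from the writeup or from the virus: it reproduces only the target-selection rules described above (the /proc/uptime gate, ELF files only, writable by the current user, names not ending in "ps", at most 201 per directory) and modifies nothing. The fixture directory it builds is constructed for the example, and the sorted traversal order is an assumption, since the writeup does not say in what order the virus walks a directory.

```python
"""Scope the files Linux.Jac.8759 could have targeted from a directory.

Added example for incident response, not code from the writeup or the
virus. It applies the target-selection rules only and writes nothing to
the files it inspects.
"""
import os
import tempfile

ELF_MAGIC = b"\x7fELF"
MAX_PER_DIR = 201        # per-directory infection cap from the writeup
UPTIME_GATE = 299        # seconds; the virus infects only if uptime > 299


def uptime_allows_infection(proc_uptime_text):
    """Apply the /proc/uptime gate: the first field must exceed UPTIME_GATE."""
    first_field = proc_uptime_text.split()[0]
    return float(first_field) > UPTIME_GATE


def is_elf(path):
    """True if the file starts with the ELF magic bytes."""
    try:
        with open(path, "rb") as fh:
            return fh.read(4) == ELF_MAGIC
    except OSError:
        return False


def infection_candidates(directory, limit=MAX_PER_DIR):
    """Files in `directory` the virus would consider, in sorted name order.

    Rules from the writeup: regular ELF files, writable by the current user,
    name not ending in "ps", at most `limit` of them. Sorted order is an
    assumption; the virus's own traversal order is not documented.
    """
    chosen = []
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if name.endswith("ps"):              # the "ps" name exclusion
            continue
        if not os.path.isfile(path):
            continue
        if not os.access(path, os.W_OK):     # must be writable by this user
            continue
        if not is_elf(path):
            continue
        chosen.append(name)
        if len(chosen) >= limit:             # per-directory cap
            break
    return chosen


def build_fixture():
    """Create a constructed directory of fake binaries and return its path."""
    d = tempfile.mkdtemp(prefix="jac-scope-")
    # A fake 16-byte e_ident is enough for the magic check; not a real ELF.
    header = ELF_MAGIC + b"\x01\x01\x01" + b"\x00" * 9
    for i in range(250):                     # more than the 201 cap
        with open(os.path.join(d, "bin%03d" % i), "wb") as fh:
            fh.write(header)
    for name in ("ps", "maps"):              # ELF, but names end in "ps"
        with open(os.path.join(d, name), "wb") as fh:
            fh.write(header)
    with open(os.path.join(d, "notes.txt"), "w") as fh:   # not an ELF file
        fh.write("not a binary\n")
    return d


def demo():
    """Run the selection rules over the constructed fixture."""
    return infection_candidates(build_fixture())


if __name__ == "__main__":
    print("uptime gate passed:", uptime_allows_infection("1234.56 2345.67"))
    names = demo()
    print(len(names), "candidate files, first three:", names[:3])
```

Run it as the same user the infected program ran as, since the writable check depends on that identity; root sees every file as writable, which matches the writeup's note that a root-run infection also reaches /bin. The cap means a directory with more than 201 eligible binaries is only partly covered, so the 201 returned here are the upper bound for one execution, not a guarantee that the rest are clean after repeated runs.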
Finally, the virus will return control to the host executable.
Writeup By: Neal Hindocha