OSF.8759

From Wikipedia, the free encyclopedia

OSF.8759 is a computer virus that infects ELF binaries on Linux systems.

Design

Each file infected by the virus grows by 8759 bytes: 3979 bytes are the virus itself, and the rest is a backdoor attached at the end of the binary. The backdoor is deliberately not linked to the ELF structure, so that modified versions of it can easily be incorporated later.
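Because the backdoor sits at the end of the file without being linked to the ELF structure, one triage heuristic is to measure how many trailing bytes of a binary are not covered by any ELF header, segment or section. The following is an added example, not code from the original article or from any analysis of the virus; the function names and the sample image are constructed for illustration, and it assumes "not linked" means the bytes lie past everything the headers describe.

```python
import struct

SHT_NOBITS = 8  # .bss-style sections take no space in the file

def elf_overlay_size(data: bytes) -> int:
    """Count trailing bytes that no ELF header, segment or section describes."""
    if data[:4] != b"\x7fELF" or data[4:5] not in (b"\x01", b"\x02") \
            or data[5:6] not in (b"\x01", b"\x02"):
        raise ValueError("not an ELF image")
    is64 = data[4] == 2                      # EI_CLASS: 1 = 32-bit, 2 = 64-bit
    end = "<" if data[5] == 1 else ">"       # EI_DATA: 1 = little-endian
    word = struct.Struct(end + ("Q" if is64 else "I"))
    rd = lambda off: word.unpack_from(data, off)[0]
    try:
        hdr = struct.unpack_from(
            end + ("HHIQQQIHHHHHH" if is64 else "HHIIIIIHHHHHH"), data, 16)
        phoff, shoff = hdr[4], hdr[5]
        ehsize, phentsize, phnum, shentsize, shnum = hdr[7:12]
        # Start with the ELF header and both header tables.
        extent = max(ehsize, phoff + phentsize * phnum, shoff + shentsize * shnum)
        for i in range(phnum):               # segments: p_offset + p_filesz
            ph = phoff + i * phentsize
            p_off, p_filesz = (rd(ph + 8), rd(ph + 32)) if is64 \
                else (rd(ph + 4), rd(ph + 16))
            extent = max(extent, p_off + p_filesz)
        for i in range(shnum):               # sections: sh_offset + sh_size
            sh = shoff + i * shentsize
            if struct.unpack_from(end + "I", data, sh + 4)[0] == SHT_NOBITS:
                continue
            s_off, s_size = (rd(sh + 24), rd(sh + 32)) if is64 \
                else (rd(sh + 16), rd(sh + 20))
            extent = max(extent, s_off + s_size)
    except struct.error as exc:
        raise ValueError("truncated ELF headers") from exc
    return max(0, len(data) - extent)

def sample_elf() -> bytes:
    """Constructed minimal ELF64 image: header plus one PT_LOAD, no sections."""
    ident = b"\x7fELF" + bytes([2, 1, 1]) + bytes(9)
    ehdr = struct.pack("<HHIQQQIHHHHHH", 2, 62, 1, 0x400078, 64, 0, 0, 64, 56, 1, 64, 0, 0)
    phdr = struct.pack("<IIQQQQQQ", 1, 5, 0, 0x400000, 0x400000, 120, 120, 0x1000)
    return ident + ehdr + phdr

if __name__ == "__main__":
    clean = sample_elf()
    # 4096 zero bytes stand in for appended data; the length is arbitrary.
    print(elf_overlay_size(clean), elf_overlay_size(clean + bytes(4096)))
```

A non-zero result is only a lead: self-extracting installers and similar legitimate binaries also carry data past the end of the ELF structures, so compare against a known-good copy of the same file or the package manager's recorded size.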

The virus attempts to infect all the files in the current directory recursively and, if run from a root account, also tries to infect all files in the /bin directory. In any case, no more than 201 files are infected in one run. The virus avoids infecting files under /dev and /proc, as well as all files whose names end in "ps", such as maps.

The backdoor attempts to listen on UDP port 3049 and provides many internal commands to execute files on the target system. Upon execution, the virus tries to modify the firewall rules so that they do not interfere with the backdoor's operation. It also attempts to evade debugging by spawning a debugger itself: if the virus fails to spawn its own debugger, it assumes that the system already has a running debugger and terminates its execution immediately.
