The virus begins to spread by attaching itself to a "healthy" ELF binary using a variation of Silvio Cesare's technique described here:

• the viral code inserts itself between the code segment and the data segment;
• the viral code is modified to jump to the original entry point afterwards;
• the entry point of the executable is changed to run the viral code;
• some fields of the ELF header are adjusted (the code segment size, for example) and other data are moved to the end of the virus.

Afterwards the virus forks: the parent runs the original code while the child acts maliciously. It spawns a backdoor listening on UDP port 5503 (the RST.b variant uses an EGP raw socket, giving a more hidden communication channel). Special packets enable the backdoor to execute remote commands with the privileges of the process.
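A defender-side triage check for the entry-point change listed above, as an added example that is not part of the original page: it reports whether an ELF file's entry point lies inside a section marked executable, which is where it sits in a normally linked binary. The names `check_entry` and `make_sample` are hypothetical, the sample image is a constructed header-only file, only little-endian ELF is handled, and the result is a heuristic, not a signature for this virus.

```python
import struct

PT_LOAD, PF_X, SHF_EXECINSTR = 1, 1, 4

def check_entry(data):
    """Classify where e_entry points; anything other than 'ok' deserves a closer look."""
    if data[:4] != b"\x7fELF" or data[5] != 1:
        raise ValueError("not a little-endian ELF file")
    is64 = data[4] == 2
    ehdr = struct.unpack_from("<HHIQQQIHHHHHH" if is64 else "<HHIIIIIHHHHHH", data, 16)
    entry, phoff, shoff = ehdr[3], ehdr[4], ehdr[5]
    phentsize, phnum, shentsize, shnum = ehdr[8], ehdr[9], ehdr[10], ehdr[11]

    # 1. The entry point must fall inside an executable PT_LOAD segment.
    in_exec_segment = False
    for i in range(phnum):
        off = phoff + i * phentsize
        if is64:
            p_type, p_flags, _, vaddr, _, filesz = struct.unpack_from("<IIQQQQ", data, off)
        else:
            p_type, _, vaddr, _, filesz, _, p_flags = struct.unpack_from("<IIIIIII", data, off)
        if p_type == PT_LOAD and p_flags & PF_X and vaddr <= entry < vaddr + filesz:
            in_exec_segment = True
    if not in_exec_segment:
        return "entry-not-in-exec-segment"
    if shnum == 0:
        return "no-section-headers"  # stripped section table: inconclusive

    # 2. In a normally linked binary the entry point is inside an executable
    #    section; code placed in the space after the sections is not.
    for i in range(shnum):
        off = shoff + i * shentsize
        _, _, flags, addr, _, size = struct.unpack_from("<IIQQQQ" if is64 else "<IIIIII", data, off)
        if flags & SHF_EXECINSTR and addr <= entry < addr + size:
            return "ok"
    return "entry-outside-exec-sections"

def make_sample(entry):
    """Constructed 64-bit header-only image: one R+X segment, one .text section."""
    ident = b"\x7fELF" + bytes([2, 1, 1]) + bytes(9)
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH", 2, 62, 1, entry, 64, 120, 0, 64, 56, 1, 64, 2, 0)
    phdr = struct.pack("<IIQQQQQQ", PT_LOAD, 5, 0, 0x400000, 0x400000, 0x2000, 0x2000, 0x1000)
    text = struct.pack("<IIQQQQIIQQ", 0, 1, 6, 0x401000, 0x1000, 0x200, 0, 0, 16, 0)
    return ehdr + phdr + bytes(64) + text  # bytes(64) is the null section header

if __name__ == "__main__":
    for e in (0x401000, 0x401F00, 0x500000):
        print(hex(e), check_entry(make_sample(e)))
```

A result of `entry-outside-exec-sections` is a reason to inspect the file further, since packers and hand-crafted binaries can trigger it as well.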