Challenge 5: Simple File Infector

Introduction


A virus is a program that reproduces its own code by attaching itself to other executable files in such a way that the virus code is executed when the infected executable file is executed. Although thousands of viruses exist today, only a fraction of them are really a serious threat at any given time. Nevertheless, there exists enough malware that causes significant damages to unsuspecting users and careless administrators. Hence, the virus threat has to be taken seriously by any security specialist. The aim of this challenge is to give students some practical insight into the techniques that viruses use to infect other programs to propagate and survive.

Detailed Description


Your task is to write a simple Linux virus that infects one Linux ELF executable at a time in the directory that it is started in (and only in this directory). Your virus may be coded in any language that is available on the lab computers (e.g., scripting languages, C, etc.). Your virus may also make use of temporary files to achieve its purpose. However, if you use temporary files, then make sure that you clean up after your program (and be sure to only use the /tmp directory for these temporary files).

The "payload" of your virus is a simple message: That is, every time an infected application is started, it must print the string Hello! I am a simple virus! followed by a newline character to <stdout>. The message can be printed before or after the infected program performs its normal task. For example, suppose that your simple virus has infected the executable /bin/echo. After the infection, when echo is invoked as:

  echo test

it should display:

  test
  Hello! I am a simple virus!

or...

  Hello! I am a simple virus!
  test

Needless to say, the original functionality of the host application (the program that got infected) should not change. Also, all command-line arguments should work. However, for the sake of simplicity, you can ignore environment variables (we will not test this). Note that if an ELF file is write protected, your virus should not crash or display weird messages, instead it should attempt to infect the next file in the current directory. When there are no clean (uninfected) ELF executables left in the current directory, then the virus will not spread any further. Note that your virus should only infect ELF executables and not executable scripts or data files. Furthermore, files that have already been infected must not be infected again (and this includes your virus dropper, see below).

To launch the virus, it must be embedded in a "bootstrap" application (a virus dropper) that is written in C and called virus.c. Once compiled and started, the virus dropper program must infect the first Linux ELF executable that it finds in the current directory. Then, when this newly infected file is executed, your virus code is supposed to run. This means that another file is infected (if possible), and the message string is printed.

Please note that whatever virus you decide to write, it must work in our lab environment. Test your virus on the lab machines and make sure that it works there before you submit it to us. Here is the Makefile that we will use to compile your application.

Hints


  • There are many techniques for writing viruses. We give you the flexibility to solve this challenge as you like.
  • Probably the simplest way of writing a trivial "virus" is to concatenate two executables together. For example, look at the following commands:
      user@host:~> cat /bin/echo /bin/date > file
      user@host:~> chmod u+x file
      user@host:~> ./file test
      test
    What happened? The command date was appended to the end of the command echo, and echo still works as before. You can see that this is a simple mechanism one could use to write a trivial sort of virus. If echo had been the virus program, then, knowing its own size, it could have extracted the date command and executed it, of course only after infecting another file. There you go, a simple form of file infection.
  • If you decide to use execve(), then make sure that you have read its documentation. In particular, the manual page says "execve() does not return on success", and that may have implications for the output of your virus. Check to see if the output of your virus is really printed to <stdout>, for example, by issuing a command such as:
      ./echo Hello > 1.txt; cat 1.txt
    where echo is the infected file.
  • You can assume that we will compile your code with the same compiler version that you have on bandit.
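An added example from the defender's side, not part of the assignment: the cat /bin/echo /bin/date trick above leaves bytes after everything the ELF headers describe, and this checker reports how many such trailing bytes an ELF64 file carries. The file names are whatever you pass on the command line; it assumes a Linux host with <elf.h> and native-endian ELF64 files (ELF32 is reported as unsupported).

```c
#include <elf.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Trailing bytes that no segment and no section header table accounts for,
 * or -1 if buf is not a usable ELF64 image (assumes native-endian ELF64). */
long elf_overlay_bytes(const unsigned char *buf, size_t len)
{
    Elf64_Ehdr eh;
    if (len < sizeof eh || memcmp(buf, ELFMAG, SELFMAG) || buf[EI_CLASS] != ELFCLASS64)
        return -1;
    memcpy(&eh, buf, sizeof eh);
    unsigned long end = sizeof eh;                      /* highest offset the headers describe */
    if (eh.e_shnum && eh.e_shoff + eh.e_shnum * (unsigned long)eh.e_shentsize > end)
        end = eh.e_shoff + eh.e_shnum * (unsigned long)eh.e_shentsize;
    for (unsigned i = 0; i < eh.e_phnum; i++) {         /* each segment's last file byte */
        Elf64_Phdr ph;
        unsigned long off = eh.e_phoff + i * (unsigned long)eh.e_phentsize;
        if (off + sizeof ph > len) return -1;           /* truncated program header table */
        memcpy(&ph, buf + off, sizeof ph);
        if (ph.p_offset + ph.p_filesz > end) end = ph.p_offset + ph.p_filesz;
    }
    return end > len ? -1 : (long)(len - end);          /* -1: headers claim more than present */
}
/* Reads a whole file into memory and applies the check above. */
long elf_overlay_bytes_file(const char *path)
{
    long r = -1, sz;
    FILE *f = fopen(path, "rb");
    if (!f) return -1;
    if (fseek(f, 0, SEEK_END) == 0 && (sz = ftell(f)) > 0 && fseek(f, 0, SEEK_SET) == 0) {
        unsigned char *buf = malloc((size_t)sz);
        if (buf && fread(buf, 1, (size_t)sz, f) == (size_t)sz)
            r = elf_overlay_bytes(buf, (size_t)sz);
        free(buf);
    }
    fclose(f);
    return r;
}
/* Usage: ./elfcheck FILE...  (e.g. every file in the directory a dropper ran in) */
int main(int argc, char **argv)
{
    for (int i = 1; i < argc; i++) {
        long n = elf_overlay_bytes_file(argv[i]);
        if (n < 0) printf("%s: not a readable ELF64 file\n", argv[i]);
        else printf("%s: %ld trailing byte(s)%s\n", argv[i], n, n ? " (appended data, inspect)" : "");
    }
    return 0;
}
```

A stripped binary or one built with unusual section layout can legitimately report a few trailing bytes, so treat a non-zero count as a reason to inspect, not as proof of infection.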

Deliverables


To submit your challenge solution to us, you need to follow these steps:

  1. Copy your virus.c file to your lab account.
  2. In the directory where your files are located, call /usr/local/bin/submit5.
  3. Read any error or success messages. Then, wait a couple of minutes and read your e-mails on bandit to view the results of the automatic grading program.

Administrative Information and Deadline


This is an individual project. The project is due on Thursday, 19.05.2011, 23:59:59 PST.