┌───────────────────────┐ ▄▄▄▄▄ ▄▄▄▄▄ ▄▄▄▄▄ │ │ █ █ █ █ █ █ │ │ █ █ █ █ █▀▀▀▀ │ │ █ █ █ █ ▄ │ │ ▄▄▄▄▄ │ │ █ █ │ │ █ █ │ │ █▄▄▄█ │ │ ▄ ▄ │ │ █ █ │ │ █ █ │ │ █▄▄▄█ │ │ ▄▄▄▄▄ │ │ █ │ DOING THE NASTY: Linux/Nasty │ █ │ ~ qkumba └───────────────────█ ──┘ I see a virus named "Nasty", and the song that comes to my mind is the one by Janet Jackson. I'm about 30 years too early. NASTY LIMITS The virus begins by opening the current directory, and reading as many entries into memory as will fit into a 1kb buffer on the stack. This might be only a few files if the names are very long. The virus exits if an error occurred, otherwise it accepts the returned value as the number of bytes that were read... NASTY BUGS However, here is the first bug: the virus continues if zero bytes were read. This is interpreted as a buffer of enormous size. The directory parser will then read uninitialised memory freely. The result is either an infinite loop, if a zero is read as the reclen value; or it will crash if a large value is read that causes the pointer to reach outside of the buffer. Of course, the trigger for this bug is a very unlikely scenario, and easy to miss. If the directory was read correctly, then the virus looks for regular file entries. If one is found, then the virus tries to open the file for read and write. Here is the second bug: the buffer pointer is saved on the stack prior to attempting to open the file, but it is not removed from the stack if an error occurs. That leads to an unbalanced stack on exit, which will prevent the host program from being able to access its command-line parameters and environment. The bug would not be visible if the host program is very simple, which is probably why it was not found. If the file can be opened for read and write, then the virus copies the filename to a buffer on the stack, immediately below the buffer that holds the directory entries. Fortunately for the virus author, the maximum length of a filename on Linux filesystems is most commonly 255 characters, so there is no risk of overrunning the 400 bytes large buffer. If the virus can create a memory-map of the file, then the virus parses the file contents. The virus is interested in files that are 64-bit x86 ELF format, and not infected already. The infection marker is the string "TMZ" in the padding field. For each file that is considered for infection, the virus searches the program header table for a loadable segment that is both readable and executable. EXPRESSION OF INTEREST For each program header that is not of interest, the virus adjusts the program header offset in the file in order to make room for the virus. After parsing all of the program header entries, the virus performs the same adjustment to all of the section header entries. If the virus finds a readable and executable program header, then the virus adjusts both the address and size in the entry to make room for the virus code. The assumption is that one, and only one, such segment will be found. This could be considered a bug for three reasons. One bug is that there might not be any executable segments, because the file might contain only data. The second bug is that the segment could also be writable, or have other attributes set. The third bug is that there might be more than one loadable segment, and the last one will be used, despite adjustments being made to the address and size of earlier ones. These changes alter the file permanently, even if the infection process is abandoned later. This complicates any clean-up effort, since the changes cannot be reversed without knowing that the virus has been run against those files. After parsing the section headers, the virus attempts to create a file named ".nty.tmp" in the current directory. If the file creation fails, then the mapped file is leaked. If the file creation succeeds, then the virus moves the location of the program header table and section header table up in memory, to make room for the virus code, and sets the new entrypoint to point to the original location of the program header table, adjusted for the introduced space for the virus code. The virus writes to the temporary file the new ELF header, then the virus code, and then the rest of the original file. If all goes well, then the virus unmaps the original file, and moves the ".nty.tmp" file to replace the original file. STOP. HAMMER TIME After all files in the directory buffer are examined, the virus displays its payload Nasty by TMZ (c) 2021 Nasty, nasty Triple X rated Nasty, nasty Justice, a waste-pit Nasty, nasty Deeper in the dirt Nasty, nasty Making bodies hurt These are lyrics from the song "Nasty" by The Prodigy. Then the virus executes the host original entrypoint code. CONCLUSION Debugging is the process of removing bugs from code. Therefore, programming is the process of adding bugs to code. Naming the virus "nasty" is appropriate on several levels.