OSF.8759
Encyclopedia
OSF.8759 is a computer virus
that infects ELF
binaries on Linux
systems.
increases the size of infected files by 8759 bytes, 4662 of which are a backdoor attached at the end of the binary. According to Viruslist.com, the backdoor is designed such that it "is not linked to the ELF structure" so that modified versions of it can be easily incorporated later.
The virus attempts to infect all the files in the current directory recursively and if run from a root account, will try to infect all files in the /bin directory. In any case, no more than 201 files are infected in one run. Moreover the virus avoids infecting the files under /dev, /proc and all the files with a suffix ps such as in maps. The backdoor attempts to listen on UDP
port 3049 and provides many internal commands to execute files on the target system. Upon execution, the virus tries to modify the firewall
rules so that they do not interfere with the backdoor's operation. It also attempts to evade debugging by spawning a debugger
itself. If the virus fails to spawn its own debugger, it assumes that the system already has a running debugger and will terminate its execution immediately.
Computer virus
A computer virus is a computer program that can replicate itself and spread from one computer to another. The term "virus" is also commonly but erroneously used to refer to other types of malware, including but not limited to adware and spyware programs that do not have the reproductive ability...
that infects ELF
Executable and Linkable Format
In computing, the Executable and Linkable Format is a common standard file format for executables, object code, shared libraries, and core dumps. First published in the System V Application Binary Interface specification, and later in the Tool Interface Standard, it was quickly accepted among...
binaries on Linux
Linux
Linux is a Unix-like computer operating system assembled under the model of free and open source software development and distribution. The defining component of any Linux system is the Linux kernel, an operating system kernel first released October 5, 1991 by Linus Torvalds...
systems.
Design
The virusVirus
A virus is a small infectious agent that can replicate only inside the living cells of organisms. Viruses infect all types of organisms, from animals and plants to bacteria and archaea...
increases the size of infected files by 8759 bytes, 4662 of which are a backdoor attached at the end of the binary. According to Viruslist.com, the backdoor is designed such that it "is not linked to the ELF structure" so that modified versions of it can be easily incorporated later.
The virus attempts to infect all the files in the current directory recursively and if run from a root account, will try to infect all files in the /bin directory. In any case, no more than 201 files are infected in one run. Moreover the virus avoids infecting the files under /dev, /proc and all the files with a suffix ps such as in maps. The backdoor attempts to listen on UDP
User Datagram Protocol
The User Datagram Protocol is one of the core members of the Internet Protocol Suite, the set of network protocols used for the Internet. With UDP, computer applications can send messages, in this case referred to as datagrams, to other hosts on an Internet Protocol network without requiring...
port 3049 and provides many internal commands to execute files on the target system. Upon execution, the virus tries to modify the firewall
Firewall (computing)
A firewall is a device or set of devices designed to permit or deny network transmissions based upon a set of rules and is frequently used to protect networks from unauthorized access while permitting legitimate communications to pass....
rules so that they do not interfere with the backdoor's operation. It also attempts to evade debugging by spawning a debugger
Debugger
A debugger or debugging tool is a computer program that is used to test and debug other programs . The code to be examined might alternatively be running on an instruction set simulator , a technique that allows great power in its ability to halt when specific conditions are encountered but which...
itself. If the virus fails to spawn its own debugger, it assumes that the system already has a running debugger and will terminate its execution immediately.