Kaal Bhairav is a terribly fearful form of lord shiva (The Destroyer within the trimurti). Considering the analogy, the application code was started on exploring the darker side of system programming on linux platform and ended up into an elf-infector. The virus code parses the linux filesystem and stealthily infects every system utility/program that falls through its sight with a parasite code (not a good news for host system)
Kaal Bhairav is based on technique similar to Silvio Cesare's segment padding trojan and infects both EXECUTABLE(ET_EXEC) and SHARED OBJECT(ET_DYN) binaries on Linux file system. There are few other infectors using entry point modification technique to infect binaries but they can no longer be used to stealthily infect binaries on modern linux distributions where almost all system utilities(bash, cp, ls to name a few) are compiled as shared objects (which uses offsets rather of absolute addresses).
Since this is the my first implementation to an ELF virus, the infector might be a bit buggy ;)
NOTE - If you have trouble understanding the virus theory or want to fill in some prerequisite required in understanding the source code you can refer to the article series on Malware Engineering.
This project is aimed at exploring the darker side of system programming and developing a offensive approach towards systems and machines which may result into a better understanding and approach towards analysing and mitigating threat (albeit this is nowhere near to modern threat which leverages a lot more sophisticated and more reliable techniques of spreading infection, maintaining persistence, avoiding detection etc by obfuscation, encryption, polymorphism and what not). Therefore, it doesn't promote destruction (in any context) rather only learning is promoted.
Patch the e_shoff ( Section Header Table offset in ELF header) (increase by a PAGE_SIZE)
Load Parasite into memory and -
Find CODE Segment and increase the bellow by a PAGE_SIZE -
For all segments bellow CODE segment in Program Header Table, increase the bellow by a PAGE_SIZE
Find the last section in CODE Segment and increase the bellow by a PAGE_SIZE -
For all section headers after the last section of CODE Segment, increase by a PAGE_SIZE -
Physically insert the parasite code at CODE segment's end & pad to the PAGE_SIZE -
Patch ELF Header's e_entry with parasite_address
Load parasite from file into memory
Find padding size between CODE segment and the NEXT segment after CODE segment. Increase its -
Patch host entry point.
Patch Section Header Table (SHT) : Find the last section in CODE Segment and increase -
Patch parasite offset. Find and replace parasite jmp-on-exit address with host entry point.
Inject Parasite @ host mapping
First clone the repository and move into the directory -
Next, Build the binaries. I've made a testing environment (infected_army directory), albeit the whole File System is a playground.
Finally running the binary with a <infection_directory_pathname> as parameter.
... Let's have a look @ infected binaries, I choose to run bash ! The parasite code doesn't itself intend any kind malicious behaviour (just throws up a code with signature to all the binaries it infects as a proof of arbitrary code being executed before the intended behaviour of our beloved host binary) but noone can stop anyone from modifying the poison pill and achieve different kind of malicious behaviour which is relatively trivial (imagination is the only limit of Arbitrary Code Execution).
NOTE - You wouldn't want to run the binary with root priveleges because any path you provide outside of your home directory may lead to corruption such that the system may end up being in an unstable state or may become entirely unsable. Also, righ now its not implemented to stop itself from corrupting its own directory so be careful with the path you provide as argument because if the path you provide is a parent or an ancestor just above Kaal bhairav, it may corrupt its own directory too !
Here are references to some of the resources I came accross and found out to be really helpful while writing the infection -
NAME : Abhinav Thakur (Mahakaal)
EMAIL : [email protected]