Oligomorphism: How to encrypt our virus and evade signature-based detection

Introduction
Until not so long ago, antivirus software relied mostly on signatures to detect malware. What that means is that whenever a file is written to disk, downloaded or launched, the antivirus checks whether it is a known piece of malware. To do so, it does two things. The first is hashing the sample and checking whether that hash is present in the database of known malware. But some types of malware are “naturally immune” to this kind of analysis.
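A short added illustration of the two-step check just described and of why re-encrypting the body with a fresh key each generation defeats the hash lookup. This is example code written for this page, not code from the original posts: the payload bytes, the one-byte XOR “cipher”, the two-byte decryptor stub layout and the signature database are all constructed for the demonstration.

```python
"""Hash-based signature matching against an oligomorphic sample (added example).

Everything below is constructed for illustration: the payload, the stub layout,
the XOR cipher and the 'antivirus' hash database are not taken from the posts.
"""
import hashlib

# Constructed stand-in for the virus body (assumed: a few repeated x86-64 bytes).
PAYLOAD = b"\x48\x31\xc0\x48\xff\xc0\xc3" * 8


def sha256(data: bytes) -> str:
    """Whole-file hash, the first check a signature-based scanner performs."""
    return hashlib.sha256(data).hexdigest()


def xor_encrypt(data: bytes, key: int) -> bytes:
    """Single-byte XOR: the kind of trivial, key-varied cipher an oligomorphic
    engine uses. XOR is its own inverse, so the same call decrypts."""
    return bytes(b ^ key for b in data)


def build_generation(payload: bytes, key: int) -> bytes:
    """Emit one generation: a made-up two-byte stub (marker byte, key) followed by
    the encrypted body. The stub layout is an assumption for this demo."""
    return bytes([0xEB, key]) + xor_encrypt(payload, key)


def extract_payload(sample: bytes) -> bytes:
    """Simulate what the stub does at run time: read its key and decrypt the body."""
    key = sample[1]
    return xor_encrypt(sample[2:], key)


def hash_signature_match(sample: bytes, db: set[str]) -> bool:
    """Is this exact file already known to the scanner?"""
    return sha256(sample) in db


def demo(keys=(0x11, 0x5A, 0xC3)):
    """Build three generations with different (non-zero) keys, put only the first
    one's hash in the scanner database, and see which generations it catches."""
    gens = [build_generation(PAYLOAD, k) for k in keys]
    db = {sha256(gens[0])}  # the scanner has only seen the first generation
    hits = [hash_signature_match(g, db) for g in gens]
    # Every generation still decrypts to the identical body...
    same_payload = all(extract_payload(g) == PAYLOAD for g in gens)
    # ...yet every generation has a distinct whole-file hash.
    distinct_hashes = len({sha256(g) for g in gens})
    return hits, same_payload, distinct_hashes


if __name__ == "__main__":
    hits, same, distinct = demo()
    print("detected per generation:", hits)       # [True, False, False]
    print("identical decrypted body:", same)       # True
    print("distinct file hashes:", distinct)       # 3
```

The hash check only ever catches the generation it has already seen; a scanner that wants to catch the others has to look past the whole-file hash at the small set of decryptor stubs or at the decrypted body, which is where the rest of the post picks up.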

Obfuscation: The Art of pissing off reverse-engineers

Introduction
To keep things simple, in cybersecurity operations there are two teams: the blue team and the red team, the defenders and the attackers. Even though they look completely different, each one’s goal is to make the other team’s job as hard as possible and eventually to defeat it. To do that, blue-teamers often use reverse engineering to understand how a piece of malware works and how to mitigate its effects.

The payload: How to set up a simple backdoor on a computer

Introduction
Now that we have made a stealthy infector that is able to infect any ELF binary present on our system, we have to make it useful. Being able to propagate is a good thing, but we want to get something out of it. A backdoor allowing remote access to the infected machine would be a good idea. How do we do that? It is actually quite simple. Here we won’t really worry about stealth, but I might write an article about it at some point.

Advanced infectors: How to make our infector stealthy and hard to detect

Introduction
In our last post, we saw how to make a simple virus that propagates inside 64-bit ELF files, but we saw at the end that the way we did it was not really stealthy, and the whole point of malware is to stay hidden so that it is not spotted and removed. To remedy that, we will now use a new technique that won’t raise any suspicion when the infected binary is inspected with the readelf command.

Infectors: How to make a simple self-replicating program on Linux

Introduction
In this post, we will learn how to write a simple ELF infector on Linux. This infector will spread and self-replicate inside the other binaries that it finds. It will get executed when infected binaries are launched, so that it can spread even further. The payload will be harmless: just a signature attesting that the binary has been infected. This infector will be very basic and not disguised at all; any reverse engineer could see that a file has been infected by running a simple readelf command (we will get into that later).