
The SIILOV Virus is a Linux x86 parasitic ELF virus. It is arguably the most complete Unix virus seen before the year 2000. It infects files via two distinct methods. The first, never seen before, uses residency for the life of the process running the virus: it modifies the Procedure Linkage Table (PLT) of the running executable to redirect 'execve' calls, which are then used to infect the new executables invoked through that library call. If the superuser runs the virus, then /sbin/init becomes infected, which effectively infects the entire system, as every process is a descendant of init. Likewise, if any system shells become infected, much damage can be caused, but the shells are not specifically targeted. The other method is standard direct infection, which tries to infect executables in the current directory.

The actual method of ELF infection is again new to the Unix virus arena. Data infection is used, which has the decisive advantage that the parasitic virus can be of any length; recall that the VIT Virus was limited to a maximum of 4096 bytes, and to much less to be effective. This virus is strip safe because a new section (.data1) is added; it appears after the dynamic section, which makes it rather suspicious. The presence of a .data1 section is also how the virus determines whether an executable has already been infected. The .bss section changes as well: its size becomes zero, and instead a pseudo bss section is filled in after the end of the original data segment (followed by the virus code). The entry point of an infected program does not actually change when it becomes infected. Instead, the code at the entry point is changed so that it jumps to the end of the data segment (the location of the main virus code). The virus code is then responsible for restoring the original code and jumping back once it has finished its work.
Although not apparent from the end point of view, the SIILOV Virus starts a new breed of virus development. It can be compiled straight out of the box and run as a complete virus. It is developed in 95% portable C code and 5% platform-dependent code (assembler). It infects hosts by extracting the virus directly from the process's memory image, rather than seeking to the virus in the infected binary (as the VIT Virus does).
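The on-disk markers described above (a .data1 section, that section sitting after .dynamic, and a .bss whose size is zero) are what a triage tool would look for. The scanner below is an added example, not SIILOV's or anyone else's code; it parses ELF32/ELF64 section headers and reports those markers, and the sample images it checks are constructed inline by a builder that emits only an ELF header, a string table and section headers (no code at all).

```python
"""Added example (not SIILOV's code): flag the on-disk markers this page
attributes to an infected binary: a .data1 section, that section placed after
.dynamic, and a .bss whose size is zero. Sample images are constructed inline
by a builder that emits only a header plus section-header table, no code."""
import struct

# struct formats for ELF32 and ELF64; e_ident[EI_CLASS] (data[4]) selects one
EHDR = {1: "<16sHHIIIIIHHHHHH", 2: "<16sHHIQQQIHHHHHH"}
SHDR = {1: "<10I", 2: "<IIQQQQIIQQ"}

def section_table(data):
    """Return [(name, size)] in section-header order for an ELF32/ELF64 image."""
    if data[:4] != b"\x7fELF" or data[4] not in EHDR:
        raise ValueError("not an ELF32/ELF64 image")
    hdr = struct.unpack_from(EHDR[data[4]], data, 0)
    shoff, shentsize, shnum, shstrndx = hdr[6], hdr[11], hdr[12], hdr[13]
    raw = [struct.unpack_from(SHDR[data[4]], data, shoff + i * shentsize)
           for i in range(shnum)]
    str_off = raw[shstrndx][4]                     # sh_offset of .shstrtab
    def name(idx):
        return data[str_off + idx:data.index(b"\0", str_off + idx)].decode()
    return [(name(s[0]), s[5]) for s in raw]       # (sh_name, sh_size)

def siilov_indicators(data):
    """Markers named on the page; a hit merits a closer look, none is proof."""
    table = section_table(data)
    names = [n for n, _ in table]
    found = []
    if ".data1" in names:
        found.append("data1-section")
        if ".dynamic" in names and names.index(".data1") > names.index(".dynamic"):
            found.append("data1-after-dynamic")
    if any(n == ".bss" and size == 0 for n, size in table):
        found.append("empty-bss")
    return found

def build_elf32(sections):
    """Constructed minimal ELF32 image: header, .shstrtab, section headers."""
    names = [""] + [n for n, _ in sections] + [".shstrtab"]
    strtab, offs = b"", {}
    for n in names:
        offs[n], strtab = len(strtab), strtab + n.encode() + b"\0"
    shoff, shnum = 52 + len(strtab), len(names)    # string table follows the header
    ents = [(0,) * 10] + [(offs[n], 1, 0, 0, 0, sz, 0, 0, 1, 0) for n, sz in sections]
    ents.append((offs[".shstrtab"], 3, 0, 0, 52, len(strtab), 0, 0, 1, 0))
    ehdr = struct.pack(EHDR[1], b"\x7fELF\x01\x01\x01" + b"\0" * 9,
                       2, 3, 1, 0, 0, shoff, 0, 52, 0, 0, 40, shnum, shnum - 1)
    return ehdr + strtab + b"".join(struct.pack(SHDR[1], *e) for e in ents)
```

On a real system, feed `siilov_indicators(open(path, "rb").read())` the binaries under /sbin and the shells, and treat any hit as a prompt for a full comparison against a known-good copy rather than as a verdict.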