The VIT virus is a Linux x86 parasitic ELF infector. It was developed in October 1998 by the author, Silvio Cesare, and is heavily documented in the accompanying article UNIX ELF VIRUS AND PARASITES. ELF infection is carried out by inserting code into the text segment padding of the executable. To do this, the virus code is inserted into the executable at the end of the text segment (making sure that the space between the text and data segments is greater than the size of the virus, which happens to be 2250 bytes). The program and section headers are then modified to reflect the changes in the file's structure. The entry point of the executable changes to point into the new code, and the virus transfers control back to the original host entry point (which is stored at byte offset 2221). The .rodata section in the executable is extended to include the virus code so that the virus remains strip safe. The actual size of the executable increases by 4096 bytes, not 2250 bytes. This is because p_offset and p_vaddr must be congruent modulo the page size (4096 bytes). During replication, the virus is extracted by seeking to the virus's file offset in the infected host and copying the 2250 bytes into memory, then using this copy for infection. The actual method of replication is simple: executables in the current directory are randomly selected and attempts at infection are followed through.
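
The header changes described above leave a trace a scanner can check: the entry point of an ordinary linked executable lies in an executable section, whereas here it lands in the extended .rodata. The following is an added detection example, not code from the original article or from the virus; the function names and the header-only sample image are constructed for illustration. It assumes a little-endian ELF32 file whose .rodata section keeps its usual flags (SHF_ALLOC without SHF_EXECINSTR).

```python
import struct

EHDR = struct.Struct("<16sHHIIIIIHHHHHH")  # Elf32_Ehdr, little-endian (52 bytes)
SHDR = struct.Struct("<10I")               # Elf32_Shdr (40 bytes)
SHF_ALLOC, SHF_EXECINSTR = 0x2, 0x4

def entry_section_flags(image):
    """Return sh_flags of the allocated section containing e_entry, or None."""
    f = EHDR.unpack_from(image, 0)
    ident = f[0]
    if ident[:4] != b"\x7fELF" or ident[4] != 1 or ident[5] != 1:
        raise ValueError("not a little-endian ELF32 file")
    e_entry, e_shoff, e_shentsize, e_shnum = f[4], f[6], f[11], f[12]
    for i in range(e_shnum):
        sh = SHDR.unpack_from(image, e_shoff + i * e_shentsize)
        flags, addr, size = sh[2], sh[3], sh[5]
        if flags & SHF_ALLOC and addr <= e_entry < addr + size:
            return flags
    return None

def entry_is_suspicious(image):
    """True when the entry point is outside every executable section."""
    flags = entry_section_flags(image)
    return flags is None or not flags & SHF_EXECINSTR

def build_sample(entry):
    """Constructed header-only ELF32 image: null, .text-like, .rodata-like sections."""
    ident = b"\x7fELF\x01\x01\x01" + bytes(9)
    ehdr = EHDR.pack(ident, 2, 3, 1, entry, 0, EHDR.size, 0,
                     EHDR.size, 32, 0, SHDR.size, 3, 0)
    sections = [
        (0, 0, 0, 0, 0, 0, 0, 0, 0, 0),                                        # null
        (0, 1, SHF_ALLOC | SHF_EXECINSTR, 0x08048100, 0x100, 0x100, 0, 0, 16, 0),  # code
        (0, 1, SHF_ALLOC, 0x08048200, 0x200, 0x900, 0, 0, 4, 0),               # read-only data
    ]
    return ehdr + b"".join(SHDR.pack(*s) for s in sections)

if __name__ == "__main__":
    for entry in (0x08048100, 0x08048A00):
        print(hex(entry), "suspicious:", entry_is_suspicious(build_sample(entry)))
```

A binary with its section headers removed returns None from `entry_section_flags` and is also flagged, so a result from this check is a reason to inspect the file, not proof of infection.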