Please describe yourself briefly!

I am known by the pseudonym 'cyneox' and I write viruses for Linux.
I'm not a bad person who wants to destroy the work of other people with his
own creations. With my work I try to discover new vulnerabilities and try to get
anti-virus developers to improve the security of every single one of their products.

Originally, I am from Romania. I started to write viruses one year ago for the
single reason that I really wanted to know how a computer virus works. This ideology
of virus writing just fascinated me, and it still fascinates me...

   Why are you using Linux?

Linux, for me, was/is the best alternative to Windows. The principle of open source,
on which the whole project rests, motivated me to learn more about this
operating system, and also to discover new things in this field.

I've been using Linux for about two years. There have, of course, also been negative
experiences, which motivated me even more to get to know that system.
One summer day I finally decided to learn a programming language. In those days I
started to learn the C language, and one of my friends assured me that Linux would
be the best platform where I could use all the possibilities of this programming language.
Furthermore, I was eager to use a new operating system. One month later, SuSE 8.0
was installed on my hard disk.

Nowadays, Windows is used by most people. I did not want to belong to these people,
and wanted to try something different. It can be seen that it was a good decision
and that Linux was perfect for me. The system was/is difficult to understand for
beginners, but the longer I worked with it, the faster I was able to understand
the system of Linux: Linus Torvalds has developed a fascinating system, which is used
in a great number of today's servers and which is a real opponent for Microsoft.

Linux is developing very fast. 3-4 months pass, and we can already see a new
distribution or a new version of another distribution for sale. No doubt it
has become more user-friendly, and the user no longer needs that much computer
knowledge to install the system at all. To future Linux users I can just say one
thing: Have a lot of fun...

   How and when did you start to write viruses?

As I have already mentioned above, C was the very first programming language
I learned. In the beginning I wrote a huge number of programs and I felt
that I had to specialize or concentrate on one special field.

While surfing the internet, I came across the web site of '29a'. In my view, '29a'
is the best virus-writing group of all. The web site was full of viruses and source
codes. Most of them had been written in assembler, but at that time I didn't know
assembler. Therefore I started to search for viruses which had been written in
C, so that I could analyse the code and understand the functions of such a computer virus.

It started to interest me and soon I had written my very first virus for Linux. I
can still remember how much time I had to invest until I understood the
structure and the structures of the ELF format (Executable and Linking Format).
ELF is the format of executable files, libraries etc. In the course of time my
knowledge of ELF increased a lot, which helped me very much to develop new

In July 2004 my first virus written in assembly language was released. Assembler
was a great challenge for me, but soon I was able to understand assembler source
code very well. I began writing assembler programs and since that time I have been
trying to develop new techniques and to write better and better viruses.

   Why do you write computer viruses for Linux, even though Microsoft Windows is much
   more widespread and due to that fact has more users?

I don't want some users to get infected with the binaries or the whole
system to get fucked up. I simply want to find new infection techniques and go
beyond the limits of virus writing.

Linux is an exotic operating system and has a lot of potential. Up to now
I've written only ELF viruses/trojans etc. I wanted to concentrate on the
standard. But perhaps I'll find a new way to infect executables.

All of my viruses are quite harmless and were classified by the AVers as not
being hazardous.

   What are you doing with your finished viruses?

My viruses are released on my website, where the source codes are of the
greatest importance. The source code together with the binary is archived and
uploaded to my server. That's definitely also the reason why my viruses are
already analysed and detected by most common antivirus companies: the binary form
is also offered; however, this has no destructive purpose. The binaries
aren't there for some script kiddies who can download some viruses and execute
them later on.

I just want to share my knowledge with other interested persons by releasing
the source code, and I hope that it will be used for educational purposes only.

   How do your viruses work exactly? Please describe them!

I'll concentrate on one single virus, Linux.Binom, which I wrote some months
ago. As you can see from the name, it comes in two variants, where the
"wished" version of the virus has to be chosen at compile time. This
is achieved with the help of macros, which tell the compiler what and how
the virus has to be compiled. There are macros which are responsible for the
first version, and macros which are responsible for the second version.

Here you can see a small overview of the features of the virus:

         Option                |      FUCK_USER          |     FUCK_SYSTEM
   ----------------------------+-------------------------+------------------------
   Path to infect              | "."                     | "/bin"
   File type                   | ELF                     | ELF
   Required rights             | normal user             | root
   Infection technique         | SPI + abuse of          | SPI + abuse of
                               | _libc_start_main        | shared libraries
   EPO                         | yes (return address     | yes
                               | calculated from         |
                               | relative offsets)       |
   Payload                     | yes (prints a message)  | yes (prints a message)
   Change entry point          | no (changes the call    | no (changes the push
                               | instruction in the      | instruction in the
                               | startup routine)        | startup routine)
   Number of files to infect   | all                     | all
   Invisible                   | yes (forks to the       | yes (forks to the
                               | background)             | background)

Here I will also just write about "FUCK_USER", which is the user mode.
When the virus is compiled with this option, the virus will just concentrate
on programs where it has write access. If the virus also affected
important system directories, there would be the danger that the administrator
would recognise its behaviour, which would mean the death of our virus.

The infection works in several steps:

1) First, all files in the current directory "." are scanned, without regard to
   which file it is. After that, the virus checks for specific criteria:
     a) Is the file an ELF file?
     b) Is the file executable?
        (It must be remembered that even libraries use the ELF format. But
        these files are unimportant for us, so it has to be checked
        whether the file found can be executed.)

     c) Does the user who executed the virus have write access to the specific file?

   If all these criteria are met, the infection routine can be started.

2) To understand the following steps, I have to introduce you to ELF theory,
   explain the structure and illustrate the principle more exactly.

     Inner structure of ELF files
     ELF Header                 :  contains important information about the

     PHT (Program Header Table) :  structure which is responsible for the
                                   executable process

     Segment 1  ------------|     -Code segment: contains executable code
                            |     -Data segment: contains various values
     Segment 2              |---- -NOTE segment: not that important
                            |      .....
     ....       ------------|

     SHT (Section Header Table) : contains important information about
                                  each section

   Next, the virus compares some structures of its ELF header with the target
   file (the file which shall be infected), to ensure that the ELF header of the
   target file is not damaged and does not contain any false information. The
   ELF header looks nearly the same in all executable files.

   The virus uses that fact, and this way it saves quite a lot of time, while
   comparing the information of its own host file (the file which contains the
   virus) with the target file. Using that fact, there are no values which have
   to be defined and saved in the virus and compared afterwards with the ELF
   header of the target file. Everything should be as dynamic as possible, for
   the sake of decreasing the size of the virus to a minimum.

3) The following model should make our infection clearer:

     Program before it is infected
     [ ELF Header ]
     _libc_start_main :                   : The main function of the program.
                                            The offset of this function is the
                                            same in each ELF file.

                        call 0xYYYYYY     : This instruction calls a function.
                                            Usually it is one of the functions
                                            of the shared libraries.

                        ret               : Closes the program.

     [ Program Header Table ]
     [ Segment 1 ]
     [ Segment 2 ]
     [   ....    ]
     [ Section Header Table ]

     Program after it is infected
     [ ELF Header ]                       : Here some changes have happened.

                        call 0xVVVVVV     : Now the offset of the virus will
                                            be called.


     [ Program Header Table ]             : This table has to be patched or
                                            renewed, as some things in the
                                            program's process have been changed.

     [ Segment 1 ]                        : The virus has to be in the code
                                            segment, otherwise it cannot be
                                            executed.

     0xVVVVVV                             : The offset which is called by

     virus_code :
                        pusha             : Pushes the values of all registers
                                            onto the stack.

                        ....              : Further instructions...

                        popa              : Restores the registers with the
                                            original values.

                        jmp 0xYYYYYY      : Calls the offset which has been
                                            changed in the _libc_start_main
                                            function. Now everything works as
                                            if nothing had ever happened.

     [ Segment 2 ]
     [    ....   ]
     [ Section Header Table ]             : This table has to be updated.

 What is quite important to mention is the fact that the size of the code
 segment is limited. For that reason the size of the virus is also limited,
 as it has to be copied into the code segment.

 I hope that my explanation was exact enough. I want to mention one
 important thing again: this is a simple example of how the infection method
 can be done. If anybody wants to know more, feel free to contact me!

  Many Linux users don't know or don't believe that there are even computer
  viruses for this operating system, and as a matter of fact they don't protect themselves.
  Do you protect yourself? If yes, how?

 To be honest: No, I don't protect myself at all. I have not installed any
 antivirus program on my hard disk. It has already happened a few times
 that I've infected myself with my own viruses. Linux.Binom caused so
 much damage that I had to reinstall my system. However, an old proverb
 says: "Shit happens!"

 But on the other side I take much care about what I download and from where,
 as you can never know what hides behind a harmless tool. I think now I will
 install an antivirus program immediately.

   What advice would you give to a Linux user to protect his system
   as well as possible?

 Good question. He should always be distrustful of executable files,
 and he should always run an updated antivirus program.

 You should NEVER, really NEVER, and I repeat it once again:
 really NEVER execute unknown files as root. After that you
 can only pray that the file came from a guy like 'cyneox'... :)

 Outro

     "The most important design issue is that Linux is supposed
      to be fun."
                                    By Linus Torvalds

     "Change your thought and the world around you changes."
                                    By Cyneox