| Field | Value |
|---|---|
| Place of Origin | Germany |
| Infection Length | 4,096 bytes |
Binom, also known as Nibom, is a Linux virus from 2004. It is quite similar to Rike, which had appeared the previous year, and also shares similarities with Alqaeda. The virus is reportedly able to infect some ELF binaries under Mac OS X as well. It was written by Cyneox of the group DCA in Germany, and the family has about four variants.
When a file infected with Binom is executed, it infects files in the current working directory. Due to bugs in the virus code, infected files no longer run and instead produce an error message.
Inside the virus body, the following text strings can be found: "ELF file detected… " and "[[ Cyneox/DCA (C) Copyright 2004 ]]!".
Binom has at least three variants in addition to the original.
One 11,315-byte variant attempts to spawn a child process. If that fails, it displays the message "« ..You've been binomitized!..» by cyneox. »" and terminates. The child process retrieves the user ID and group ID of the running malware process and uses them to determine whether it has the right to modify host files: it can only infect as root, and it only targets files in the /bin directory.
It first checks for the ELF marker to verify that the candidate is an ELF file, then checks whether there are 0x1000 (4,096 in decimal) bytes of empty space between code segments. If either check fails, it moves on to the next potential file.
It does not modify the entry point. As an entry-point-obscuring (EPO) virus, it instead patches the first call instruction so that its code is still executed.
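As an added illustration of the two host checks described above (example code written for this page, not Binom's code and not any vendor's detection signature), the following Python parses an ELF program header table, measures the padding between consecutive PT_LOAD segments, and searches the file for the text strings reported earlier. The gap measurement only tells you whether a file has the 0x1000-byte padding such an infector needs, and many legitimate page-aligned binaries have exactly that, so it is a triage filter rather than evidence of infection; the strings are the actual indicator. `build_sample_elf64` is an assumed helper that builds a constructed, non-executable sample so the script runs offline; `triage` and `scan_directory` are likewise names chosen for this example.

```python
import os
import struct
from dataclasses import dataclass

ELF_MAGIC = b"\x7fELF"
PT_LOAD = 1
# Text strings the page reports inside the virus body.
BINOM_STRINGS = [b"ELF file detected", b"[[ Cyneox/DCA (C) Copyright 2004 ]]!"]


@dataclass
class Segment:
    offset: int   # file offset of the segment's bytes (p_offset)
    filesz: int   # number of bytes the segment occupies in the file (p_filesz)


def parse_load_segments(data: bytes) -> list[Segment]:
    """Return the PT_LOAD segments of an ELF32/ELF64 image, either endianness."""
    if data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    ei_class, ei_data = data[4], data[5]
    end = {1: "<", 2: ">"}.get(ei_data)
    if end is None:
        raise ValueError("unknown ELF data encoding")
    if ei_class == 2:      # ELF64: e_phoff at 0x20, e_phentsize/e_phnum at 0x36
        (e_phoff,) = struct.unpack_from(end + "Q", data, 0x20)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 0x36)
        fmt, off_idx, filesz_idx = end + "IIQQQQQQ", 2, 5
    elif ei_class == 1:    # ELF32: e_phoff at 0x1C, e_phentsize/e_phnum at 0x2A
        (e_phoff,) = struct.unpack_from(end + "I", data, 0x1C)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 0x2A)
        fmt, off_idx, filesz_idx = end + "IIIIIIII", 1, 4
    else:
        raise ValueError("unknown ELF class")
    if struct.calcsize(fmt) > e_phentsize:
        raise ValueError("program header entries too small")
    segs = []
    for i in range(e_phnum):
        fields = struct.unpack_from(fmt, data, e_phoff + i * e_phentsize)
        if fields[0] == PT_LOAD:
            segs.append(Segment(fields[off_idx], fields[filesz_idx]))
    return segs


def segment_gaps(segments: list[Segment]) -> list[int]:
    """Bytes of file space between the end of one PT_LOAD and the start of the next."""
    segs = sorted(segments, key=lambda s: s.offset)
    return [nxt.offset - (cur.offset + cur.filesz) for cur, nxt in zip(segs, segs[1:])]


def triage(data: bytes) -> dict:
    """Report padding eligibility (filter) and indicator strings (evidence)."""
    segs = parse_load_segments(data)
    gaps = segment_gaps(segs)
    return {
        "load_segments": len(segs),
        "gaps": gaps,
        "padding_fits_binom": any(g >= 0x1000 for g in gaps),   # eligibility only
        "indicator_strings": [s for s in BINOM_STRINGS if s in data],
    }


def scan_directory(path: str) -> list[tuple[str, dict]]:
    """Triage every regular ELF file in `path` (e.g. the /bin directory the page names)."""
    hits = []
    for entry in os.scandir(path):
        if not entry.is_file(follow_symlinks=False):
            continue
        with open(entry.path, "rb") as fh:
            data = fh.read()
        if data[:4] == ELF_MAGIC:
            try:
                hits.append((entry.path, triage(data)))
            except (ValueError, struct.error):
                pass   # malformed headers are worth a look too, but not this example's job
    return hits


def build_sample_elf64(gap: int, payload: bytes = b"") -> bytes:
    """Constructed sample: minimal little-endian ELF64 with two PT_LOAD segments
    separated by `gap` bytes of zero padding; `payload` is written into that gap.
    Not a runnable program, only enough header structure for the parser above."""
    assert len(payload) <= gap, "payload must fit in the padding"
    ehsize, phentsize, phnum = 0x40, 0x38, 2
    seg1_off, seg1_size = 0, 0x200
    seg2_off, seg2_size = seg1_off + seg1_size + gap, 0x100
    ident = ELF_MAGIC + bytes([2, 1, 1, 0]) + b"\0" * 8          # 64-bit, LE, v1, SYSV
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH", 2, 0x3E, 1, 0x400000,
                               ehsize, 0, 0, ehsize, phentsize, phnum, 0, 0, 0)
    phdrs = b"".join(
        struct.pack("<IIQQQQQQ", PT_LOAD, 5, off, 0x400000 + off, 0x400000 + off,
                    size, size, 0x1000)
        for off, size in ((seg1_off, seg1_size), (seg2_off, seg2_size))
    )
    image = bytearray(seg2_off + seg2_size)
    image[:len(ehdr)] = ehdr
    image[ehsize:ehsize + len(phdrs)] = phdrs
    if payload:
        image[seg1_size:seg1_size + len(payload)] = payload
    return bytes(image)


if __name__ == "__main__":
    print(triage(build_sample_elf64(0x1000, BINOM_STRINGS[1])))
```

Two caveats follow from the page itself. Because this family leaves the entry point untouched and patches a call instruction instead, an "entry point outside .text" heuristic will not flag it, which is why the string search carries the weight here. And because the variant only infects as root and only touches /bin, ordinary least-privilege hygiene (not executing untrusted binaries with root rights) confines what it can reach.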