Brundle
Type File virus
Creator Konrad Rieck, Konrad Kretschmer
Date Discovered 12-JUL-2001
Place of Origin Germany
Source Language C
Platform Linux
File Type(s) ELF
Infection Length ~1,900 bytes

Brundle, also known as Brundle Fly and Brunfly, is a Linux virus. Described by its authors as "A good-natured Linux ELF virus", it was never released into the wild and has no destructive payload. Brundle takes advantage of the way Linux loads programs into memory page by page (4,096 bytes at a time). Since a program's text segment rarely ends exactly on a page boundary, the remainder of its last page is unused, and the virus places its code there. This strategy limits the virus to the free space in that page, at most 4,096 bytes.

Behavior

When Brundle is executed, it searches the current directory and the two directories above it (../ and ../../) for files. It checks that a file is in fact an ELF file, that it is writable, and that its text segment leaves enough room for the virus. To keep its disk activity low and avoid being noticed, it infects only every third file that meets these criteria and randomly chooses which of the directories it searches, using a random number generator seeded by time(). It does not check whether a host has already been infected, so a file can be infected multiple times.

In order to jump across directories, Brundle checks whether the file it was executed from was invoked by a relative path and, if so, searches a hard-coded path for itself. If it finds the file, it loads itself into memory and begins infection. This technique lets the virus spread far from its current working directory to other parts of the system.

When the virus finds a potential victim, it reads the victim's ELF header and from it determines the positions of the program header table and the section header table. The ELF header and the two tables are read into memory, and the virus looks for a text segment whose size is not an exact multiple of the page size. If it finds such a segment, it begins infecting the file.

The entry point of an ELF file is given by the field e_entry in the ELF header. The virus sets this field to its own entry point, virus_entry, and stores the original value in its own variable host_entry, so that when the virus code has finished it jumps back to the original entry point. In the authors' diagram of the infected layout, "v" marks the area used by the virus, "s" the original entry point, "e" the entry point of the virus and "H" the point at which the virus hands control back to the host.

In addition to the change to e_entry described above, Brundle alters further data in the host's headers. Since the virus is placed inside the text segment, that segment has to grow by the size of the virus both in memory and in the file, which is done by increasing the program header fields p_memsz and p_filesz. Inserting the virus also means that every program header and section header describing data located after the insertion point now has a different offset from the beginning of the file, so the virus adjusts the fields p_offset and sh_offset of those headers accordingly.
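The header fields the three paragraphs above talk about can be seen in a small inspector. The following Python script is an added example for this page, not code from the original article or from Rieck and Kretschmer's virus. It builds a constructed, minimal little-endian ELF32 image (i386, one text and one data PT_LOAD segment, two section headers), parses the ELF header, program header table and section header table with struct, locates the executable segment, computes how much of its last page is unused (the room a text-padding infector needs), and lists which p_offset, sh_offset and e_shoff values lie behind the end of the text and would therefore have to move if code were inserted there. The sample layout, the 1,900-byte virus length, and the function names are assumptions made for the example.

```python
#!/usr/bin/env python3
"""Inspect the ELF32 header fields a text-segment infector such as Brundle
looks at: e_entry, the text PT_LOAD's p_offset/p_filesz/p_memsz, and the
p_offset / sh_offset / e_shoff values that sit behind the insertion point.
The sample image is constructed inline; it is not a real compiled program."""
import struct

PAGE_SIZE = 4096                          # i386 page size the virus assumes
EHDR_FMT = "<16sHHIIIIIHHHHHH"            # Elf32_Ehdr, little-endian, 52 bytes
PHDR_FMT = "<8I"                          # Elf32_Phdr, 32 bytes
SHDR_FMT = "<10I"                         # Elf32_Shdr, 40 bytes
PT_LOAD = 1
PF_X, PF_W, PF_R = 1, 2, 4
ELF32_LE_MAGIC = b"\x7fELF\x01\x01\x01"   # magic, ELFCLASS32, ELFDATA2LSB, EV_CURRENT


def parse_elf32(data):
    """Return the ELF header fields plus the program and section header tables."""
    if not data.startswith(ELF32_LE_MAGIC):
        raise ValueError("not a little-endian ELF32 image")
    (_, e_type, e_machine, _, e_entry, e_phoff, e_shoff, _, _,
     e_phentsize, e_phnum, e_shentsize, e_shnum, _) = struct.unpack_from(EHDR_FMT, data, 0)
    phdrs = [struct.unpack_from(PHDR_FMT, data, e_phoff + i * e_phentsize)
             for i in range(e_phnum)]
    shdrs = [struct.unpack_from(SHDR_FMT, data, e_shoff + i * e_shentsize)
             for i in range(e_shnum)]
    return {"e_type": e_type, "e_machine": e_machine, "e_entry": e_entry,
            "e_phoff": e_phoff, "e_shoff": e_shoff, "phdrs": phdrs, "shdrs": shdrs}


def analyze(data, virus_len=1900):
    """Report what a text-padding infector of virus_len bytes would find."""
    elf = parse_elf32(data)
    # The text segment is the executable PT_LOAD entry.
    text_idx = next(i for i, ph in enumerate(elf["phdrs"])
                    if ph[0] == PT_LOAD and ph[6] & PF_X)
    _, p_offset, p_vaddr, _, p_filesz, p_memsz, _, _ = elf["phdrs"][text_idx]
    text_end = p_offset + p_filesz            # first file byte after the text
    slack = (-text_end) % PAGE_SIZE           # unused remainder of the last page
    # Headers describing data at or behind the insertion point would need their
    # p_offset / sh_offset (and the table position e_shoff) shifted.
    shift_phdrs = [i for i, ph in enumerate(elf["phdrs"]) if ph[1] >= text_end]
    shift_shdrs = [i for i, sh in enumerate(elf["shdrs"]) if sh[4] >= text_end]
    return {
        "text_index": text_idx,
        "text_end": text_end,
        "slack": slack,
        "fits": 0 < virus_len <= slack,       # the "large enough text segment" check
        "entry_in_text": p_vaddr <= elf["e_entry"] < p_vaddr + p_memsz,
        "shift_phdrs": shift_phdrs,
        "shift_shdrs": shift_shdrs,
        "shift_shoff": elf["e_shoff"] >= text_end,
    }


def build_sample():
    """Constructed minimal ELF32 (EM_386, ET_EXEC): a 0x5E4-byte text segment,
    a data segment right behind it, then the section header table (assumed layout)."""
    text_off, text_vaddr, text_size = 0x000, 0x08048000, 0x5E4
    data_off, data_vaddr = 0x5E4, 0x080495E4
    data_filesz, data_memsz = 0x100, 0x120
    e_shoff = data_off + data_filesz          # section headers follow .data in the file
    e_entry = 0x08048400
    ehdr = struct.pack(EHDR_FMT, ELF32_LE_MAGIC + b"\0" * 9, 2, 3, 1, e_entry,
                       52, e_shoff, 0, 52, 32, 2, 40, 2, 0)
    phdrs = struct.pack(PHDR_FMT, PT_LOAD, text_off, text_vaddr, text_vaddr,
                        text_size, text_size, PF_R | PF_X, PAGE_SIZE)
    phdrs += struct.pack(PHDR_FMT, PT_LOAD, data_off, data_vaddr, data_vaddr,
                         data_filesz, data_memsz, PF_R | PF_W, PAGE_SIZE)
    # .text (SHT_PROGBITS, AX) inside the text segment; .data (SHT_PROGBITS, WA) behind it
    shdrs = struct.pack(SHDR_FMT, 1, 1, 6, 0x08048400, 0x400, 0x1E4, 0, 0, 16, 0)
    shdrs += struct.pack(SHDR_FMT, 7, 1, 3, data_vaddr, data_off, data_filesz, 0, 0, 4, 0)
    body = bytearray(e_shoff + len(shdrs))
    body[:len(ehdr)] = ehdr
    body[52:52 + len(phdrs)] = phdrs
    body[e_shoff:] = shdrs
    return bytes(body)


if __name__ == "__main__":
    for key, value in analyze(build_sample()).items():
        print(f"{key:14} {value}")
```

For the constructed image the text ends at file offset 0x5E4, leaving 2,588 bytes of the page unused, so a 1,900-byte body fits; the data segment's program header, the .data section header and e_shoff are the offsets behind that point. Pointing analyze() at a real binary (open it, read it, check it is ELF32 first) gives the same report for that file.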

Variants

The original release gives no warning of its presence, but both variants do. These variants appear to be prototypes of what became the official Brundle virus.

Brundle-fly-default

This variant is about 1,400 bytes long. It only infects the host(?) and avoids other files(?). When the virus is executed, it prints a warning to STDOUT.

Brundle-fly propagation

This variant is much more aggressive: it actually infects files and is about 2,000 bytes long. Each time the virus is activated, it prints the same warning to STDOUT as the previous version.

Origin

Brundle was coded by Konrad Rieck and Konrad Kretschmer as a final project in an operating systems course at their university. It was tested under Linux kernels 2.2.17, 2.4.1, 2.4.3 and 2.4.5. It does not depend on any library, so it works regardless of which version of libc is installed. Rieck and Kretschmer created three variants. The official release was never offered in binary form by its creators, but since its source code was published, it was eventually compiled into a working virus. They dedicated the virus to Seth Brundle, the scientist from the remake of "The Fly".

The authors considered the virus to be related to the Bliss, Siilov and Vit viruses, the latter two coded by Silvio Cesare, and regarded it as a direct successor to Vit.

Sources

Konrad Rieck, Konrad Kretschmer. Brundle Fly: A good-natured Linux ELF virus.

Unless otherwise stated, the content of this page is licensed under Creative Commons Attribution-NonCommercial-ShareAlike 3.0 License