Pestilence is a second elf 64 bits virus (evolution of Famine). The virus will infect every files under /tmp/test and /tmp/test2 by adding itself to the targeted binary and it signature: Pestilence version 1.0 (c)oded by lmartin. Then when you will run binary that were under /tmp/test or /tmp/test2, they will infect every binary under /tmp/test and /tmp/test2 as well. :)
The difference with Famine is the code obfuscation: you can't run gdb or strace on it, and if you try to remove the code that block gdb or strace, the virus routine will be obfuscated. As my Famine version, if you run cat or gdb while launching the virus or a infected binary, the virus will not launch it infection routine.
make fsocietywill compile a Pestilence version that will infect everything from the root directory (⚠️ Please run it on a VM - you can run it as root tho :) )make fsocietywill also do abind shellon port4444when itself or a infected file is launched as root :3- Pestilence will pack a part of his code when executing on host using a LZSS compression and depack itself to copy the packed part on the infected binary
make
./Pestilence
Pestilence will copy itself (and pack itself on host) after the PT_LOAD executable of the targeted binary if there is enough space between the segment and the next one to fit. It will also change the previous entry of the program by itself and enhance p_filesz and p_memsz of the segment to be executable. It will also add to it replication, some tips of the targeted file like the previous entry to jump on it after it execution.
-----------------------
| HEADER |
-----------------------
| ... |
-----------------------
| |
| PT_LOAD |
| [R E] |
| |
| - - - - - - - - - - |
| PARAMS |
| - - - - - |
| SIGNATURE |
| - - - - - |
| |
| PESTILENCE |
| |
-----------------------
| ... |