The VIT virus is a parasitic ELF infector for Linux x86. It was developed
in October 1998 by Silvio Cesare and is heavily documented in the
accompanying article UNIX ELF VIRUS AND PARASITES. ELF infection is carried
out by inserting code into the text segment padding of the executable.
To do this, the virus code is inserted into the executable at the end
of the text segment (after making sure that the space between the text and
data segments is greater than the size of the virus, which happens to be
2250 bytes). The program and section headers are then modified to reflect
the changes in the file's structure. The entry point of the executable
is changed to point into the new code, and the virus transfers control back
to the original host entry point (which is stored at byte offset 2221).
The .rodata section in the executable is extended to include the virus code
so that the virus remains strip safe. The actual size of the executable
increases by 4096 bytes, not 2250 bytes. This is because p_offset and
p_vaddr must be congruent modulo the page size (4096 bytes). During
replication, the virus extracts itself by seeking to the virus's file offset
in the infected host and copying the 2250 bytes into memory, then using this
copy for infection. The actual method of replication is simple: executables
in the current directory are randomly selected and infection of them is
attempted.
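
The layout described above leaves a trace a scanner can check: the entry point ends up inside the extended .rodata section instead of an executable one. The following is an added example, not code from the virus or the accompanying article; the function names and the sample image are constructed for illustration, and it assumes a little-endian ELF32 file whose toolchain marks .rodata as allocated but not executable.

```python
import struct

EHDR = struct.Struct("<16sHHIIIIIHHHHHH")   # ELF32 file header (52 bytes)
SHDR = struct.Struct("<10I")                # ELF32 section header (40 bytes)
SHF_ALLOC, SHF_EXECINSTR = 0x2, 0x4

def entry_section_check(image: bytes) -> str:
    """Classify where e_entry lands: 'ok', 'non-exec-section' or 'no-section'."""
    if len(image) < EHDR.size or image[:4] != b"\x7fELF" or image[4] != 1 or image[5] != 1:
        raise ValueError("not a little-endian ELF32 image")
    f = EHDR.unpack_from(image, 0)
    entry, shoff, shentsize, shnum = f[4], f[6], f[11], f[12]
    if shentsize != SHDR.size or shoff + shnum * shentsize > len(image):
        raise ValueError("section header table missing or truncated")
    for i in range(shnum):
        # Fields: name, type, flags, addr, offset, size, link, info, align, entsize
        _, _, flags, addr, _, size, *_ = SHDR.unpack_from(image, shoff + i * shentsize)
        if flags & SHF_ALLOC and addr <= entry < addr + size:
            # An entry point inside a section without SHF_EXECINSTR (such as
            # .rodata) matches the infection layout described above.
            return "ok" if flags & SHF_EXECINSTR else "non-exec-section"
    return "no-section"

def build_sample(entry: int) -> bytes:
    """Constructed header-only ELF32 image: null, .text-like and .rodata-like sections."""
    ident = b"\x7fELF\x01\x01\x01" + bytes(9)
    ehdr = EHDR.pack(ident, 2, 3, 1, entry, 0, EHDR.size, 0, EHDR.size, 0, 0, SHDR.size, 3, 0)
    sections = [
        (0, 0, 0, 0, 0, 0, 0, 0, 0, 0),                                   # SHT_NULL
        (0, 1, SHF_ALLOC | SHF_EXECINSTR, 0x08048100, 0x100, 0x400, 0, 0, 16, 0),
        (0, 1, SHF_ALLOC, 0x08048500, 0x500, 0x900, 0, 0, 4, 0),          # .rodata-like
    ]
    return ehdr + b"".join(SHDR.pack(*s) for s in sections)

if __name__ == "__main__":
    for entry in (0x08048100, 0x08048D00, 0x08049000):
        print(hex(entry), entry_section_check(build_sample(entry)))
```

This is a heuristic: a hit means the file deserves a closer look, not that it is infected.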