So, essentially, really poorly written malware? Given the number of assumptions it makes without any sort of robustness around system configuration it’s about as good as any first-pass bash script.
It’d be a stretch to call it malware, it’s probably an outright fabrication to call it a virus.
I wasn’t sure about it either. There’s security researchers out there who might genuinely want to get a virus to run in a VM.
But yeah, the cmalw-lib-2.0
gives it away…
I wasn’t sure about it either
It ends with them donating money to the malware’s creator…
I laughed and my partner ask why. I told her it’s some really nerdy humor. She was fine not hearing the joke, but I loosely explained it anyway. She humored me anyway. She’s a good woman.
It’s like that guy that posted an example Bitcoin miner on GitHub, then a bunch of script kiddies forgot to change his wallet info for their own before deploying… He made a good chunk of change by doing nothing malicious.
Text version:
Downloaded a virus for Linux lately and
unpacked it.
Tried to run it as root, didn’t work.
Googled for 2 hours, found out that
instead of /usr/local/bin
the virus
unpacked to /usr/bin
for which the
user malware doesn’t have any write
permissions, therefore the virus couldn’t
create a process file.
Found patched .configure and .make
files on some Chinese forum, recompiled
and rerun it.
The virus said it needs the library
cmalw-lib-2.0
.Turns out
cmalw-lib-2.0
is shipped with CentOS
but not with Ubuntu. Googled for hours
again and found an instruction to build
a.deb package from source.
The virus finally started, wrote some
logs, made a core dump and crashed.
After 1 hour of going through the logs
I discovered the virus assumed it was
running on ext4 and called into its disk
encryption API. Under btrfs this API
is deprecated. The kernel noticed and
made this partition read-only
Opened the sources, grep’ed the Bitcoin wallet and sent $5 out of pity.