Re: A puzzle: CAPZLOQ TEKNIQ 1.0

From: Jan Engelhardt
Date: Wed Apr 19 2006 - 04:38:19 EST


>>The cross-platform viral proof-of-concept in the news last week does
>>indeed infect both Windows and Linux ELF binaries. At least it does on
>>some kernels. Some tests show it doesn't work on the latest versions.
>>
>>Hans-Werner Hilse is trying to puzzle out why. If anyone else wants to
>>play with it and see if they can figure out why it is sometimes viral on
>>Linux and sometimes not, drop me a note offlist.
>

From LWN/Newsforge:

--->2.6.15.4:
[0804744d] open("E", O_RDWR) = 4
...
[0804747e] old_mmap(NULL, 28672, PROT_READ|PROT_WRITE, MAP_SHARED, 4, 0) = 0xb7fca000
--->2.6.16.2:
[0804744d] open("E", O_RDWR) = 4
...
[0804747e] old_mmap(NULL, 32768, PROT_READ|PROT_WRITE, MAP_SHARED, 1, 0) = -1 ENODEV (No such device)


Simple as that. open() returns fd 4, but old_mmap is called with fd 1,
which is usually stdout. Looks to me like a userspace problem.


Jan Engelhardt
--
| Software Engineer and Linux/Unix Network Administrator
| Alphagate Systems, http://alphagate.hopto.org/
| jengelh's site, http://jengelh.hopto.org/
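Reproducing both outcomes of the trace above, as an added example that is not part of the original mail: a shared, writable mapping of a regular file opened read/write (fd 4 in the trace) succeeds, while the same mapping of a descriptor that is not a mappable file fails with ENODEV. Here /dev/null stands in for a tty on fd 1 (both are character devices without an mmap operation), and the temp file path is constructed for the demo.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* The call seen in the strace: a shared, writable mapping of `len` bytes at
 * offset 0 of descriptor `fd`. Returns 0 on success, else mmap()'s errno. */
int try_shared_mmap(int fd, size_t len)
{
    void *p = mmap(NULL, len, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
    if (p == MAP_FAILED) return errno;
    munmap(p, len);
    return 0;
}

/* Case 1: a regular file opened read/write, like fd 4 in the trace. */
int map_regular_file(size_t len)
{
    char path[] = "/tmp/mmap-demo-XXXXXX";    /* constructed temp file */
    int fd = mkstemp(path);
    if (fd < 0) return errno;
    unlink(path);                              /* gone once closed */
    int rc = ftruncate(fd, (off_t)len) < 0 ? errno : try_shared_mmap(fd, len);
    close(fd);
    return rc;
}

/* Case 2: a descriptor with no mmap operation. /dev/null stands in for
 * "fd 1 happens to be stdout": like a tty it is a character device that
 * cannot be mapped, so the kernel answers ENODEV, as in the 2.6.16.2 trace. */
int map_dev_null(size_t len)
{
    int fd = open("/dev/null", O_RDWR);
    if (fd < 0) return errno;
    int rc = try_shared_mmap(fd, len);
    close(fd);
    return rc;
}

int main(void)
{
    printf("fd 4 (regular file): %s\n", strerror(map_regular_file(32768)));
    printf("fd 1 (/dev/null):    %s\n", strerror(map_dev_null(32768)));
    return 0;
}
```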