How a naive virus infects a program:

1. Take any good program (for which the virus has write privileges) and take the instruction at location L1.
2. Replace this by a jump to L2.
3. Insert the dreadful code at location L2, followed by the original instruction from location L1. Worry about saving and restoring registers while doing this.
4. Insert a jump to location L1+1 at the end of the bad code.

The net result is a program that does all the old program did plus whatever else bad was inserted.

This naive approach can be detected by the presence of the distinctive byte sequences formed by the code at L2 or, more simply, by checking that a particular program has an unexpected length or modification time.

The hacker who entered NPAC installed a trapdoor into the UNIX command ps in a way that left the length of ps unchanged!

The intruder first entered NPAC by "sniffing" somebody's password and using UNIX bugs to get root permissions.
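The length-and-modification-time check from the notes, carried one step further in an added example (not from the original notes): besides length and mtime, the baseline records a SHA-256 digest, so a same-length trapdoor with the mtime put back, as in the ps case, is still caught. The file "ps" and its contents are constructed stand-ins.

```python
# Added example: baseline-and-compare integrity check for program files.
# Records each file's length, mtime and SHA-256 digest and reports which
# changed; the digest catches a trapdoor that leaves the length unchanged.
import hashlib
import os
import tempfile
from dataclasses import dataclass

FIELDS = ("size", "mtime_ns", "sha256")


@dataclass(frozen=True)
class Fingerprint:
    size: int
    mtime_ns: int
    sha256: str


def fingerprint(path: str) -> Fingerprint:
    """Snapshot the attributes an integrity checker records at install time."""
    st = os.stat(path)
    with open(path, "rb") as f:
        digest = hashlib.sha256(f.read()).hexdigest()
    return Fingerprint(st.st_size, st.st_mtime_ns, digest)


def compare(baseline: Fingerprint, current: Fingerprint) -> list[str]:
    """Names of the attributes that differ; an empty list means intact."""
    return [n for n in FIELDS if getattr(baseline, n) != getattr(current, n)]


def demo() -> dict[str, list[str]]:
    """Constructed scenario: one appended patch, one same-length patch."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "ps")  # constructed stand-in, not the real ps
        original = b"\x90" * 16 + b"original program body"
        with open(path, "wb") as f:
            f.write(original)
        base = fingerprint(path)
        # Naive infection from the notes: code appended, so the length grows.
        with open(path, "ab") as f:
            f.write(b"BAD CODE")
        results["appended"] = compare(base, fingerprint(path))
        # Same-length overwrite, original mtime put back (NPAC style): only the digest shows it.
        with open(path, "wb") as f:
            f.write(b"\xe9" + original[1:])
        os.utime(path, ns=(base.mtime_ns, base.mtime_ns))
        results["same_length"] = compare(base, fingerprint(path))
    return results
```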