Take any good program (one the virus has write privileges to) and take the instruction at location L1.
Replace this by a jump to L2.
Insert the dreadful code at location L2, followed by the original code from location L1. Worry about saving and restoring registers while doing this.
Insert a jump to location L1+1 at the end of the bad code.
The net result is a program that does all the old program did plus whatever else bad was inserted.
This naïve approach can be detected by the presence of distinctive byte codes formed by the code at L2, or more precisely by checking that a particular program has an unexpected length or modification time.
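The length/modification-time check above, written out as an added integrity-check example (not code from the original notes): it fingerprints a program file, then shows which attributes change under a naive append and under a same-length edit that also restores the mtime. The file name "ps" and the file contents are constructed here; adding a content hash is the one step beyond the text, and it is what still catches the length-preserving case.

```python
import hashlib
import os
import tempfile
from dataclasses import dataclass


@dataclass(frozen=True)
class Fingerprint:
    size: int        # the "unexpected length" check
    mtime_ns: int    # the "modification time" check
    sha256: str      # content hash: catches edits that keep size and mtime


def fingerprint(path: str) -> Fingerprint:
    """Record size, mtime and a SHA-256 of the file's contents."""
    st = os.stat(path)
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return Fingerprint(st.st_size, st.st_mtime_ns, h.hexdigest())


def compare(baseline: Fingerprint, current: Fingerprint) -> list:
    """Return the names of the attributes that differ from the baseline."""
    changed = []
    if current.size != baseline.size:
        changed.append("size")
    if current.mtime_ns != baseline.mtime_ns:
        changed.append("mtime")
    if current.sha256 != baseline.sha256:
        changed.append("sha256")
    return changed


def demo() -> dict:
    """Constructed scenario: a fake 'ps' binary, then two kinds of tampering."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "ps")
        original = b"ORIGINAL-PROGRAM-BYTES"   # constructed stand-in for a binary
        with open(path, "wb") as f:
            f.write(original)
        base = fingerprint(path)
        # Naive insertion: extra code appended, so the length changes (mtime usually does too).
        with open(path, "ab") as f:
            f.write(b"+EXTRA")
        naive = compare(base, fingerprint(path))
        # Same-length edit with the mtime put back: only the content hash differs.
        with open(path, "wb") as f:
            f.write(original[:-1] + b"Z")
        os.utime(path, ns=(base.mtime_ns, base.mtime_ns))
        stealthy = compare(base, fingerprint(path))
        return {"naive": naive, "stealthy": stealthy}


if __name__ == "__main__":
    print(demo())
```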
The hacker who entered NPAC installed a trapdoor into the UNIX command ps in a way that left the length of ps unchanged!
They first entered NPAC by "sniffing" somebody's password and using UNIX bugs to get root permissions.