Key Features • How To Use • Infection Process • Technical Details • Architecture • Educational Purpose • License
⚠️ PLEASE DON'T BE STUPID: DO NOT RUN THIS ON YOUR SYSTEM.⚠️ This is a real virus for educational purposes only.
- Metamorphic Engine - Each infection generates unique code variants
- Dynamic register reassignment and instruction substitution
- Anti-Debugging Protection - Multiple evasion techniques
- Process tracing detection and debugger presence checks
- ELF64 Binary Infection - Advanced binary manipulation
- PT_NOTE to PT_LOAD conversion and header modification
- RC4 Encryption - Encrypted payload components
- Signature Evolution - Dynamic signature mutation with each infection
- Process Filtering - Intelligent target selection and process avoidance
- Memory Layout Manipulation - Direct ELF structure modification
- Polymorphic Transformation - Register shuffling and junk code insertion
- Recursive Root Infection - Systematic propagation from filesystem root
- Complete filesystem traversal starting from root directory (/)
- Cross-platform Assembly - Pure x86_64 assembly implementation
Death represents the culmination of my advanced malware research series, building upon the foundational techniques I developed in my predecessor viruses: War, Pestilence, and Famine. This final iteration incorporates the most sophisticated anti-analysis and metamorphic capabilities, making it exceptionally resistant to reverse engineering through advanced instruction substitution techniques. Death inherits and enhances all features from my previous projects, so reviewing my War README.md, Pestilence README.md, and Famine README.md is essential to understanding the complete feature set integrated into this implementation.
This project creates an advanced ELF executable capable of embedding its polymorphic code within target binaries. Death employs a comprehensive recursive infection strategy, systematically traversing the entire filesystem starting from the root directory (/). This approach ensures maximum propagation by discovering and infecting all accessible ELF64 binaries throughout the system hierarchy. A file is considered "infected" when it contains the complete virus payload that executes transparently without altering the host's original functionality or producing detectable output, ensuring stealth operation to avoid security detection.
Post-infection, targeted files contain an evolved signature format: Death version 1.0 (c)oded by jdecorte:alexafer - XXXXXXXXXXXXXXXX:XXXXXXXXXX.XXXXXXXXXX, where:
- Infection Index: Sequential identifier tracking infection propagation order across processes
- Encryption Key: Dynamic RC4 key used for payload encryption during each replication cycle
- Mutation Signature: Computed by XORing 32-byte segments of the entire metamorphic payload
- Temporal Signature: Timestamp-based component ensuring unique identification per infection
The signature's final component represents a significant advancement over my War methodology. Instead of XORing only the decryptor code (_virus to _decrypt), Death XORs the complete encrypted and metamorphic payload. This approach ensures that every instruction mutation performed by the metamorphic engine generates a unique signature, creating an evolutionary fingerprint that changes with each code transformation cycle.
Death inherits comprehensive capabilities from my previous virus implementations including debugger detection mechanisms, decryptor mutation algorithms, recursive root filesystem infection, and advanced evasion techniques. The complete technical foundation requires understanding the architectural evolution documented in my War, Pestilence, and Famine README files to fully comprehend Death's integrated feature matrix.
To compile and run this educational virus, you'll need NASM and GCC installed on a Linux x86_64 system. IMPORTANT: Only run in isolated virtual machines.
# Clone this repository
$ git clone https://github.com/jdecorte-be/D34TH
# Go into the repository
$ cd D34TH
# Build the virus
$ make
# Run in isolated environment ONLY
$ ./Death1. Target Discovery
The virus initiates a recursive scan of the filesystem, beginning at the root directory (/). It systematically explores subdirectories and examines each file encountered. For each file, the virus checks:
- If it is an ELF64 binary (Linux 64-bit executable format)
- If the file is not in a filtered list (e.g., security tools and known analysis programs are skipped)
- If the file is not already infected (by searching for its unique evolutionary signature)
2. Binary Analysis
Once a potential target is found, the virus parses the ELF header and segment tables of the binary. The analysis includes:
- Verifying the ELF magic bytes and architecture (ELF64)
- Checking for existing infection signatures to avoid reinfection
- Ensuring the binary is writable and executable (suitable for code injection)
- Locating an appropriate segment (e.g., converting a
PT_NOTEtoPT_LOAD) for payload injection
3. Code Generation (Metamorphic Mutation)
For every infection attempt, the virus mutates its payload, creating a new, functionally equivalent but bytewise-unique variant. Mutation strategies include:
- Register reassignment (changing which registers are used by the code)
- Instruction substitution (e.g., replacing
ADDwithSUBor using different ways to clear a register) - Junk and NOP code insertion to further obfuscate the payload
4. Header Modification
The virus alters the ELF headers to ensure its payload is executed first. Actions include:
- Updating the binary's entry point (
e_entry) to point to the injected payload - Modifying or creating a program segment (e.g.,
PT_LOAD) to contain the payload and ensure it is marked executable
5. Payload Injection
The mutated payload is encrypted using RC4 with a unique key for every infection. The virus then:
- Injects the encrypted payload into the chosen segment of the binary, without overwriting the host's original code
- Ensures the payload is mapped into memory for execution
- Preserves the host functionality and output, so the infection remains undetectable during normal use
6. Signature Evolution
After a successful infection, the virus appends a unique signature to the infected file. This signature contains:
- An infection index to track propagation order
- An RC4 encryption key fragment used for this instance
- A mutation signature, generated by XORing 32-byte chunks of the payload (covering all code, not just the decryptor)
- A timestamp-based value for additional uniqueness
Summary:
D34TH discovers and analyzes ELF64 binaries, generates a new metamorphic and encrypted payload for every infection, modifies ELF headers, injects the payload without disrupting the host's behavior, and marks the infected file with a unique evolving signature.
The virus consists of several key components:
- Death.s - Main virus entry point and control logic
- Death.inc - System call definitions and data structures
- Deathf.s - File system traversal and infection routines
- rc4.s - RC4 encryption implementation
- encrypt_start.s - Encrypted payload section
- functions/ - Modular infection and utility functions:
infection.s- Core binary infection logicprepare_infection.s- Pre-infection validation and setupcheck_forbidden.s- Process filtering and detection avoidanceupdata_signature.s- Signature evolution mechanismsparse_dir.s- Directory parsing utilities
- Makefile - Build system with encryption integration
For transparency and educational value, here is a sample VirusTotal analysis of a compiled binary from this project.
Note: Detection rates may vary depending on metamorphic mutations and the scanning date.
- VirusTotal report link
- Detection Ratio: 0/65 (as of June 2025)
Educational and Research Use Only - See project files for detailed terms.
42 School · GitHub @jdecorte-be