Staog was able to infect Linux despite its security-oriented design which requires users and programs to login as root before any drastic operations can be taken. It worked by exploiting some kernel vulnerabilities to stay resident. Then, it would infect executed binaries.
Staog was written in assembly by the cracker group VLAD. It attempts to stay resident and infect binaries as they are executed by any user. Staog tries to subvert root access via three known vulnerabilities (mount buffer overflow, tip buffer overflow and one suidperl bug). VLAD is an Australian virus group, which also wrote the first Windows 95 virus, Boza.
Staog can be detected by searching all binaries for the following hex search string: