Awesome Linux Rootkits
The following is a quote from wikipedia.
A rootkit is a collection of computer software, typically malicious, designed to enable access to a computer or an area of its software that is not otherwise allowed (for example, to an unauthorized user) and often masks its existence or the existence of other software. The term rootkit is a compound of "root" (the traditional name of the privileged account on Unix-like operating systems) and the word "kit" (which refers to the software components that implement the tool). The term "rootkit" has negative connotations through its association with malware.
Linux rookit has been published a lot on GitHub. This page is a summary of them.
LD_PRELOAD rootkit
- mempodippy/vlany: Linux LD_PRELOAD rootkit (x86 and x86_64 architectures)
- chokepoint/azazel: Azazel is a userland rootkit based off of the original LD_PRELOAD technique from Jynx rootkit. It is more robust and has additional features, and focuses heavily around anti-debugging and anti-detection.
- chokepoint/jynxkit: JynxKit is an LD_PRELOAD userland rootkit for Linux systems with reverse connection SSL backdoor
- chokepoint/Jynx2: JynxKit2 is an LD_PRELOAD userland rootkit based on the original JynxKit. The backdoor has been replaced with an "accept()" system hook.
- ChristianPapathanasiou/apache-rootkit: A malicious Apache module with rootkit functionality
- unix-thrust/beurk: BEURK is an userland preload rootkit for GNU/Linux, heavily focused around anti-debugging and anti-detection.
Kernel Module rootkit
- mncoppola/suterusu: An LKM rootkit targeting Linux 2.6/3.x on x86(_64), and ARM
- m0nad/Diamorphine: LKM rootkit for Linux Kernels 2.6.x/3.x/4.x
- nurupo/rootkit: Linux rootkit for Ubuntu 16.04 and 10.04 (Linux Kernels 4.4.0 and 2.6.32), both i386 and amd64
- QuokkaLight/rkduck: Linux v4.x.x Rootkit
- David-Reguera-Garcia-Dreg/enyelkm: LKM rootkit for Linux x86 with the 2.6 kernel. It inserts salts inside system_call and sysenter_entry.
- trimpsyw/adore-ng: linux rootkit adapted for 2.6 and 3.x
Ramdisk rootkit
- r00tkillah/HORSEPILL: HORSEPILL rootkit PoC
- us-16-Leibowitz-Horse-Pill-A-New-Type-Of-Linux-Rootkit.pdf
Rootkit checker
- chkrootkit -- locally checks for signs of a rootkit
- The Rootkit Hunter project
- ossec/ossec-hids: OSSEC is an Open Source Host-based Intrusion Detection System that performs log analysis, file integrity checking, policy monitoring, rootkit detection, real-time alerting and active response.
Materials
- Malware Memory Analysis of the Jynx2 Linux Rootkit (Part 1): Investigating a Publicly Available Linux Rootkit Using the Volatility Memory Analysis Framework
- SANS Institute: Rootkit Detection with OSSEC
- The Horse Pill Rootkit vs. Forcepoint Threat Protection for Linux | Forcepoint
- The magic of LD_PRELOAD for Userland Rootkits | FlUxIuS' Blog
- Linux Rootkit Internals - Speaker Deck