Beurk - Experimental Unix Rootkit

Saturday, November 14, 2015

BEURK is an userland preload rootkit for GNU/Linux, heavily focused around anti-debugging and anti-detection.
NOTE: BEURK is a recursive acronym for EURK xperimental nix oot it

  • Hide attacker files and directories
  • Realtime log cleanup (on utmp/wtmp )
  • Anti process and login detection
  • Bypass unhide, lsof, ps, ldd, netstat analysis
  • Furtive PTY backdoor client

Upcoming features
  • ptrace(2) hooking for anti-debugging
  • libpcap hooking undermines local sniffers
  • PAM backdoor for local privilege escalation

  • Compile
    git clone
    cd beurk
  • Install
    ssh 'echo /lib/ >> /etc/'
  • Enjoy !
    ./ victim_ip:port # connect with furtive backdoor

The following packages are not required in order to build BEURK at the moment:
  • libpcap - to avoid local sniffing
  • libpam - for local PAM backdoor
  • libssl - for encrypted backdoor connection
Example on debian:
    apt-get install libpcap-dev libpam-dev libssl-dev

Subscribe via e-mail for updates!