awesome-linux-rootkits/details/rkduck.md
Ilya V. Matveychikov 63197cb654
Update rkduck.md
2018-07-04 18:32:44 +04:00

3.3 KiB

rkduck rootkit details

https://github.com/QuokkaLight/rkduck

Environment

  • x86, x86_64
  • Linux kernel 4.x
  • Debian/Ubuntu, RHEL/CentOS/Fedora

Persistency

Boot-time module loading using OS-specific startup files:

Rootkit module runs forever.sh helper script at the moment of module unloading:

Detection evasion

Rootkit is trying to evade from detection by:

  • hiding rootkit files by name

Management interface

Implemented via in-kernel netlink server (NETLINK_USER) :

Supported commands are:

Altering system behaviour

Hooking of system calls by patching syscall-handlers in sys_call_table[]:

Hiding of files and directories

Filtering of directory entries:

Hiding of processes and process trees

Filtering PID-like numeric entries while listing /proc:

Keylogger

Keylogger is implemented using register_keyboard_notifier():

Logged keystrokes are saved in file which periodically being sent to remote hos using scp:

Backdoor

...