
vlany's People

Contributors

blkor, lc, mempodippy, sksksksksksksk, stugmi, unixfox


vlany's Issues

ERROR: ld.so: object '/lib/libc.so.rootkit.89/SHWpgWVMsYw9.so.$PLATFORM' from /etc/.7AguPgE5g6 cannot be preloaded: ignored.

I'm testing this rootkit on CentOS 6.5, but when I finished there were many errors when I executed commands:
[root@localhost vlany]# ls -la
ERROR: ld.so: object '/lib/libc.so.rootkit.89/SHWpgWVMsYw9.so.$PLATFORM' from /etc/.7AguPgE5g6 cannot be preloaded: ignored.
total 156
drwxr-xr-x. 5 root root 4096 Nov 11 00:45 .
drwxr-xr-x. 3 root root 4096 Nov 11 00:34 ..
-rw-r--r--. 1 root root 23147 Nov 11 00:36 config.py
drwxr-xr-x. 8 root root 4096 Nov 11 00:36 .git
-rwxr-xr-x. 1 root root 16517 Nov 11 00:36 install.sh
-rw-r--r--. 1 root root 35141 Nov 11 00:36 LICENSE
drwxr-xr-x. 2 root root 4096 Nov 11 00:39 misc
-rw-r--r--. 1 root root 16 Nov 11 00:41 new_preload
-rw-r--r--. 1 root root 31401 Nov 11 00:36 README
-rw-r--r--. 1 root root 1858 Nov 11 00:36 README.md
drwxr-xr-x. 23 root root 4096 Nov 11 00:36 symbols
-rw-r--r--. 1 root root 15392 Nov 11 00:36 vlany.c
[root@localhost vlany]#
It obviously shows something.

ld.so.preload location

Great job... I just have one feature request, and I'm not sure if you'll like it.
In newer versions of Umbreon, we modify ld.so itself to change the location of ld.so.preload, and then hide this modification.
You may wanna do the same.

Seriously though, GREAT JOB ON THIS. I'm too busy with real life to really work on cool stuff like this anymore.

Snodew installation fails

Hi,

When testing vlany I noticed that the Snodew installation fails.

Installation has finished. Would you like to setup the experimental snodew root reverse shell backdoor? (YES/NO) (case-sensitive) [YES]:
cat: magic_gid: No such file or directory
--2016-12-25 19:30:48-- https://github.com/mempodippy/snodew/archive/master.tar.gz
Resolving github.com (github.com)... 192.30.253.112, 192.30.253.113
Connecting to github.com (github.com)|192.30.253.112|:443... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://codeload.github.com/mempodippy/snodew/tar.gz/master [following]
--2016-12-25 19:30:48-- https://codeload.github.com/mempodippy/snodew/tar.gz/master
Resolving codeload.github.com (codeload.github.com)... 192.30.253.121, 192.30.253.120
Connecting to codeload.github.com (codeload.github.com)|192.30.253.121|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [application/x-gzip]
master.tar.gz: No such file or directory

Cannot write to ‘master.tar.gz’ (No such file or directory).
rm: cannot remove ‘master.tar.gz’: No such file or directory
Error: master.tar.gz doesn't exist. Exiting.

Nothing works for me on Ubuntu 12.04.5 LTS!

Hey bro,
First of all, thank you so much for your great job.
Actually I installed it on Ubuntu/Linaro 4.6.3-1ubuntu5; the process finished without any error, even my Apache and SSH services restarted, but nothing works, as if I did nothing!?

Am I missing something? I did as your wizard said; any idea?
And is there any video or YouTube link for the installation? Maybe I did something wrong?
Thanks a lot.

Systemd log entries

Hi,
The following log entries are written when using the SSH backdoor (login and logoff).
Tested on Ubuntu 16.04.

/var/log/auth.log:
Dec 18 10:12:01 test systemd: pam_unix(systemd-user:session): session opened for user root by (uid=0)
Dec 18 10:12:01 test systemd-logind[856]: New session c3 of user root.
Dec 18 10:12:43 test systemd-logind[856]: Removed session c3.

/var/log/syslog:
Dec 18 10:09:05 test systemd[1]: Created slice User Slice of root.
Dec 18 10:09:05 test systemd[1]: Starting User Manager for UID 0...
Dec 18 10:09:05 test systemd[1]: Started Session c2 of user root.
Dec 18 10:09:05 test systemd[6375]: Reached target Paths.
Dec 18 10:09:05 test systemd[6375]: Reached target Sockets.
Dec 18 10:09:05 test systemd[6375]: Reached target Timers.
Dec 18 10:09:05 test systemd[6375]: Reached target Basic System.
Dec 18 10:09:05 test systemd[6375]: Reached target Default.
Dec 18 10:09:05 test systemd[6375]: Startup finished in 19ms.
Dec 18 10:09:05 test systemd[1]: Started User Manager for UID 0.
Dec 18 10:09:15 test systemd[6375]: Reached target Shutdown.
Dec 18 10:09:15 test systemd[6375]: Starting Exit the Session...
Dec 18 10:09:15 test systemd[6375]: Stopped target Default.
Dec 18 10:09:15 test systemd[6375]: Stopped target Basic System.
Dec 18 10:09:15 test systemd[6375]: Stopped target Paths.
Dec 18 10:09:15 test systemd[6375]: Stopped target Timers.
Dec 18 10:09:15 test systemd[6375]: Stopped target Sockets.
Dec 18 10:09:15 test systemd[1]: Stopping User Manager for UID 0...
Dec 18 10:09:15 test systemd[6375]: Received SIGRTMIN+24 from PID 6404 (kill).
Dec 18 10:09:15 test systemd[1]: Stopped User Manager for UID 0.
Dec 18 10:09:15 test systemd[1]: Removed slice User Slice of root.
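The entries above are the detection opportunity: systemd-logind and pam_unix(systemd-user:session) still record the root session even when the rootkit suppresses sshd's own lines. The following is an added example, not code from vlany or from this issue's author, that flags logind sessions with no preceding PAM session open from a service other than systemd-user. The sample log lines are constructed (the admin login, host name and timestamps are invented); the 5-second window and the rule that every interactive session should be preceded by a PAM session open from sshd, login, su, sudo or similar are assumptions to tune per host. Run it on logs shipped off the box, since a live LD_PRELOAD rootkit can filter what a local reader sees.

```python
"""Added example (not vlany code): correlate systemd-logind session starts with
PAM session opens to find logins that left no sshd/login/su record.

Assumptions: syslog-style timestamps without a year (supplied by the caller),
a correlation window of WINDOW_SECONDS, and that any PAM service other than
systemd-user counts as a legitimate session source. Tune both per host.
"""
from __future__ import annotations

import re
from datetime import datetime

# "Dec 18 10:12:01 host prog[pid]: message" (pid is optional, as in "systemd:").
_LINE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[^\[: ]+)(?:\[\d+\])?: (?P<msg>.*)$"
)
_PAM_OPEN = re.compile(
    r"^pam_unix\((?P<svc>[^:]+):session\): session opened for user (?P<user>\S+)"
)
_NEW_SESSION = re.compile(r"^New session (?P<sid>\S+) of user (?P<user>\S+)\.")

WINDOW_SECONDS = 5  # assumption: PAM open and logind "New session" are near-simultaneous


def parse_ts(stamp: str, year: int) -> datetime:
    """Syslog timestamps carry no year; the caller supplies it."""
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")


def find_unattributed_sessions(lines, year: int = 2016, window: int = WINDOW_SECONDS) -> list[dict]:
    """Return logind sessions for which no PAM session open (other than
    systemd-user's own) for the same user occurred within `window` seconds before."""
    opened: list[tuple[datetime, str, str]] = []  # (time, user, pam service)
    flagged: list[dict] = []
    for raw in lines:
        m = _LINE.match(raw)
        if not m:
            continue
        ts = parse_ts(m["ts"], year)
        msg = m["msg"]

        pam = _PAM_OPEN.match(msg)
        if pam and pam["svc"] != "systemd-user":
            # sshd, login, su, sudo, cron ... all open a PAM session before logind sees it.
            opened.append((ts, pam["user"], pam["svc"]))
            continue

        sess = _NEW_SESSION.match(msg)
        if sess and m["prog"] == "systemd-logind":
            recent = [
                svc for (t, user, svc) in opened
                if user == sess["user"] and 0 <= (ts - t).total_seconds() <= window
            ]
            if not recent:
                flagged.append({"time": m["ts"], "session": sess["sid"], "user": sess["user"]})
    return flagged


# Constructed sample: one ordinary SSH login (admin) followed by two root
# sessions that, as in the issue above, have only systemd's side of the story.
SAMPLE_AUTH_LOG = """\
Dec 18 10:05:30 test sshd[6201]: Accepted publickey for admin from 10.0.0.5 port 51022 ssh2: RSA SHA256:constructed
Dec 18 10:05:30 test sshd[6201]: pam_unix(sshd:session): session opened for user admin by (uid=0)
Dec 18 10:05:30 test systemd-logind[856]: New session c1 of user admin.
Dec 18 10:09:05 test systemd: pam_unix(systemd-user:session): session opened for user root by (uid=0)
Dec 18 10:09:05 test systemd-logind[856]: New session c2 of user root.
Dec 18 10:09:15 test systemd-logind[856]: Removed session c2.
Dec 18 10:12:01 test systemd: pam_unix(systemd-user:session): session opened for user root by (uid=0)
Dec 18 10:12:01 test systemd-logind[856]: New session c3 of user root.
Dec 18 10:12:43 test systemd-logind[856]: Removed session c3.
""".splitlines()


if __name__ == "__main__":
    for hit in find_unattributed_sessions(SAMPLE_AUTH_LOG):
        print(f"{hit['time']}: session {hit['session']} of {hit['user']} has no PAM login record")
```

On the sample the admin session is attributed to sshd and only c2 and c3 are reported. A console login via login(1), su or sudo produces its own pam_unix line and is therefore not flagged; the bare "systemd-user" open is the only thing the backdoor leaves behind, which is exactly what the rule keys on.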

Can't Reboot System When I Installed

Hi :

I'm a novice programmer 0.0. I had two problems when using vlany.

My Machine Information :
kernel environment : Linux Ubuntu 12.04 32 Bit
kernel release : 3.2.0-126-generic-pae

  1. I ran install.sh to install vlany normally. However, my machine stopped here when it was rebooted.

(screenshot)

Looking forward to your reply. thanks~

Unable to authenticate using the PAM backdoor on CentOS 6.x

I have successfully installed vlany on a clean CentOS box (a KVM VPS), CentOS 6.8 x64 with the latest updates (the minimal install). Nothing else is running on that VPS since it was specifically created to test your rootkit.

I am using sh ssh.sh username localhost port (it connects to the sshd daemon on the backdoor SSH port specified during rootkit install), but the user/pass combination always fails.

Any help would be really appreciated!

Keep developing this really nice rootkit!

Fails to install on Debian 8 3.16.43-2 x86_64

vlany fails to install on a fresh Debian 8 3.16.43-2 x86_64 VM with quick_install.sh.
The installation apparently works:
...

Hidden directory: /lib/libc.so.xxx.92
Environment variable: DFUTUELYMIJR
Installation finished.

but

  1. if you check the hidden directory:
    $> ls /lib/libc*
    ls: cannot access /lib/libc.so.xxx.92: No such file or directory

  2. the /boot/grub/grub.cfg wasn't patched at all.

  3. after the reboot the system starts an infinite loop:

A start job is running for udev Kernel device ... etc.

Don't know if the post-reboot messages are caused by the non-patched grub.cfg or are symptoms of some other error.

BTW vlany works like a charm on Ubuntu 14.04, kudos for a great job.

Installation fails on Debian 7/Ubuntu 14.04 because the libssl package isn't multiarch.

I'm facing an issue because Debian 7 Wheezy doesn't want to keep the packages libssl-dev (64-bit) and libssl-dev:i386 (32-bit) installed at the same time, because libssl is not multiarch-compatible.

root@vlany:~# apt-get --yes --force-yes install libssl-dev:i386
Reading package lists... Done
Building dependency tree       
Reading state information... Done
The following packages were automatically installed and are no longer required:
  libssl-doc zlib1g-dev
Use 'apt-get autoremove' to remove them.
Recommended packages:
  libssl-doc:i386
The following packages will be REMOVED:
  libssl-dev
The following NEW packages will be installed:
  libssl-dev:i386
0 upgraded, 1 newly installed, 1 to remove and 27 not upgraded.
Need to get 0 B/1,626 kB of archives.
After this operation, 1,411 kB disk space will be freed.
(Reading database ... 37977 files and directories currently installed.)
Removing libssl-dev ...
Selecting previously unselected package libssl-dev.
(Reading database ... 37892 files and directories currently installed.)
Unpacking libssl-dev (from .../libssl-dev_1.0.1t-1+deb7u2_i386.deb) ...
Setting up libssl-dev (1.0.1t-1+deb7u2) ...

So I ask you @mempodippy: is it necessary to have the 32-bit libraries on a 64-bit system for vlany?

Permission denied even though password is correct

I have installed it a few times and made sure there was no typo or keyboard issue...
Whenever I try to connect with the ssh.sh script I get permission denied. I tried setting all my passwords to "abc" so I'm sure it's not me giving a wrong password...

CentOS 6.1

Configuration Failed. Exiting

I installed vlany on Ubuntu 16.04 in VMware but it always showed an error,
"Configuration Failed. Exiting"
when I used CLI mode.
The error was shown like this:
Traceback (most recent call last):
  File "config.py", line 491, in <module>
    main()
  File "config.py", line 481, in main
    const_h_setup()
  File "config.py", line 207, in const_h_setup
    const_h += '#define VLANY_PASSWORD "' + xor(crypt.crypt(VLANY_PASSWORD, "$6%0s" % (''.join(random.choice(string.ascii_lowercase + string.ascii_uppercase + string.digits) for x in range(12))))) + '"\n'
  File "config.py", line 169, in xor
    return ''.join(list('\x'+hex(ord(x) ^ 0xac)[2:] for x in str_))
TypeError: 'NoneType' object is not iterable
Configuration failed. Exiting.

Please help me, and thanks for your attention.
Sorry for my bad English.

"Configuration failed. Exiting."

EDIT: It's related to the latest commits because this bug appears on CentOS & Debian (and maybe on other Linux distros).

I performed an installation but install.sh threw an error, "Configuration failed. Exiting."; here is the output of the installation:

[root@vlany ~]# cd vlany-master && ./install.sh --cli
/usr/bin/ld: cannot find -lc
collect2: error: ld returned 1 exit status
Checking for current presence of (and removing, if necessary) ld.so.preload
./install.sh: line 12: misc/rm_preload: No such file or directory
rm: cannot remove ‘misc/rm_preload’: No such file or directory
Press enter to continue, or ^C to exit.
Installing vlany without a tui.
Do you want to compile or install vlany? (enter 'compile' or 'install'): install
Regularly installing vlany.
Installing prerequisite packages... Please wait.
Packages installed.
Patching dynamic linker.
Attempting to patch /lib/ld-2.17.so by replacing /etc/ld.so.preload with new string, /etc/.FNUN1ZHE
Traceback (most recent call last):
  File "misc/patch_ld.py", line 69, in <module>
    for x in locations.split("\n"): patch_lib(x, O_PRELOAD, n_preload)
  File "misc/patch_ld.py", line 42, in patch_lib
    print("old preload found in {0}: {1}".format(location, x))
NameError: global name 'location' is not defined
cat: new_preload: No such file or directory
rm: cannot remove ‘new_preload’: No such file or directory
Dynamic linker patched.
Beginning configuration. Please don't leave any options that don't have default values empty (options with default values have [VALUE] in them). I can't be bothered checking for empty input.
PAM backdoor username: backdoor
PAM backdoor password: backdoor
Hidden PAM port [8923]: 8923
Optional SSL encryption for accept() hook backdoor (Yes/No) [No]: Yes
accept() shell password: backdoor
accept() low port [463]: 463
accept() high port [465]: 465
execve command password: backdoor
Rootkit library name [e7Ky2C0vxXfK]: e7Ky2C0vxXfK
Hidden directory [/lib/libc.so.backdoor.14]: /lib/libc.so.backdoor.14
Environment variable [RIAYOGGVAGLT]: RIAYOGGVAGLT
Configuration failed. Exiting.

OS details

  • Tested on this OS : CentOS 7.2 & 6.8 x64
  • SELinux state: disabled
  • Kernel version: 3.10.0-327.36.3.el7.x86_64 SMP Mon Oct 24 16:09:20 UTC 2016
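Two threads on this page describe the same artefact from both sides: the install log above shows misc/patch_ld.py rewriting the "/etc/ld.so.preload" string inside /lib/ld-2.17.so to a hidden path such as /etc/.FNUN1ZHE (the approach the Umbreon author suggests further up), and the first issue shows what a broken preload entry looks like to every process ("object '.../SHWpgWVMsYw9.so.$PLATFORM' from /etc/.7AguPgE5g6 cannot be preloaded: ignored"). The following is an added example, not vlany code and not from any of the issue authors, that checks both from outside the running system: it extracts the preload-path string from a copy of the dynamic linker, flags a non-canonical one, and validates the objects the preload file names, expanding $PLATFORM for each ABI you expect. The ELF blobs, preload file and filesystem view are constructed in-memory samples; the set of /etc/ strings a stock ld.so contains, the assumed platform list and the "directory named like a libc file" heuristic are assumptions taken from common glibc builds and from the hidden-directory names shown on this page.

```python
"""Added example (not vlany code): offline checks for a patched dynamic linker
and for the preload file it points at.

Run against a mounted disk image or a copied ld.so, not on the live box: a
userland preload rootkit hooks the very calls a local checker would use.
"""
from __future__ import annotations

import re

# Literal the stock glibc loader carries; patchers overwrite it in place.
CANONICAL_PRELOAD = b"/etc/ld.so.preload"
# Other /etc/ strings a stock ld.so contains. Assumption from common glibc
# builds; extend for your distro rather than treating extras as hits.
KNOWN_ETC_STRINGS = {b"/etc/ld.so.cache", b"/etc/ld.so.preload", b"/etc/suid-debug"}
_ETC_STRING = re.compile(rb"/etc/[\x21-\x7e]+")


def etc_strings(ld_so: bytes) -> list[bytes]:
    """Every printable /etc/... string in the loader image, in file order."""
    return [m.group(0) for m in _ETC_STRING.finditer(ld_so)]


def preload_path(ld_so: bytes) -> tuple[str, bool]:
    """(path this ld.so reads its preload list from, whether that is suspicious).

    An in-place patch must fit the original string's length budget (the page
    shows /etc/.FNUN1ZHE replacing the 18-byte canonical path), so a hidden
    path shows up as an unknown /etc/ string while the canonical one is gone.
    """
    found = etc_strings(ld_so)
    if CANONICAL_PRELOAD in found:
        return CANONICAL_PRELOAD.decode(), False
    unknown = [s for s in found if s not in KNOWN_ETC_STRINGS]
    if unknown:
        return unknown[0].decode(), True
    return "", True  # no preload string at all: stripped or patched beyond recognition


def check_preload_list(contents: str, exists, platforms=("x86_64", "i686")) -> list[str]:
    """Validate a preload list the way ld.so will consume it.

    Entries are separated by whitespace or ':'. `exists(path) -> bool` is
    injected so the check can run against an image. $PLATFORM expands to the
    kernel's AT_PLATFORM string, one file per ABI (assumed list above), so every
    expected variant is checked; a missing variant is what makes ld.so print
    "cannot be preloaded: ignored" for each process of that ABI.
    """
    findings: list[str] = []
    for obj in re.split(r"[\s:]+", contents.strip()):
        if not obj:
            continue
        variants = [obj.replace("$PLATFORM", p) for p in platforms] if "$PLATFORM" in obj else [obj]
        for v in variants:
            if not exists(v):
                findings.append(f"{obj}: variant {v} does not exist")
        # Heuristic from this page's install output: vlany's hidden directory is
        # named /lib/libc.so.<word>.<n>/ so that it blends in with libc files.
        tail = obj[len("/lib/libc.so."):] if obj.startswith("/lib/libc.so.") else ""
        if "/" in tail:
            findings.append(f"{obj}: directory disguised as a libc filename")
    return findings


# Constructed samples (not real binaries): a stock-looking loader and one patched
# the way the install log describes, hidden path NUL-padded to the original length.
STOCK_LD_SO = (
    b"\x7fELF" + b"\x00" * 8
    + b"/etc/ld.so.cache\x00/etc/ld.so.preload\x00/etc/suid-debug\x00"
)
PATCHED_LD_SO = STOCK_LD_SO.replace(b"/etc/ld.so.preload\x00", b"/etc/.FNUN1ZHE" + b"\x00" * 5)

# Constructed filesystem view: only the 64-bit object was built.
FAKE_FS = {"/lib/libc.so.rootkit.89/SHWpgWVMsYw9.so.x86_64"}
PRELOAD_CONTENTS = "/lib/libc.so.rootkit.89/SHWpgWVMsYw9.so.$PLATFORM\n"


def demo() -> dict:
    path, suspicious = preload_path(PATCHED_LD_SO)
    return {
        "preload_path": path,
        "suspicious": suspicious,
        "findings": check_preload_list(PRELOAD_CONTENTS, FAKE_FS.__contains__),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

On a real image, feed `preload_path()` the bytes of /lib64/ld-linux-x86-64.so.2 (or whichever ld-*.so the system uses) and `check_preload_list()` the contents of whatever path it returns, with `exists` bound to the mounted root. The string scan is deliberately dumb: it does not depend on the loader's version or section layout, which is what makes it usable across the CentOS 6/7 and Debian/Ubuntu versions in these threads.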

Failed to start udev Kernel Device Manager on Ubuntu 16.04

Hi,
Thank you for sharing this awesome rootkit project.
I tried some hiding features right after the installation on Ubuntu 16.04.4 server (4.4.0-116-generic) and they worked perfectly. However, when I rebooted the machine, the OS failed to boot into the default mode.
Could you help me to solve this problem? Thanks!
(screenshot)

"screen" is not hidden

When I run the screen command, the owner of the machine (logged in as root) can view the running command inside top/htop and can join the screen session.
I have almost the same behaviour with tmux, but the running tmux command isn't listed in top/htop.

Is there a way to completely hide a screen/tmux session, or does a terminal multiplexer exist that doesn't allow other users to join the session?

Ability to auth in the SSH backdoor using a private key

I've seen some OpenSSH backdoors that rely on a private key to authenticate; maybe it would be great to add an option to use a public key instead of a password in vlany? It would be more secure, as passwords can be brute-forced while with keys it's impossible.

double free or corruption (fasttop)

Hi,

I installed the rootkit but at the very end it crashes and makes the whole server unusable...

*** Error in `dialog': double free or corruption (fasttop): 0x000000000275b820 ***
./install.sh: line 402: 9313 Aborted dialog --title "$TITLE" --infobox "Installed." 7 20 3>&1 1>&2 2>&3
*** Error in `sleep': double free or corruption (fasttop): 0x0000000001e9ccf0 ***
./install.sh: line 402: 9314 Aborted sleep 1
*** Error in `dialog': double free or corruption (fasttop): 0x00000000006a0220 ***
./install.sh: line 402: 9315 Aborted dialog --title "$TITLE" --infobox "Setting up hidden directory and protecting files." 7 40 3>&1 1>&2 2>&3
*** Error in `sleep': double free or corruption (fasttop): 0x0000000000f5f2f0 ***
./install.sh: line 402: 9316 Aborted sleep 1
*** Error in `rm': double free or corruption (fasttop): 0x0000000004246ad0 ***
./install.sh: line 265: 9317 Aborted rm -rf *.so.* *.o
*** Error in `date': double free or corruption (fasttop): 0x0000000001020e20 ***
*** Error in `mv': double free or corruption (fasttop): 0x0000000003472f20 ***
./install.sh: line 265: 9319 Aborted mv bashrc $INSTALL/.bashrc
*** Error in `mv': double free or corruption (fasttop): 0x000000000243a3c0 ***
./install.sh: line 265: 9320 Aborted mv shell_msg $INSTALL/.shell_msg
*** Error in `mv': double free or corruption (fasttop): 0x000000000352c8c0 ***
./install.sh: line 265: 9321 Aborted mv bd_readme $INSTALL/README
*** Error in `cp': double free or corruption (top): 0x00000000018ab670 ***
./install.sh: line 265: 9322 Aborted cp misc/enter_lxc.c $INSTALL/enter_lxc.c
*** Error in `cp': double free or corruption (top): 0x0000000003398ce0 ***
./install.sh: line 265: 9323 Aborted cp misc/ssh.sh $INSTALL/ssh.sh
*** Error in `setfattr': double free or corruption (fasttop): 0x0000000000936800 ***
./install.sh: line 265: 9324 Aborted setfattr -n user.${HIDDEN_XATTR_1_STR} -v ${HIDDEN_XATTR_2_STR} $NEW_PRELOAD
*** Error in `setfattr': double free or corruption (fasttop): 0x0000000001156f90 ***
./install.sh: line 265: 9325 Aborted setfattr -n user.${HIDDEN_XATTR_1_STR} -v ${HIDDEN_XATTR_2_STR} $INSTALL $INSTALL/* $INSTALL/.profile $INSTALL/.bashrc $INSTALL/.shell_msg $INSTALL/.vlany_information
*** Error in `chattr': double free or corruption (fasttop): 0x0000000000bd8e80 ***
./install.sh: line 265: 9326 Aborted chattr +ia $INSTALL/.profile $INSTALL/.bashrc $INSTALL/.shell_msg $INSTALL/.vlany_information $INSTALL/${OBJECT_FILE_NAME}* $NEW_PRELOAD
*** Error in `dialog': double free or corruption (fasttop): 0x00000000009b86f0 ***
./install.sh: line 404: 9330 Segmentation fault /etc/init.d/ssh restart &> /dev/null
*** Error in `clear': double free or corruption (fasttop): 0x00000000030f16d0 ***
./install.sh: line 405: 9331 Aborted clear
*** Error in `cat': double free or corruption (fasttop): 0x0000000001563ca0 ***
./install.sh: line 406: 9332 Aborted cat $INSTALL/.vlany_information
Thank you for choosing vlany.

And after this, all commands are useless...

root@ns3026835:/var/lib/vim/addons/vlany-master# ls
*** Error in `ls': double free or corruption (top): 0x00000000022e75a0 ***
Aborted

Any idea how to fix this ?

Handle the init upgrade/switch to systemd (ex: Debian 7 -> Debian 8)

If a box with vlany installed and running on Debian 7 upgrades to Debian 8, the box will never reboot because of the bug with udev (a component of systemd); and if a box running any distribution switches to another init manager (Gentoo gives the ability to do this: https://elatov.github.io/2015/02/upgrade-gentoo-to-use-systemd/), the same bug will appear.

There are a few methods to prevent the brick:

  • On Debian based distribution, force wheezy by default: APT::Default-Release.
  • Scanning the box each minute to detect systemd binaries and if detected apply a patch (?).
  • Detecting changes made to the bootloader, for example on GRUB2 by scanning whether GRUB_CMDLINE_LINUX is modified, and if detected apply a patch.
  • Another idea (?)

vlany/symbols/exec/execve.c

I have a copy of your earlier work (as it seems) and in the execve.c file, at the end you have:

            if(!strcmp(argv[i], "-static")) // trying to statically compile a binary.. eww
            {
                // This works and removes the -static flag from the gcc execution but for some reason gcc throws a "not found error" with an empty string
                // printf("gcc -static flag detected. overwriting -static flag\n");
                // strncpy(argv[i], "", strlen(argv[i]));
                // printf("-static flag overwritten\n");
                // For now, let's just return a kernel memory error
                // Sigh...

                errno = ENOMEM;
                return -1;
            }

I think GCC returns an error because it gets its argument/option/parameter, which is empty now. And when it parses it, the parser does not recognize it as an option starting with '-', so it decides it's a file to compile. But an empty filename is "not found".
Just a wild guess... try replacing it with some pointless option like '-Wvarargs' (which is on by default anyway).
I guess this should work...

(Sorry for not testing it myself; I was just reading what you've done there and I thought I'd share my wild guess, but I do not have the time or need to try it myself.)

Network hiding Issues.

Hi,

I am new to rootkit testing and GitHub. I tried your malware on Ubuntu 15+ (15.04/16.04/16.10). I was able to connect to SSH via the backdoor, but you said that vlany can hide its packets from network sniffers like Wireshark. I was running Wireshark on the vlany system, and I saw all the SSH packets that were sent and received by the backdoor. Maybe they have patched Ubuntu; could you tell me the most basic version of the OS and kernel on which I should try vlany so that I can connect via the backdoor and Wireshark does not detect the packets?

Logged in users are shown twice

Hi,

I have noticed this bug when testing vlany on Debian 8, Ubuntu 14.04 and 16.04 (using VirtualBox).
See following screenshot:
(screenshot)
