Skip to content

Latest commit

 

History

History
79 lines (57 loc) · 3.3 KB

rkduck.md

File metadata and controls

79 lines (57 loc) · 3.3 KB

rkduck rootkit details

https://github.com/QuokkaLight/rkduck

Environment

  • x86, x86_64
  • Linux kernel 4.x
  • Debian/Ubuntu, RHEL/CentOS/Fedora

Persistency

Boot-time module loading using OS-specific startup files:

Rootkit module runs forever.sh helper script at the moment of module unloading:

Detection evasion

Rootkit is trying to evade from detection by:

  • hiding rootkit files by name

Management interface

Implemented via in-kernel netlink server (NETLINK_USER) :

Supported commands are:

Altering system behaviour

Hooking of system calls by patching syscall-handlers in sys_call_table[]:

Hiding of files and directories

Filtering of directory entries:

Hiding of processes and process trees

Filtering PID-like numeric entries while listing /proc:

Keylogger

Keylogger is implemented using register_keyboard_notifier():

Logged keystrokes are saved in file which periodically being sent to remote hos using scp:

Backdoor

...