Re: Vlany: A Linux (LD_PRELOAD) rootkit

[Rich Felker <dalias () libc org>]

On Thu, Nov 10, 2016 at 01:18:44PM +0200, eov eov wrote:
> Features:
>
> Process hiding
> User hiding
> Network hiding
> LXC container
> Anti-Debug
> Anti-Forensics
> Persistent (re)installation & Anti-Detection
> Dynamic linker modifications
> Backdoors
> accept() backdoor (derived from Jynx2)
> PAM backdoor
> PAM auth logger
> vlany-exclusive commands
>
> Download: https://github.com/mempodippy/vlany

At a quick glance, this would be trivially noticed by using strace. It
also badly breaks thread-safety and AS-safety of lots of the
interfaces it overrides, so you would expect deadlocks and crashes and
other weird behavior in multithreaded processes and processes which
make significant use of signal handlers, which would suggest to the
user that something is badly wrong (and probably trigger them to try
strace or gdb) without them actively scanning for anything.

Rich