oss-sec mailing list archives
Re: Vlany: A Linux (LD_PRELOAD) rootkit
From: Rich Felker <dalias () libc org>
Date: Thu, 10 Nov 2016 10:56:54 -0500
On Thu, Nov 10, 2016 at 01:18:44PM +0200, eov eov wrote:
> Features:
> - Process hiding
> - User hiding
> - Network hiding
> - LXC container
> - Anti-Debug
> - Anti-Forensics
> - Persistent (re)installation & Anti-Detection
> - Dynamic linker modifications
> - Backdoors
>   - accept() backdoor (derived from Jynx2)
>   - PAM backdoor
>   - PAM auth logger
> - vlany-exclusive commands
>
> Download: https://github.com/mempodippy/vlany
At a quick glance, this would be trivially noticed by using strace. It also badly breaks thread-safety and AS-safety of lots of the interfaces it overrides, so you would expect deadlocks and crashes and other weird behavior in multithreaded processes and processes which make significant use of signal handlers, which would suggest to the user that something is badly wrong (and probably trigger them to try strace or gdb) without them actively scanning for anything.

Rich
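The observation that strace sees the raw syscalls no matter what an LD_PRELOAD library overrides also gives a cheap in-process detection check. The following is an added example, not code from this thread or from vlany: it lists one directory both through libc's readdir() and through the raw getdents64 syscall and counts entries the kernel reports that libc does not; the names hidden_entry_count, list_raw, list_libc and raw_dirent64 are chosen here, and the check assumes Linux.

```c
/* Cross-view check: libc readdir() vs. raw getdents64 for one directory. */
#define _GNU_SOURCE 1
#include <dirent.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>
enum { MAX_ENTRIES = 8192, NAME_LEN = 256 };

/* Kernel record layout for getdents64, declared here so no libc type is used. */
struct raw_dirent64 { unsigned long long d_ino; long long d_off;
                      unsigned short d_reclen; unsigned char d_type; char d_name[]; };

/* Names via the raw syscall, bypassing libc's readdir(); returns count or -1. */
static int list_raw(const char *path, char names[][NAME_LEN]) {
    char buf[32768]; int fd = open(path, O_RDONLY | O_DIRECTORY), n = 0;
    if (fd < 0) return -1;
    for (long got; (got = syscall(SYS_getdents64, fd, buf, sizeof buf)) > 0;)
        for (long off = 0; off < got && n < MAX_ENTRIES; n++) {
            struct raw_dirent64 *d = (struct raw_dirent64 *)(buf + off);
            snprintf(names[n], NAME_LEN, "%s", d->d_name);
            off += d->d_reclen;
        }
    close(fd);
    return n;
}

/* Names via libc's readdir(), the interface a preload rootkit overrides. */
static int list_libc(const char *path, char names[][NAME_LEN]) {
    DIR *dir = opendir(path);
    struct dirent *e; int n = 0;
    if (!dir) return -1;
    while ((e = readdir(dir)) && n < MAX_ENTRIES)
        snprintf(names[n++], NAME_LEN, "%s", e->d_name);
    closedir(dir);
    return n;
}

/* Entries the kernel reports but readdir() omits: 0 = consistent, -1 = unreadable. */
int hidden_entry_count(const char *path) {
    static char raw[MAX_ENTRIES][NAME_LEN], lib[MAX_ENTRIES][NAME_LEN];
    int nraw = list_raw(path, raw), nlib = list_libc(path, lib), hidden = 0;
    if (nraw < 0 || nlib < 0) return -1;
    for (int i = 0, j; i < nraw; i++) {
        for (j = 0; j < nlib && strcmp(raw[i], lib[j]) != 0; j++) {}
        hidden += (j == nlib);          /* kernel saw it, libc did not */
    }
    return hidden;
}
```

Run it against /proc to look for hidden processes; a non-zero count is a heuristic, not proof, since the check still goes through libc's syscall() wrapper, whereas strace observes the same syscalls from outside the process.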