
Difference between revisions of "Jynx Rootkit/2.0"

From NetSec
(Configuration Options in Config.h)
Line 79:
 
 ==CONFIG_FILE==
 
 The CONFIG_FILE defaults to ld.preload.so, which is commonly located in the /etc directory.
-{{notice: You can change CONFIG_FILE to further hide jynx2}}
+{{notice| You can change CONFIG_FILE to further hide jynx2}}
 
 ==HIGH_PORT and LOW_PORT==
 
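Review bot: the `:` to `|` change at line 79 is the right fix. MediaWiki separates a template name from its parameters with `|`, so `{{notice: You can change ...}}` was parsed as a call to a (nonexistent) template named `notice: You can change ...` rather than as the notice template with a message; the rendered revision below shows it now displaying as "Notice: ...".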

Revision as of 02:28, 17 March 2012

Jynx2 is an expansion of the original Jynx LD_PRELOAD rootkit, written in C, with several modifications: multi-factor authentication, a more compatible shell drop, and additional hiding features.
                _   _,.-.' .-.
            _ .' |,'   ."".| |.""._
           ( || ,',"". `._`' `  '  `.
           `\ | `" .-"`-..`     .    `.
            |     `..--.._       |     \
          _,|      _...'_.'     ,+.     `.
     ,""'|   `...-'..""(__.._ -"   `"--.. `.
    |`._,'  ,'  /\ .'""` .'""`. `.    |  `. \
    '      / / /  ||    ||    |.`.`.   .   | \
     `.__,'-._'  /|` -"'  `-.'  \ \ \   `"-'  \
      ' `.   /  /_| | |'""| | .-""'`'"`-,.-"\  .
     . / .\ .  /  | | `._.' ||        ,'     \  \
    ' / / |/  /_.-+._`-..--"-.       .   .    \  `
   / /.'  '  ,'""'-. `"."'""'`..     |.        \  \
  / . |  j  .       . |        |\__," |.  `    '   \
 .  | |  |  |       ' |        '|   | ' `  \    \   .
 |    |  |  `.____,'   ..____,' |   |    .       \
 |    |  |  | ._  _..---._   _,'    |       .        '
 |    |  |  | | ""  .    |`"'   \ `.|     '  '  '     .
 |    |  |  | |     |    |       `  `      .  .  \    |
 |    |  |  | |     '    |        \  `.    |  |   .   |
 '    '  |  | |      .   `         \   \   |  |   |   |
  \      `  | |      |              .   `. |  |   |   |
   \      \ ' |      `    '          `    `+..|___|___|_........
    \      \ \|       '    .           `.    `.                 |
     `.     \ .        .   `             `.    `-.            .'
    _,'`.    \'         .   \              `-.._  `._       ,'
 _."     `._ `.`        |    .                       `._   .
`._       _,`"--`.      |     .                         `. |
  `-._ ,'              |      `.                         `|_
     ,'         |      |        `.                          `.
   .'   __...__.|      |          \ __..._     _,..,.__       `.
   `-`"'        `._..--'-.__      .'      `-..'        ``'"--..-'
                            `"---' 
                            
                            
    /$$$$$                                      /$$   /$$ /$$   /$$    
   |__  $$                                     | $$  /$$/|__/  | $$    
      | $$ /$$   /$$ /$$$$$$$  /$$   /$$       | $$ /$$/  /$$ /$$$$$$  
      | $$| $$  | $$| $$__  $$|  $$ /$$//$$$$$$| $$$$$/  | $$|_  $$_/  
 /$$  | $$| $$  | $$| $$  \ $$ \  $$$$/|______/| $$  $$  | $$  | $$    
| $$  | $$| $$  | $$| $$  | $$  >$$  $$        | $$\  $$ | $$  | $$ /$$
|  $$$$$$/|  $$$$$$$| $$  | $$ /$$/\  $$       | $$ \  $$| $$  |  $$$$/
 \______/  \____  $$|__/  |__/|__/  \__/       |__/  \__/|__/   \___/  
           /$$  | $$                                                   
          |  $$$$$$/                                                   
           \______/

Features

  • Hiding from netstat
  • Hiding from ps/top and /proc
  • File hiding
  • SSL connect accept() hook
  • Multi-factor authentication
  • Improved anti-removal features
Protip: It is possible to make Jynx2 even more difficult to remove by hooking libc's link() function; for that reason we recommend that any LD_PRELOAD rootkit be removed from a LiveCD, where the preloaded library is not in effect.


Archive Contents

 [root@ares jynx2]# ls
 Makefile  README  config.h  jynx2.c  packer.sh  reality.c
In this rendition of Jynx, two shared libraries are built by the installation process. One, jynx2.so, functions as the actual rootkit, while the other, reality.so, lets the remote-access user see their own (otherwise hidden) files and processes.

Configuration Options in Config.h

Warning: Improper configuration of Jynx2 can result in severe system instability, including segmentation faults of nearly every process on the infected host, because the library is preloaded into every dynamically linked program.

MAGIC_STRING

MAGIC_STRING is the name of the directory that you want to hide from the system.

For example, if you set your magic string to "hiddendir", jynx2 will hide the folder "hiddendir" in the root directory.

This string can also be used as a prefix for your main directory, as well as for the files in that directory.

MAGIC_GID and MAGIC_UID

  • Similar to the original Jynx Rootkit, Jynx2 will automatically hide processes, files, and connections owned by the magic UID or GID.
Protip: Because adding a user/group to the machine may set off a HIDS, we recommend that MAGIC_UID and MAGIC_GID be set to a commonly unused service user's information (e.g. cupsd or lp) for maximum IDS evasion, as no files will suddenly disappear and the fewest files in /etc/ will be modified.


REALITY_PATH

This is the path to install reality.so into.

CONFIG_FILE

The CONFIG_FILE defaults to ld.preload.so, which is commonly located in the /etc directory.

Notice: You can change CONFIG_FILE to further hide jynx2
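The hiding described for MAGIC_STRING, MAGIC_UID/MAGIC_GID and CONFIG_FILE all works the same way: the preloaded library hooks libc calls such as readdir(), so every program that lists a directory through libc (ls, ps, find) gets a filtered view. The following defender-side check is an added example, not code from Jynx2 or this page: it lists a directory once through libc and once through the raw getdents64 syscall, which bypasses libc, and reports any name present in the kernel's answer but missing from libc's. The function name and the directory list are the example's own; it detects only userland (LD_PRELOAD) hooks, since a kernel-level rootkit would filter both paths.

```c
#define _GNU_SOURCE
#include <dirent.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>
/* Layout of one getdents64 record as the kernel returns it. */
struct linux_dirent64 {
    unsigned long long d_ino;
    long long          d_off;
    unsigned short     d_reclen;
    unsigned char      d_type;
    char               d_name[];
};

/* Compares the libc view of `dir` (scandir -> readdir, the path an LD_PRELOAD
 * hook intercepts) with the raw getdents64 syscall view, which bypasses libc.
 * Prints every name the kernel reports but libc does not and returns how many
 * there were; -1 if the directory cannot be read. Function name is the example's own. */
int count_hidden_entries(const char *dir) {
    struct dirent **seen;
    int nseen = scandir(dir, &seen, NULL, NULL);
    if (nseen < 0) return -1;
    int fd = open(dir, O_RDONLY | O_DIRECTORY), hidden = 0;
    _Alignas(8) char buf[8192];
    while (fd >= 0) {
        long n = syscall(SYS_getdents64, fd, buf, sizeof buf);
        if (n <= 0) break;                 /* 0: end of directory, <0: error */
        for (long pos = 0; pos < n; ) {
            struct linux_dirent64 *d = (struct linux_dirent64 *)(buf + pos);
            int found = 0;
            for (int i = 0; i < nseen && !found; i++)
                found = strcmp(seen[i]->d_name, d->d_name) == 0;
            if (!found) { printf("hidden from libc in %s: %s\n", dir, d->d_name); hidden++; }
            pos += d->d_reclen;
        }
    }
    if (fd >= 0) close(fd);
    for (int i = 0; i < nseen; i++) free(seen[i]);
    free(seen);
    return fd < 0 ? -1 : hidden;
}

int main(void) {
    /* Directories a file- or process-hiding LD_PRELOAD rootkit typically filters. */
    const char *dirs[] = { "/", "/etc", "/proc" };
    for (int i = 0; i < 3; i++) printf("%s: %d entries hidden from libc\n", dirs[i], count_hidden_entries(dirs[i]));
    return 0;
}
```

On a clean Linux host every directory reports 0; a non-zero count for / (MAGIC_STRING), /proc (MAGIC_UID processes) or /etc (CONFIG_FILE) is the discrepancy a preloaded hook leaves behind, which is why the page's own advice to clean up from a LiveCD is sound.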

HIGH_PORT and LOW_PORT

LIBC_PATH

Download & Installation

Usage

Troubleshooting