Home

vlany is a ring-3 (userland) rootkit which uses the LD_PRELOAD feature to make sure it loads before any shared library and therefore is able to hide from regular users and system administrators efficiently. Its main focus is being stealthy and efficient, giving various tools for the user to use. It's being actively developed here on GitHub and is a completely open source for anyone to use and edit.

Resources

Features

• Process hiding
• User hiding
• Network hiding
• LXC container
• Anti-Debug
• Anti-Forensics
• Persistent (re)installation & Anti-Detection
• Dynamic linker modifications
• Backdoors
  • accept() backdoor (derived from Jynx2)
  • PAM backdoor
    • PAM auth logger
  • snodew reverse shell backdoor
• vlany-exclusive commands

LD_PRELOAD

• LD_PRELOAD is an environment variable used by the dynamic linker which points to a list of shared libraries, usually separated by colons but also can be separated by spaces.

• Once LD_PRELOAD isn't empty, the dynamic linker will attempt to load the libraries in the environment variable. Any libraries loaded will be used in all dynamic userland processes as the very first dynamic libraries to refer to, and any userland symbols used in processes will be called from the loaded libraries.

• This is obviously vulnerable to malicious attack if you can externally manipulate the behaviour of the libc wrappers for the majority of system calls in the Linux kernel.

• This doesn't apply to any statically compiled binaries however, since statically compiled binaries don't rely on the dynamic linker to resolve and use symbols.

• Now since LD_PRELOAD obviously only applies to the current environment, we utilise the lovely little system wide implementation of LD_PRELOAD in /etc/ld.so.preload.

• This file format follows the same format as the LD_PRELOAD environment variable, and is automatically used by every new userland process on the system.

• The /etc/ld.so.preload file could be used for legitimate purposes, but it's just unlikely.

• Most rootkits don't do this - /etc/ld.so.preload is the default file that the dynamic linker uses to preload any required libraries - but vlany modifies the dynamic linker's libraries to overwrite the /etc/ld.so.preload strings in the dynamic linker with a new random file string. So any box with an installation of vlany won't be affected by any of the data inside /etc/ld.so.preload at all - it becomes useless.

• LD_PRELOAD is often used for other kinds of useful stuff, such as game hacking and debugging.

• Any library symbols can be hooked, such as the libx11 symbols.

Learning materials

• http://haxelion.eu/article/LD_NOT_PRELOADED_FOR_REAL/
• https://www.youtube.com/watch?v=oYgmwwlcLc0 (probably one of my favourite)
• https://www.youtube.com/watch?v=cTETqvEn_EM (game hacking related, but still indirectly explains how LD_PRELOAD would work to hook other functions)
• http://volatility-labs.blogspot.co.uk/2012/09/movp-24-analyzing-jynx-rootkit-and.html
• https://www.reddit.com/r/linuxadmin/comments/23vhtd/anyone_seeing_weird_ssh_user_accepted_logs/
• Mac OS X (Darwin) equivalent of LD_PRELOAD trickery