rkduck is a Loadable Kernel Module rootkit for the latest Linux Kernels v4. This is still a work in progress.
- Stealth
- Hide files, directories, processes
- Communication
- SSH
- Direct shell (unencrypted)
- Reverse shell (unencrypted)
- Keylogger
- Recording of the keystrokes of every user.
- Information sent periodically
- Crumbs
- A user space CLI program allowing the user to control the rootkit configuration during its execution
- Requires an authentication to be used (hardcoded key stored in rduck, the configuration section has more information about it)
At the moment we didn't get the chance to test our rootkit on different versions of Linux to make sure everything is working as intended. If you want to report a bug feel free to create an issue or send us an email at [email protected].