Azazel is a userland rootkit written in C based off of the original LD_PRELOAD technique from Jynx rootkit. It is more robust and has additional features, and focuses heavily around anti-debugging and anti-detection. Features include log cleaning, pcap subversion, and more.
FeaturesAnti-debugging
Avoids unhide, lsof, ps, ldd detection
Hides files and directories
Hides remote connections
Hides processes
Hides logins
PCAP hooks avoid local sniffing
Two accept backdoors with full PTY shells.
Crypthook encrypted accept() backdoor
Plaintext accept() backdoor
PAM backdoor for local privesc and remote entry
Log cleanup for utmp/wtmp entries based on pty
Uses xor to obfuscate static strings
Download:
git clone https://github.com/chokepoint/azazel.gitSource and More information:http://blackhatlibrary.net/Azazel
