Sunday, May 04, 2014

HOWTO : Azazel on Debian Wheezy

I know this rootkit - Azazel for some time; however, I am busy to give it a test. Recently, I am bored and take it a look.

Azazel is a linux userland rookit based on original LD_PRELOAD technique from Jynx (rootkit). Azazel has some features that are very useful for attackers, such as file hidden and anti-debugging.

I set up four virutalbox guests in Debian 7 (Wheezy), Ubuntu 12.04.4 LTS, Ubuntu 14.04 LTS and CentOS 6.5.

The Azazel can be compiled without problem if you installed the required libraries. You need root privilege to install this rootkit. Once installed, you are very hard to remove it unless you re-install your system. However, the developer sugguest to remove one of the files by booting from live cd.

After a very quick test on Azazel under the above mentioned Virtualbox (version 4.3.10 r93012) guests, only Debian can run it flawlessly. Ubuntu cannot be reboot. CentOS cannot be login after the reboot. Azazel cannot be ran properly in Ubuntu and CentOS too. I think no attacker will want to destroy the victim box unless s/he really want to.

After a quick look at the developer's products, I think that the developer is running Debian and his products should be tested on Debian only.

Meanwhile, only backdoor, anti-debugging and file hidden of Azazel on Debian are tested. Plaintext backdoor and Crypthook backdoor cannot be tested successful in my lab. Once the file is hidden, you cannot undo it and it can be access by Azazel only.

If you want to port this rootkit to other Linux distributions, you need to modify the source code. One of the reasons that Linux is harder to be attacked due to too many variants.


To compile Azazel on Debian or Ubuntu, you need to do the following :

apt-get install libpam0g-dev libssl-dev libpcap0.8-dev build-essential git

To compile Azazel on CentOS, you need to do the following :

yum install gcc make pam-devel openssl-devel libpcap-devel

That's all! See you.