Azazel is a userland rootkit based on the original LD_PRELOAD technique from the Jynx rootkit. It is more robust, has additional features, and focuses heavily on anti-debugging and anti-detection.
It seems that there is a plethora of unhappiness on RHEL revolving around the PAM implementation. I've tried to address it, but have run out of time and don't know PAM all that well. So far I have found the following:
When running SU, pam_acct_mgmt calls to pam_sm_authenticate (when defined, but it's not by default). Azazel defines this function, which means that the init function winds up with a NULL pointer for pam_sm_authenticate in the symbols table.