LinuxCommandLibrary

caligula

A user-friendly, lightweight TUI for disk imaging: writes an OS image to a USB stick or SD card, checking the image's hash first and reading the device back afterwards

TLDR

Flash an ISO to a drive

$ caligula burn [path/to/image.iso]

Flash an ISO to a drive without entering the hash interactively
$ caligula burn [path/to/image.iso] [[-s|--hash]] [hash]

SYNOPSIS

caligula burn [options] [path/to/image]

The main subcommand is burn. With no -o/--out, caligula scans for disks (removable ones only, by default), shows them and asks which one to write to; with no -s/--hash it asks whether there is a hash to verify the image against before anything is written. The write itself is always preceded by an explicit confirmation unless -f/--force is given.

PARAMETERS

path/to/image
    The image file to write. Compressed images are decompressed on the fly; the compression format is inferred from the file extension or set explicitly with -z/--compression.

-o, --out
    The target block device (e.g. /dev/sdb). If omitted, caligula lists candidate disks and prompts for one.

-s, --hash
    Expected hash of the image file, given as a bare hex digest (the algorithm is inferred from its length) or as algorithm:digest. caligula computes the hash before writing and aborts on a mismatch. The value skip bypasses the check; ask (the default) prompts for a hash interactively.

--hash-of
    Whether the supplied hash is that of the compressed file as downloaded or of the decompressed raw image. Publishers usually hash the download, so a raw-image hash against a compressed file (or vice versa) rejects a good image.

--show-all-disks
    Offer every disk as a target, not only removable ones. This makes the running system's own disk selectable, so use it deliberately.

-f, --force
    Skip the confirmation prompt before the target disk is overwritten.

--root
    Whether caligula should re-run itself with elevated privileges when it lacks permission to open the target device, instead of requiring the whole command to be run under sudo.

DESCRIPTION

caligula is a terminal (TUI) disk imaging tool written in Rust, published at https://github.com/ifd3f/caligula and installable with cargo install caligula or from the project's prebuilt releases. It replaces the dd incantation commonly used to flash an OS image onto a USB stick or SD card with a guided flow.

A burn runs in stages: optionally verify the input file against an expected hash, choose the target disk from a list that by default hides non-removable (system) disks, confirm, write the image (decompressing on the fly if it is compressed), then read the device back and compare it with the image so that a write that silently failed or a flaky card is reported immediately rather than discovered at boot time. If the target device is not writable by the current user, caligula offers to escalate to root itself rather than silently failing or needing the user to prefix the command with sudo.

CAVEATS

Writing an image is destructive: everything on the target disk is overwritten, and the confirmation prompt is the last safeguard, so check the device name against lsblk before agreeing and be doubly careful with --show-all-disks or -f/--force. The hash check only establishes that the file you have is the file the publisher hashed; a digest fetched from the same untrusted place as the image proves nothing about the image's authenticity, so take digests (or, better, signatures) from a channel you trust. Because the hash of a compressed download differs from the hash of the decompressed image, get --hash-of (or the corresponding prompt) right, or a good image will be rejected. Finally, the read-back verification covers the bytes caligula wrote, not the rest of the disk.

OPERATIONAL MECHANICS

caligula opens the input file and, if a hash was supplied, hashes it and stops on a mismatch. It then streams the image, decompressing if necessary, to the target block device, showing write progress in the TUI. Once the write completes it reads the same number of bytes back from the device and compares them with the image, reporting any difference as a failed burn. Privilege escalation, when needed, happens only for opening and writing the device; the interactive front end runs as the invoking user.

VERIFYING THE WRITE INDEPENDENTLY

A read-back that immediately follows the write can, depending on how the device was opened, be satisfied from the kernel's page cache rather than from the medium, so for media that matters (installer sticks, devices going into the field) repeat the comparison from scratch: eject and re-insert the medium, then hash exactly as many bytes from the device as the image is long and compare the result with the image's hash. Reading the whole device would include whatever bytes lie past the end of the image and never match.
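A shell version of that independent check, added here as an example and not part of caligula: check_image_hash mirrors the pre-burn hash check that -s/--hash performs, and verify_written re-reads exactly the image's length from the device and compares digests. The demo runs on constructed data in a temporary directory; burn_image shows the non-interactive invocation from the TLDR above (with -o/--out taken from caligula's help text as an assumption about the installed version) and is deliberately not invoked by the demo.

```shell
#!/bin/sh
# Added example, not part of caligula: hash check before the burn and an
# independent read-back check after it, using only POSIX sh and GNU coreutils.

# Return 0 if the SHA-256 of image $1 equals the expected hex digest $2.
# This is the check caligula performs itself when given -s/--hash.
check_image_hash() {
    got=$(sha256sum "$1" | cut -d' ' -f1)
    want=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ "$got" = "$want" ]
}

# Return 0 if the first N bytes of device $2 (N = size of image $1) hash to
# the same digest as the image. Reading exactly N bytes matters: the device
# is larger than the image and the bytes past it are whatever was there before.
verify_written() {
    size=$(wc -c < "$1" | tr -d ' ')
    want=$(sha256sum "$1" | cut -d' ' -f1)
    got=$(head -c "$size" "$2" | sha256sum | cut -d' ' -f1)
    [ "$got" = "$want" ]
}

# Non-interactive flash from the TLDR above: caligula aborts if the image does
# not match the hash. -o/--out (the target device) is assumed from caligula's
# help text. Not invoked by the demo; run it only after checking $3 with lsblk.
burn_image() {
    caligula burn "$1" --hash "$2" -o "$3"
}

# Demo on constructed data: a 64 KiB pseudo-image and a 128 KiB file standing
# in for the target device, with the image written at offset 0 as a real burn
# would. Returns 0 when both checks pass and a corrupted device is caught.
demo() {
    dir=$(mktemp -d) || return 1
    head -c 65536 /dev/zero | tr '\0' 'A' > "$dir/demo.img"
    head -c 131072 /dev/zero > "$dir/fake-device"
    dd if="$dir/demo.img" of="$dir/fake-device" conv=notrunc 2>/dev/null
    expected=$(sha256sum "$dir/demo.img" | cut -d' ' -f1)

    check_image_hash "$dir/demo.img" "$expected" || { rm -rf "$dir"; return 1; }
    verify_written "$dir/demo.img" "$dir/fake-device" || { rm -rf "$dir"; return 1; }

    # Flip one byte inside the image region; the read-back must now fail.
    printf 'X' | dd of="$dir/fake-device" bs=1 seek=4096 conv=notrunc 2>/dev/null
    if verify_written "$dir/demo.img" "$dir/fake-device"; then
        rm -rf "$dir"; return 1
    fi
    rm -rf "$dir"
    return 0
}

demo && echo "hash check and read-back verification behave as expected"
```

For a real flash, replace the constructed files with the downloaded image and the block device, and run verify_written only after ejecting and re-inserting the medium so the bytes come from the card rather than from the page cache.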

HISTORY

caligula is an open-source project by ifd3f, written in Rust and hosted at https://github.com/ifd3f/caligula. It was created as a friendlier and safer replacement for dd for the everyday task of flashing an OS image to removable media, folding the steps people skip or get wrong (checking the download's hash, picking the right /dev node, confirming that the write actually succeeded) into a single guided flow.

SEE ALSO

dd(1), lsblk(8), sha256sum(1), cmp(1), sync(1), eject(1)
