Security researchers have identified a new Linux kernel rootkit, Syslogk, which uses magic packets to activate backdoors and lets attackers execute remote commands. Avast security researchers David Álvarez and Jan Neduchal published a report on the rootkit and stated that it is based on Adore-Ng, an open-source rootkit released in 2004. The rootkit gives the attacker full control over the compromised system. A kernel rootkit is a type of malware installed as a kernel module.
Magic packets
The new rootkit is capable of force-loading kernel modules by using the force flag, hiding directories and network traffic, and loading a backdoor named Rekoobe. Rekoobe, a piece of code implanted in a legitimate server, is embedded in a fake SMTP server that spawns a shell when it receives a specially crafted command. While it is hard to detect, it is also harder to develop than other malware.
Once it is revealed, the rootkit can be removed from memory with the rmmod Linux command. Syslogk can completely hide the malicious payload by taking the following actions:
- The hk_proc_readdir function of the rootkit hides directories containing malicious files, effectively hiding them from the operating system.
- The malicious processes are hidden via hk_getpr – a mix of Adore-Ng functions for hiding processes.
- The malicious payload is hidden from tools like Netstat; when running, it will not appear in the list of services. For this purpose, the rootkit uses the function hk_t4_seq_show.
- The malicious payload is not continuously running. The attacker starts it remotely on demand by sending a specially crafted TCP packet (details below) to the infected machine; the rootkit inspects incoming traffic for this packet through a netfilter hook it installs.
- It is also possible for the attacker to remotely stop the payload. This requires using a hardcoded key in the rootkit and knowledge of some fields of the magic packet used for remotely starting the payload.
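The readdir-level hiding described above (hk_proc_readdir filtering what a directory listing of /proc returns) can be caught by comparing the listing with direct per-PID lookups, since a hooked readdir usually leaves stat() on /proc/<pid> untouched. This is an added example, not code from the Avast report or from Syslogk; it assumes a Linux host with /proc mounted, and the PID-by-PID probe is a generic brute-force check rather than anything specific to Syslogk's internals.

```python
"""Detect processes missing from the /proc directory listing."""
import os
from typing import Callable, Iterable, Set


def listed_pids(names: Iterable[str]) -> Set[int]:
    """Return the numeric entries of a /proc directory listing."""
    return {int(n) for n in names if n.isdigit()}


def find_hidden_pids(listed: Set[int], probe: Callable[[int], bool],
                     pid_max: int) -> Set[int]:
    """PIDs that a direct probe confirms exist but the listing omits.

    `probe(pid)` returns True when /proc/<pid> can be reached directly.
    Scanning every PID up to pid_max bypasses a hooked readdir, because
    the rootkit only filters the listing, not the lookup of a known name.
    """
    return {pid for pid in range(1, pid_max + 1)
            if pid not in listed and probe(pid)}


def proc_probe(pid: int) -> bool:
    """Direct lookup: stat /proc/<pid> instead of trusting readdir."""
    try:
        os.stat(f"/proc/{pid}")
        return True
    except FileNotFoundError:
        return False
    except PermissionError:
        return True  # the entry exists, we just cannot read it


def read_pid_max(default: int = 32768) -> int:
    """Upper bound for the scan, from the kernel's pid_max if readable."""
    try:
        with open("/proc/sys/kernel/pid_max") as f:
            return int(f.read().strip())
    except OSError:
        return default


if __name__ == "__main__":
    # Live scan. A process that starts between listdir() and stat() looks
    # hidden on the first pass, so re-list and keep only persistent hits.
    hidden = find_hidden_pids(listed_pids(os.listdir("/proc")),
                              proc_probe, read_pid_max())
    still_hidden = hidden - listed_pids(os.listdir("/proc"))
    for pid in sorted(still_hidden):
        print(f"PID {pid} exists but is missing from the /proc listing")
```

A hit means the kernel's directory listing and its name lookup disagree, which is the signature of readdir filtering; it does not identify which rootkit is responsible.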
Avast security researchers said,
« One of the architectural advantages of security software is that it usually has components running in different privilege levels; malware running on less-privileged levels cannot easily interfere with processes running on higher privilege levels, thus allowing more straightforward dealing with malware.
On the other hand, kernel rootkits can be hard to detect and remove because these pieces of malware run in a privileged layer. This is why it is essential for system administrators and security companies to be aware of this kind of malware and write protections for their users as soon as possible. »