Avast researchers have spotted a Linux rootkit that has the ability to hide malicious processes. The new Linux rootkit, called Syslogk, works by using magic packets to activate a dormant backdoor on the device. This rootkit has not been spotted in the wild yet as it’s still in its development stages.
What is Syslogk?
According to the researchers, Syslogk is a Linux rootkit based on Adore-Ng, a classic open-source rootkit. Initially, Adore only supported kernel 2.x, however, recent updates have made it possible to target kernel 3 and above. Adore-Ng is unique because it uses sophisticated techniques to allow attackers to deploy various process hiding actions.
Syslogk rootkit installs itself on infected devices as a kernel module. These modules can intercept Linux commands in real-time to perform the process hiding. It’s often hard to identify Syslogk once it’s loaded as a kernel module due to the rootkit eliminating its entry from the installed modules list. The only way to identify the presence of the rootkit is via an interface, which the proc_write function exposes. You can find this interface in the /proc file system.
What is Rekoobe?
Syslogk can hide various directories, processes, and network traffic on the affected devices. Apart from that, this rootkit can also inspect all TCP traffic, stop payloads and start payloads remotely on demand.
Furthermore, Syslogk can load Rekoobe, a backdoor designed based on an open-source Unix backdoor called TinySHell. Rekoobe functions primarily by providing an attacker with a remote shell on the affected device.
Syslogk’s ability to load Rekoobe is only possible with the help of magic packets sent from the threat actors. Without these magic packets, the Rekoobe backdoor will continue to lay dormant on the compromised device. However, once the rootkit receives the magic packets, it’ll stop/start the backdoor and will normally fly under the radar from any security services/manual audits.
As mentioned earlier, the discovery of Syslogk came from Avast researchers. Here’s what the researchers said about the new rootkit:
“We observed that the Syslogk rootkit (and Rekoobe payload) perfectly align when used covertly in conjunction with a fake SMTP server. Consider how stealthy this could be; a backdoor that does not load until some magic packets are sent to the machine. When queried, it appears to be a legitimate service hidden in memory, hidden on disk, remotely ‘magically’ executed, hidden on the network. Even if it is found during a network port scan, it still seems to be a legitimate SMTP server.”
How does Syslogk hide malicious payloads?
As mentioned earlier, Syslogk can hide malicious payloads on compromised devices. For the rootkit to perform this function, it needs to take a few actions. These actions include:
- Syslogk has an “hk_proc_readdir function”. This function helps to conceal the directories which contain the malicious files.
- Another function you need to know about is the hk_getpr function. It is responsible for hiding all the malicious processes.
- Syslogk uses the hk_t4_seq_show function to conceal malicious payload from power tools, such as Netstat.
- The malicious payloads remain dormant, running until the attacker uses TCP packets to execute them on demand.
Syslogk is still believed to be in its development stages. As such, it’s uncertain whether this rootkit is a threat. However, there’s a high chance that it will be deployed in real attacks in the future.
After further investigation, it looks as though the concept of this rootkit was first posted on seclist.us. The source can be found on saod003’s Github.