A new Linux kernel rootkit dubbed ‘syslogk’ has been spotted in the wild by Avast cybersecurity researchers.
According to an advisory by David Álvarez and Jan Neduchal, syslogk would be able to cloak a malicious payload that could then be remotely controlled by an adversary using a magic network traffic packet.
Avast explained that the rootkit, currently under development, is heavily based on Adore-Ng (an older Linux rootkit) but incorporates new code and functionalities, thus making the user-mode application and the kernel rootkit harder to detect.
“After loading it, you will notice that the malicious driver does not appear in the list of loaded kernel modules when using the lsmod command.”
This is because the rootkit uses a function of the kernel API to remove the module from the linked list of kernel modules.
Additionally, Syslogk can also hide directories containing malicious files, together with malicious processes and payloads.
From a technical standpoint, Avast explained that Syslogk’s malicious payload is not continuously running.
“The attacker remotely executes it on demand when a specially crafted TCP packet [...] is sent to the infected machine, which inspects the traffic by installing a netfilter hook.”
Moreover, the attacker can also remotely stop the payload by using a hardcoded key in the rootkit and some fields of the magic packet used for remotely starting the payload.
Despite these dangerous features, the Avast researchers said Syslogk could be spotted and its payload stopped.
“Fortunately, the rootkit has a functionality implemented in the proc_write function that exposes an interface in the /proc file system which reveals the rootkit when the value 1 is written into the file /proc/syslogk.”
Once revealed, the rootkit can be removed using the rmmod Linux command.
“Kernel rootkits can be hard to detect and remove because these pieces of malware run in a privileged layer,” the Avast researchers warned.
“This is why it is essential for system administrators and security companies to be aware of this kind of malware and write protections for their users as soon as possible.”