A new Linux kernel rootkit dubbed ‘syslogk’ has been spotted in the wild by Avast cybersecurity researchers.
According to an advisory by David Álvarez and Jan Neduchal, Syslogk is able to hide a malicious payload that can then be remotely controlled by an adversary using a magic network packet.
Avast explained that the rootkit, currently under development, is heavily based on Adore-Ng (an older Linux rootkit) but incorporates new code and functionality, making both the user-mode application and the kernel rootkit harder to detect.
“After loading it, you will notice that the malicious driver does not show up in the list of loaded kernel modules when using the lsmod command.”
This is because the rootkit uses a function of the kernel API to remove the module from the linked list of kernel modules.
Moreover, Syslogk can also hide directories containing malicious files, together with malicious processes and payloads.
From a technical standpoint, Avast explained that Syslogk’s malicious payload is not continuously running.
“The attacker remotely executes it on demand when a specially crafted TCP packet […] is sent to the infected machine, which inspects the traffic by installing a netfilter hook.”
In addition, the attacker can also remotely stop the payload by using a hardcoded key in the rootkit and some fields of the magic packet used for remotely starting the payload.
Despite these dangerous capabilities, the Avast researchers said Syslogk can be detected and its payload stopped.
“Fortunately, the rootkit has a functionality implemented in the proc_write function that exposes an interface in the /proc file system which reveals the rootkit when the value 1 is written into the file /proc/syslogk.”
Once revealed, the rootkit can be removed using the rmmod Linux command.
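A defender-side check for the behaviour described above, added here as an example and not code from the Avast advisory: it lists loaded modules that sysfs still knows about but that are missing from /proc/modules (the listing lsmod reads), and wraps the /proc/syslogk reveal step. The /sys/module comparison is a general technique for modules unlinked from the kernel's module list, assumed here rather than taken from the advisory; paths are parameters so the functions can be run against constructed input.

```shell
#!/bin/sh
# Added example, not code from the Avast advisory.
# hidden_modules: print module names that have a sysfs entry with an
# "initstate" file (a loaded loadable module) but no line in the
# /proc/modules listing that lsmod reads. A module unlinked from the
# kernel's module list disappears from lsmod, while its sysfs directory
# typically remains (assumed general behaviour, not a claim from the page).
# Arguments: path to a /proc/modules-style file, path to a /sys/module-style dir.
hidden_modules() {
    proc_modules="$1"
    sys_module_dir="$2"
    for d in "$sys_module_dir"/*/; do
        [ -d "$d" ] || continue
        name=$(basename "$d")
        # built-in code also gets /sys/module entries; only loaded
        # modules carry an initstate file
        [ -f "$d/initstate" ] || continue
        if ! grep -q "^$name " "$proc_modules"; then
            echo "$name"
        fi
    done
}

# reveal_syslogk: perform the unhide step the advisory describes (write 1 to
# /proc/syslogk) and report whether the module then shows in the module list.
# Returns 0 if syslogk became visible, 1 if the proc file does not exist
# (no rootkit interface present) or the module is still not listed.
# Arguments default to the real paths; both can be overridden for testing.
reveal_syslogk() {
    procfile="${1:-/proc/syslogk}"
    proc_modules="${2:-/proc/modules}"
    [ -e "$procfile" ] || return 1
    echo 1 > "$procfile"
    grep -q '^syslogk ' "$proc_modules"
}

# Usage on a live system (requires root):
#   hidden_modules /proc/modules /sys/module
#   reveal_syslogk && rmmod syslogk
```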
“Kernel rootkits can be hard to detect and remove since these pieces of malware operate in a privileged layer,” the Avast researchers warned.
“This is why it is crucial for system administrators and security companies to be aware of this type of malware and develop protections for their customers as soon as possible.”