Syslogk Rootkit. Executing Bots via "Magic Packets"
The proliferation of open source Linux kernel rootkits allows malware writers to speed up the process of developing complex malware. This study analyzes the Syslogk Linux kernel rootkit family, which reuses code from Adore-Ng. Syslogk makes it possible to remotely execute arbitrary commands and a hidden bot in different modes via "magic packets". Analyzing "magic packets" in reasonable time is a challenging task. Furthermore, the hidden bot implements a proxy mode that allows the IP address of the attacker to be hidden while executing commands on other infected machines. This new botnet structure can also inspire future Linux threats, including IoT
Copyright (c) 2023 David Álvarez Pérez
This work is licensed under a Creative Commons Attribution 4.0 International License.