Vol. 8 No. 1 (2023): Proceedings of Botconf 2023
Conference proceedings

Syslogk Rootkit. Executing Bots via "Magic Packets"

PDF
  • David Álvarez Pérez
David Álvarez Pérez
Avast Software s.r.o. (Gen Digital Inc.)

Published 2023-05-02

Keywords

  • Syslogk,
  • Rootkit,
  • Botnet,
  • Netfilter

Copyright (c) 2023 David Álvarez Pérez (Author)

Creative Commons License

This work is licensed under a Creative Commons Attribution 4.0 International License.

How to Cite

Álvarez Pérez, D. (2023). Syslogk Rootkit. Executing Bots via "Magic Packets". The Journal on Cybercrime and Digital Investigations, 8(1), 41-48. https://doi.org/10.18464/cybin.v8i1.41

Download Citation

Abstract

The proliferation of open source Linux kernel rootkits allows malware writers to speed up the process of developing complex malware. This study analyzes the Syslogk Linux kernel rootkit family which reuses code of Adore-Ng. Syslogk allows to remotely execute arbitrary commands and a hidden bot in different modes via "magic packets". Analyzing "magic packets" in reasonable time is a challenging task. Furthermore, the hidden bot, implements a proxy mode that allows to hide the IP address of the attacker while executing commands in other infected machines. This new botnet structure can also inspire future Linux threats, including IoT threats.

PDF

References

  1. “Linux Threat Hunting ‘syslogk’ a kernel rootkit found under development in the wild.” Avast. Accessed: 2023-02-26.
  2. “Syslogk rootkit malware sample.” VirusTotal. Accessed: 2023-02-26.
  3. “Syslogk bot malware sample.” VirusTotal. Accessed: 2023-02-26.
  4. “Reptile linux kernel rootkit.” https://github.com/f0rb1dd3n/Reptile. Accessed: 2023-02-26.
  5. “RKDuck linux kernel rootkit.” https://github.com/QuokkaLight/rkduck. Accessed: 2023-02-26.
  6. “KoviD linux kernel rootkit.” https://github.com/carloslack/KoviD. Accessed: 2023-02-26.
  7. “Adore-NG linux kernel rootkit.” https://github.com/yaoyumeng/adore-ng. Accessed: 2023-02-26.
  8. R. Rosen and R. Rosen, “Netfilter,” Linux Kernel Networking: Implementation and Theory, pp. 247–278, 2014.
  9. J. Junnila, “Effectiveness of linux rootkit detection tools,” 2020.
  10. “Toy Linux kernel rootkit with basic keylogging and backdoor capabilities.” https://github.com/soad003/rootkit/blob/master/rootkit.c#L136. Accessed: 2023-02-26.
  11. “Out-of-Sight-Out-of-Mind-Rootkit linux kernelrootkit.” https://github.com/NinnOgTonic/Out-of-Sight-Out-of-Mind-Rootkit/blob/master/osom.c#L211. Accessed: 2023-02-26.
  12. X. Zhu, S.Wen, S. Camtepe, and Y. Xiang, “Fuzzing: a survey for roadmap,” ACM Computing Surveys (CSUR), vol. 54, no. 11s, pp. 1–36, 2022.
  13. “Syslogk research tools.” https://github.com/avast/ioc/tree/master/SyslogkRootkit/Research%20ToolsAvast. Accessed: 2023-02-26.
  14. “Microsoft z3 theorem prover.” https://github.com/Z3Prover/z3. Accessed: 2023-02-26.
  15. A. BOVE, A. KRAUSS, and M. SOZEAU, “Partiality and recursion in interactive theorem provers – an overview,” Mathematical Structures in Computer Science, vol. 26, no. 1, p. 38–88, 2016.
  16. G. Sutcliffe and C. Suttner, “Evaluating general purpose automated theorem proving systems,” Artificial Intelligence, vol. 131, no. 1, pp. 39–54, 2001.
  17. R. Love, Linux Kernel Development: Linux Kernel Development _p3. Pearson Education, 2010.
  18. “Kernel Probes documentation.” https://docs.kernel.org/trace/kprobes.html. Accessed: 2023-02-26.
  19. R. Krishnakumar, “Kernel korner: kprobes-a kernel debugger,” Linux Journal, vol. 2005, no. 133, p. 11, 2005.
  20. “Spotify KProbes examples linux kernel module.” https://github.com/spotify/linux/tree/master/samples/kprobes. Accessed: 2023-02-26.
  21. J. Wang, P. Zhao, and H. Ma, “Hacs: A hypervisor-based access control strategy to protect security-critical kernel data,” in 2nd International Conference on Computer Science and Technology (CST 2017). Guilin, China, DOI: https://doi.org/10.12783/dtcse/cst2017/12516, 2017.
  22. C. Kruegel,W. Robertson, and G. Vigna, “Detecting kernel-level rootkits through binary analysis,” in 20th Annual Computer Security Applications Conference, pp. 91–100, 2004.
  23. Z. Wang, X. Jiang, W. Cui, and P. Ning, “Countering kernel rootkits with lightweight hook protection,” in Proceedings of the 16th ACM Conference on Computer and Communications Security, CCS’09, (New York, NY, USA), p. 545–554, Association for Computing Machinery, 2009.
  24. C. Kruegel,W. Robertson, and G. Vigna, “Detecting kernel-level rootkits through binary analysis,” in 20th Annual Computer Security Applications Conference, pp. 91–100, IEEE, 2004.
  25. M. L. Bak, L. Buttyán, and D. F. Papp, “Tee-based remote platform attestation,‍
  26. R. Baldoni, E. Coppa, D. C. D’elia, C. Demetrescu, and I. Finocchi, “A survey of symbolic execution techniques,” ACM Computing Surveys (CSUR), vol. 51, no. 3, pp. 1–39, 2018.
  27. K. Sen, “Concolic testing,” in Proceedings of the twenty-second IEEE/ACMinternational conference on Automated software engineering, pp. 571–572, 2007.