A new covert Linux kernel rootkit named Syslogk has been spotted under development in the wild and cloaking a malicious payload that can be remotely commandeered by an adversary using a magic network traffic packet.
“The Syslogk rootkit is heavily based on Adore-Ng but incorporates new functionalities making the user-mode application and the kernel rootkit hard to detect,” Avast security researchers David Álvarez and Jan Neduchal said in a report published Monday.
Adore-Ng, an open-source rootkit available since 2004, equips the attacker with full control over a compromised system. It also facilitates hiding processes as well as custom malicious artefacts, files, and even the kernel module, making it harder to detect.
“The module starts by hooking itself into various file systems. It digs up the inode for the root filesystem, and replaces that inode’s readdir() function pointer with one of its own,” LWN.net noted at the time. “The Adore version performs like the one it replaces, except that it hides any files owned by a specific user and group ID.”
Besides its ability to hide network traffic from utilities like netstat, the rootkit conceals a payload named “PgSD93ql,” a compiled C backdoor trojan named Rekoobe, which is started only when the rootkit receives a magic packet.
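Two of the hiding techniques described above (a hooked readdir() that filters directory listings, and a kernel module that does not show up in the module list) leave inconsistencies that a defender can check for without any knowledge of the specific rootkit. The script below is an added example, not Avast's tooling or anything from the Syslogk or Adore-Ng code: it compares a directory's link count with the number of subdirectories readdir() actually returns, and compares /proc/modules against the loadable modules registered under /sys/module. The sample module list and the `hidden_mod` name are constructed for the example.

```python
"""Consistency checks for file and kernel-module hiding (added example).

1. On ext4, xfs and tmpfs a directory's st_nlink is 2 plus its number of
   subdirectories (each child's ".." links back to the parent). A readdir()
   hook changes what os.listdir() returns but not the inode's link count,
   so a gap between the two is a signal worth investigating.
2. Every loadable module registers a directory under /sys/module that
   contains an "initstate" file; built-in modules have no such file.
   A module that is in that set but missing from /proc/modules has been
   unlinked from the module list that lsmod reads.
"""
import os

# Constructed sample of /proc/modules text (name is the first field).
SAMPLE_PROC_MODULES = (
    "ext4 950272 2 - Live 0xffffffffc0a00000\n"
    "xor 24576 1 ext4, Live 0xffffffffc09f0000\n"
)

# Constructed sample of /sys/module entries that carry an "initstate" file;
# "hidden_mod" is a placeholder for a module unlinked from /proc/modules.
SAMPLE_SYSFS_LIVE = {"ext4", "xor", "hidden_mod"}


def parse_proc_modules(text):
    """Return the set of module names in /proc/modules-format text."""
    names = set()
    for line in text.splitlines():
        fields = line.split()
        if fields:
            names.add(fields[0])
    return names


def hidden_modules(proc_modules_text, live_sysfs_names):
    """Modules visible to sysfs as loaded but absent from /proc/modules."""
    return set(live_sysfs_names) - parse_proc_modules(proc_modules_text)


def live_sysfs_modules(sys_module="/sys/module"):
    """Collect loadable (non built-in) module names from sysfs."""
    names = set()
    try:
        for name in os.listdir(sys_module):
            if os.path.exists(os.path.join(sys_module, name, "initstate")):
                names.add(name)
    except OSError:
        pass  # no sysfs (e.g. a container without /sys mounted)
    return names


def hidden_subdirs(listed_subdir_count, dir_nlink):
    """Subdirectories implied by the link count but missing from the listing.

    Returns 0 when dir_nlink is 1, which is what btrfs reports for every
    directory, so the heuristic does not apply there.
    """
    if dir_nlink < 2:
        return 0
    return max(0, dir_nlink - 2 - listed_subdir_count)


def check_directory(path):
    """Run the link-count heuristic against a real directory."""
    # Symlinks to directories do not contribute a ".." link, so count only
    # real subdirectories.
    with os.scandir(path) as it:
        listed = sum(1 for e in it if e.is_dir(follow_symlinks=False))
    return hidden_subdirs(listed, os.stat(path).st_nlink)


def check_modules():
    """Run the module-list comparison against the live system."""
    try:
        with open("/proc/modules") as f:
            proc_text = f.read()
    except OSError:
        return set()
    return hidden_modules(proc_text, live_sysfs_modules())


if __name__ == "__main__":
    print("sample hidden modules:", hidden_modules(SAMPLE_PROC_MODULES, SAMPLE_SYSFS_LIVE))
    print("live hidden modules:", check_modules())
    for d in ("/etc", "/tmp"):
        if os.path.isdir(d):
            print(f"{d}: {check_directory(d)} subdirectories not listed")
```

Both checks are heuristics: a directory on btrfs, or a race against a process creating subdirectories while the listing runs, can produce a gap with no rootkit involved, and a rootkit that also patches the stat path or sysfs would evade them. They are cheap to run from a live-response script and are useful precisely because they rely on kernel bookkeeping rather than on the names of known malicious files.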