KNOWLEDGE SERIES

We record all our sessions so that you can watch at your convenience

SYSLOGK LINUX KERNEL ROOTKIT: EXECUTING BOTS VIA “MAGIC PACKETS”

24 August 2023 | 5:30 PM SGT

Syslogk Linux kernel rootkit: Executing Bots via “Magic Packets” 

David Álvarez
Senior Malware Analyst, Avast
Author, Ghidra Software Reverse Engineering for Beginners

David Álvarez is a senior malware analyst bringing more than 8 years’ experience in the IT industry and deep knowledge of IoT malware to Avast. He is also author of the book “Ghidra Software Reverse Engineering for Beginners”.

In November 2022, we discovered a new version of the Syslogk Linux kernel rootkit affecting the x86 and x86_64 processor architectures (it depends on the udis86 disassembler). We were not surprised, as the first version we found was likely still under development in the wild.

Like other rootkits, Syslogk hides itself from the list of Linux kernel modules, and hides directories containing malicious files, malicious processes, and the listening connections of the bot running on the infected machine (i.e., netstat does not show the connections). These features are probably inspired by Adore-Ng; we identified many similarities between the code of both rootkits.

What makes Syslogk interesting is that the hidden bot does not run continuously on the system. Instead, it is started or stopped on demand, remotely, via magic packets. In other words, the attacker can start the bot on demand by sending a specially crafted packet to the victim's machine.

The new version we discovered was developed for a newer Linux kernel version (3.10.0-957.el7.x86_64) and uses more complex magic packets, 10 encryption keys, and three different encryption algorithms. 

The presentation will cover Syslogk Linux kernel rootkit and its evolution. 
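The three hiding behaviours the abstract lists (module hidden from lsmod, processes hidden from ps, listening sockets hidden from netstat) share a weakness: each tampers with one enumeration path and leaves another intact. The script below is an added example of the cross-checks a responder would run on a suspect host; it is generic userland detection logic, not code from the talk or from the Syslogk analysis, and it assumes a Linux /proc and /sys layout on a little-endian host. The sample /proc/net/tcp text embedded in it is constructed for illustration.

```python
"""Cross-check /proc and /sys views that a kernel rootkit typically hides inconsistently."""
import errno
import os
import socket

LISTEN = "0A"  # TCP state code for LISTEN in /proc/net/tcp

# Constructed sample of /proc/net/tcp (not captured from a real host):
# one LISTEN socket on 127.0.0.1:631 and one ESTABLISHED connection.
SAMPLE_PROC_NET_TCP = (
    "  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode\n"
    "   0: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0\n"
    "   1: 0F02000A:9C40 0100000A:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 23456 1 0000000000000000 20 4 30 10 -1\n"
)


def parse_proc_modules(text):
    """Return {name: state} from /proc/modules text.
    Line format: name size refcount dependencies state load_address ('-' means no deps)."""
    mods = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 5:
            mods[parts[0]] = parts[4]
    return mods


def sysfs_loaded_module_names(sysfs_root="/sys/module"):
    """Loadable modules seen by sysfs. Built-in modules also get a /sys/module/<name>
    directory, but only dynamically loaded ones carry an 'initstate' attribute."""
    return [n for n in os.listdir(sysfs_root)
            if os.path.exists(os.path.join(sysfs_root, n, "initstate"))]


def hidden_modules(proc_modules_text, sysfs_loaded_names):
    """Modules present in sysfs but unlinked from the list behind /proc/modules (what lsmod reads)."""
    return set(sysfs_loaded_names) - set(parse_proc_modules(proc_modules_text))


def listed_pids():
    """PIDs as ps/top see them: the readdir() view of /proc."""
    return {int(n) for n in os.listdir("/proc") if n.isdigit()}


def probe_pids(pid_max):
    """Brute-force direct lookups of /proc/<pid>; rootkits that filter the
    directory iterator usually leave path lookup alone."""
    found = set()
    for pid in range(1, pid_max + 1):
        try:
            os.stat(f"/proc/{pid}")
            found.add(pid)
        except OSError:
            pass
    return found


def hidden_pids(listed, probed):
    """PIDs reachable by lookup but filtered out of the listing. Processes that exit
    between the two passes are false positives, so confirm hits with a second pass."""
    return set(probed) - set(listed)


def parse_listening_sockets(proc_net_tcp_text):
    """Return [(ip, port, inode)] for LISTEN rows of /proc/net/tcp.
    Addresses are hex; the IPv4 bytes are in host order (reversed on little-endian)."""
    out = []
    for line in proc_net_tcp_text.splitlines()[1:]:  # skip the header row
        parts = line.split()
        if len(parts) < 10 or parts[3] != LISTEN:
            continue
        hexip, hexport = parts[1].split(":")
        ip = socket.inet_ntoa(bytes.fromhex(hexip)[::-1])
        out.append((ip, int(hexport, 16), int(parts[9])))
    return out


def port_in_use_but_unlisted(port, listed_ports):
    """unhide-tcp style check: bind() failing with EADDRINUSE on a port that
    /proc/net/tcp does not show as LISTEN indicates a hidden listener.
    Ports below 1024 need root, otherwise bind() fails with EACCES and we report False."""
    if port in listed_ports:
        return False
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        s.bind(("0.0.0.0", port))
        return False
    except OSError as e:
        return e.errno == errno.EADDRINUSE
    finally:
        s.close()


if __name__ == "__main__":
    with open("/proc/modules") as f:
        print("modules hidden from lsmod:", hidden_modules(f.read(), sysfs_loaded_module_names()))
    with open("/proc/sys/kernel/pid_max") as f:
        pid_max = int(f.read())
    print("pids hidden from ps:", hidden_pids(listed_pids(), probe_pids(pid_max)))
    with open("/proc/net/tcp") as f:
        listeners = parse_listening_sockets(f.read())
    print("visible TCP listeners:", listeners)
    visible_ports = {port for _, port, _ in listeners}
    suspicious = [p for p in range(1024, 65536) if port_in_use_but_unlisted(p, visible_ports)]
    print("ports in use but absent from /proc/net/tcp:", suspicious)
```

Each check compares two kernel-provided views that a rootkit must tamper with separately; a mismatch is not proof of infection (a module being unloaded or a process exiting mid-scan produces the same symptom), so repeat a positive result before acting on it, and run the script from a binary copied onto the host rather than one that may already be hooked.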

Disrupt the thought, and address the cause

Ken Soh
Group Chief Information Officer & CEO, Athena Dynamics
SGTech Cyber Security Chapter Chair, Singapore

Ken Soh holds concurrent appointments as Group CIO of BH Global since 3 March 2014 and as the founding CEO of Athena Dynamics Pte Ltd (“Athena Dynamics”) since 15 July 2014. Ken has more than 30 years of working experience in the Information and Communication Technologies (ICT) industry. Prior to joining BH Global, Ken held various C-level positions in the public and private sectors, with operational and business leadership responsibilities including ICT master planning and P&L.

Today, unfortunately, our cyber threat landscape is more challenging than ever. Serious breaches continue to reach the headlines despite substantial investment in cyber protection technologies. This presentation focuses on the common oversights of mainstream paradigms, and addresses the cause rather than the effect from the perspectives of Infra Sec, App Sec and DFIR (Digital Forensics and Incident Response).