What You Need to Know About Linux Rootkits [Updated]

    Date 20 Jun 2020
    Posted By Brittany Day


    Rootkits are an effective way for attackers to hide their tracks and keep access to the machines over which they have gained control. Read on to learn about rootkits, how to detect them and how to prevent them from being installed on your system in the first place.

    What is a Rootkit?

    A rootkit is a set of software tools an attacker uses to cover his or her tracks. Rootkits can also contain software that lets the attacker obtain root access and steal or remove files on a system. This works by abusing a vulnerable program to obtain root privileges from a regular user account, a technique called privilege escalation: the vulnerable application, or a person using it, is tricked into doing something it shouldn't, ultimately yielding root privileges.

    One of the main goals of a threat actor is often to maintain access to a hijacked computer, and rootkits can be very helpful in doing this. Rootkits can also be leveraged to steal sensitive information from a compromised computer or to conceal other malware. In some cases, rootkits are used to turn a hijacked computer into a "zombie" computer, which can be used to launch attacks on other systems and operate botnets.

    Modern rootkits are typically bundled with payloads, and are used to hide these payloads. Because the payloads that accompany these rootkits are malicious, the majority of modern rootkits are classified as malware. 

    Rootkits can either be installed on a system automatically, or by an attacker who has already obtained root (or administrative) access to it. Root access can be gained through a direct attack on the system, the exploitation of a known vulnerability, or a password obtained using tactics such as cracking or phishing. In certain instances, rootkits are intentionally installed by an authorized user for purposes such as enforcing digital rights management (DRM), detecting threats (for instance, in a honeypot or honeynet), or enhancing security or emulation software.

    Well-built rootkits are very difficult to detect and remove; they can run on a computer for an extended period of time without the owner's knowledge. Just last month, researchers at Intezer identified an undetected Linux rootkit which hid SSH connections by hooking fopen on /dev/net/tcp and concealed itself by hooking readdir. At the time of discovery, the threat was undetected by all engines in VirusTotal.
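    A readdir hook of the kind described above lives in user space (typically via LD_PRELOAD or a patched libc), so a classic cross-view check catches it: list a directory once through libc's opendir/readdir and once through the raw getdents64 system call, then report any name the kernel returned that libc did not. The program below is an added example written for this article, not Intezer's tooling or code from the rootkit; the function and type names are the author's own choices. A rootkit that filters inside the kernel would defeat this particular check, since both views would then agree.

```c
/* Cross-view directory check: compare libc readdir() with raw getdents64.
 * Added example, not code from the article or from Intezer. */
#define _GNU_SOURCE
#include <dirent.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Record layout returned by the getdents64 system call. */
struct linux_dirent64 {
    unsigned long long d_ino;
    long long          d_off;
    unsigned short     d_reclen;
    unsigned char      d_type;
    char               d_name[];
};

#define MAX_NAMES 4096   /* fixed storage keeps the example self-contained */
#define NAME_LEN  256

typedef struct {
    int  n;
    char names[MAX_NAMES][NAME_LEN];
} name_list;

static void add_name(name_list *l, const char *name) {
    if (l->n >= MAX_NAMES) return;
    strncpy(l->names[l->n], name, NAME_LEN - 1);
    l->names[l->n][NAME_LEN - 1] = '\0';
    l->n++;
}

/* View 1: what libc's readdir() reports (the hookable path). */
static int list_via_libc(const char *path, name_list *out) {
    DIR *d = opendir(path);
    if (!d) return -1;
    out->n = 0;
    struct dirent *e;
    while ((e = readdir(d)) != NULL)
        add_name(out, e->d_name);
    closedir(d);
    return out->n;
}

/* View 2: what the kernel reports through the raw getdents64 syscall. */
static int list_via_syscall(const char *path, name_list *out) {
    int fd = open(path, O_RDONLY | O_DIRECTORY);
    if (fd < 0) return -1;
    out->n = 0;
    char buf[32768];
    for (;;) {
        long nread = syscall(SYS_getdents64, fd, buf, sizeof buf);
        if (nread <= 0) break;             /* 0: end of directory, <0: error */
        for (long pos = 0; pos < nread; ) {
            struct linux_dirent64 *e = (struct linux_dirent64 *)(buf + pos);
            add_name(out, e->d_name);
            pos += e->d_reclen;
        }
    }
    close(fd);
    return out->n;
}

static int contains(const name_list *l, const char *name) {
    for (int i = 0; i < l->n; i++)
        if (strcmp(l->names[i], name) == 0) return 1;
    return 0;
}

/* Returns the number of entries the kernel returned but libc readdir()
 * omitted (0 on a clean system), printing each such name.
 * Returns -1 if the directory cannot be opened. */
int count_hidden_entries(const char *path) {
    static name_list libc_view, raw_view;  /* static: too large for the stack */
    if (list_via_libc(path, &libc_view) < 0) return -1;
    if (list_via_syscall(path, &raw_view) < 0) return -1;
    int hidden = 0;
    for (int i = 0; i < raw_view.n; i++) {
        if (!contains(&libc_view, raw_view.names[i])) {
            printf("hidden from readdir(): %s/%s\n", path, raw_view.names[i]);
            hidden++;
        }
    }
    return hidden;
}

int main(int argc, char **argv) {
    const char *dir = argc > 1 ? argv[1] : "/tmp";
    int h = count_hidden_entries(dir);
    if (h < 0) { perror(dir); return 2; }
    printf("%s: %d entries hidden from libc readdir()\n", dir, h);
    return h > 0 ? 1 : 0;   /* non-zero exit when a discrepancy is found */
}
```

Run it against directories a rootkit would care about (/usr/lib, /etc, /tmp, a user's home) and treat any non-zero count as a finding to investigate; the same two-view idea extends to processes (/proc via libc versus raw getdents64) and to the /dev/net/tcp hook mentioned above, where a libc fopen read can be compared with a read through a raw open/read syscall pair.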

    In fact, one of the hashes was referenced in the discovery of the coinminer Kinsing botnet attack, where attackers exploited vulnerabilities in the popular SaltStack infrastructure automation software to infect cloud servers.

    We spoke with Ari Eitan, VP of Research at the malware analysis company Intezer, who explains: "The Linux threat ecosystem is heavily concentrated with financial driven crypto-miners and DDoS botnet tools which primarily target vulnerable servers. Recently, we have seen an increase in sophisticated threats such as rootkits, which are a very effective way for attackers to hide their tracks on a victim's machine."

    Rootkits are written for many different operating systems; however, this article will solely examine Linux rootkits.
