Discover LinuxSecurity Features
What You Need to Know About Linux Rootkits [Updated]
Rootkits are an effective way for attackers to hide their tracks and keep access to the machines over which they have gained control. Read on to learn about rootkits, how to detect them and how to prevent them from being installed on your system in the first place.
What is a Rootkit?
A rootkit is a group of software tools used by an attacker to cover his or her tracks. Rootkits can also contain software which allows the attacker to obtain root access and steal or remove files on a system. This works by using a vulnerable program to obtain root privileges as a regular user, called privilege escalation. This occurs by tricking this vulnerable application, or a person using the vulnerable application, to do something it shouldn’t, ultimately resulting in root privileges.
One of main goals of the threat actor is often to maintain access to a hijacked computer - and rootkits can be very helpful in doing this. Rootkits can also be leveraged to steal sensitive information on a compromised computer or to conceal other malware. In some cases, rootkits are used to turn a hijacked computer into a “Zombie” computer, which can be used to launch attacks on other systems and operate botnets.
Modern rootkits are typically bundled with payloads, and are used to hide these payloads. Because the payloads that accompany these rootkits are malicious, the majority of modern rootkits are classified as malware.
Rootkits can either be installed on a system automatically, or by an attacker who has obtained root (or Administrative) access to a system. Root access can be gained through a direct attack on the system, the exploitation of a known vulnerability or a password that has been obtained using tactics such as cracking or phishing. In certain instances, rootkits are intentionally installed by an authorized user for purposes such as enforcing digital rights management (DRM), detecting threats - for instance, in a honeypot or honeynet - or enhancing security or emulation software.
Good rootkits are very difficult to detect and remove - they can be running on one's computer without his or her knowledge for an extended period of time. Just last month, researchers at Intezer identified an undetected Linux rootkit which hid SSH connections by hooking fopen on /dev/net/tcp and concealed itself via hooking readdir. At the time of discovery, the threat was undetected by all engines in VirusTotal.
In fact, one of the hashes was referenced in the discovery of the coinminer Kinsing botnet attack, where attackers exploited vulnerabilities in the popular SaltStack infrastructure automation software to infect cloud servers.
We spoke with Ari Eitan, VP of Research at the malware analysis company Intezer, who explains: "The Linux threat ecosystem is heavily concentrated with financial driven crypto-miners and DDoS botnet tools which primarily target vulnerable servers. Recently, we have seen an increase in sophisticated threats such as rootkits, which are a very effective way for attackers to hide their tracks on a victim’s machine.”
Rootkits are written for many different operating systems; however, this article will solely examine Linux rootkits.