Advisories

Discover LinuxSecurity Features

What You Need to Know About Linux Rootkits [Updated] - Types of Rootkits

What You Need to Know About Linux Rootkits [Updated] - Types of Rootkits

Types of Rootkits

User-Mode Rootkits:

The simplest type of rootkit and the easiest type to detect and remove operates at the user level. These rootkits can replace a user application with a modified program of their own. They are fairly easy to detect because one can trust the kernel of the operating system. User-mode rootkits can be injected through a variety of different mechanisms including the use of vendor-supplied application extensions, the interception of messages, debuggers, the exploitation of security bugs or API patching.

Kernel-Mode Rootkits:

Another type of rootkit operates at the kernel level. These rootkits are harder to find and remove because one can't fully trust the kernel on which the rootkit has been installed. Malicious hackers have the ability to delete logs and replace system calls in order to hide their tracks. This type of rootkit is usually installed as a Linux Kernel Module (LKM).  Some common kernel-mode rootkit variants include bootkits - or rootkits that can infect startup code like the Master Boot Record, firmware and hardware. 

Here is a tutorial that explains how to write a very simple LKM that will allow you to get instant root on whichever machine it is installed on. Modules like this one can be used to masquerade the actions of a threat actor.

Here is a list of awesome user-mode and kernel-mode rootkits - mainly for older kernels - you’ll want to check out.

Comments (0)

There are no comments posted here yet

Please enable / Bitte aktiviere JavaScript!
Veuillez activer / Por favor activa el Javascript![ ? ]

We use cookies to provide and improve our services. By using our site, you consent to our Cookie Policy.