David Álvarez Pérez
Last known affiliation: Gen™
Bio: David Álvarez Pérez is a malware analyst at Avast and the author of the book Ghidra Software Reverse Engineering for Beginners. He has more than 7 years of experience in IT. He started working for a company mostly reverse engineering banking malware and helping to automate the process. After that, he joined the critical malware department of an antivirus company and later worked as a security researcher at another company for more than three years. He is currently working as a senior malware analyst at Gen™.
Abstract
In November 2022, we discovered a new version of the Syslogk Linux kernel rootkit affecting the x86 and x86_64 processor architectures (the rootkit depends on the udis86 disassembler). We were not surprised, as the first version we found was likely still under development in the wild.
Like other rootkits, Syslogk hides itself from the list of Linux kernel modules, and hides directories containing malicious files, malicious processes, and the listening connections of the bot running on the infected machine (i.e. netstat does not show the connections). These features are probably inspired by Adore-Ng; we identified many similarities between the two rootkits' code.
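The hiding features above all work by filtering what one kernel interface reports, so a defender's standard check is a cross-view comparison: collect the same inventory through two independent paths and investigate anything present in one but absent from the other. The following Python is an added example and is not code from the talk or from the Syslogk authors; it does not model how Syslogk hooks the kernel. It parses the real /proc/net/tcp and /proc/modules formats, but the sample contents, the second view (assumed to come from a separately collected netlink sock_diag listing, which is what `ss` uses) and the module name `example_hidden_mod` are constructed for the demonstration.

```python
# Added example (not from the talk or the Syslogk authors): cross-view checks a
# defender can run to spot listening sockets and kernel modules that one kernel
# interface hides while another still reports them. All sample data below is
# constructed, not captured from an infected host.
from typing import List, Set, Tuple

Listener = Tuple[str, int, int]  # (ipv4, port, inode)

# Constructed /proc/net/tcp content. local_address is little-endian hex IPv4 and
# big-endian hex port; state 0A is LISTEN. A listener on port 8080 is absent,
# as it would be if a rootkit filtered this procfs view.
PROC_NET_TCP_SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0CEA 00000000:0000 0A 00000000:00000000 00:00000000 00000000   108        0 12346 1 0000000000000000 100 0 0 10 0
   2: 0100007F:0CEA 0100007F:9E2A 01 00000000:00000000 00:00000000 00000000   108        0 12347 1 0000000000000000 20 4 30 10 -1
"""

# Constructed second view of the same host, assumed to be collected through an
# independent path such as netlink sock_diag (used by `ss`). It still contains
# the listener that is missing from the procfs view.
SOCK_DIAG_SAMPLE: Set[Listener] = {
    ("0.0.0.0", 22, 12345),
    ("127.0.0.1", 3306, 12346),
    ("0.0.0.0", 8080, 12399),
}

# Constructed /proc/modules content: name size refcount deps state offset.
PROC_MODULES_SAMPLE = """\
xfs 1234567 1 - Live 0xffffffffc0400000
libcrc32c 16384 1 xfs, Live 0xffffffffc03f0000
"""

# Constructed set of /sys/module entries that carry an initstate file (assumed
# collected separately). Only loaded loadable modules have initstate, built-ins
# do not, so this set is comparable with /proc/modules. example_hidden_mod is
# a placeholder name for a module unlinked from the /proc/modules list.
SYSFS_MODULES_SAMPLE: Set[str] = {"xfs", "libcrc32c", "example_hidden_mod"}


def hex_to_ipv4(h: str) -> str:
    """Decode the little-endian 8-hex-digit IPv4 form used by /proc/net/tcp."""
    return ".".join(str(b) for b in reversed(bytes.fromhex(h)))


def parse_proc_net_tcp(text: str) -> Set[Listener]:
    """Return the LISTEN sockets (state 0A) visible in a /proc/net/tcp dump."""
    listeners: Set[Listener] = set()
    for line in text.splitlines()[1:]:  # first line is the column header
        fields = line.split()
        if len(fields) < 10:
            continue
        local, state, inode = fields[1], fields[3], fields[9]
        if state != "0A":
            continue
        addr_hex, port_hex = local.split(":")
        listeners.add((hex_to_ipv4(addr_hex), int(port_hex, 16), int(inode)))
    return listeners


def find_hidden_listeners(proc_text: str, independent_view: Set[Listener]) -> List[Listener]:
    """Listeners the independent view reports but procfs does not; each one is worth a look."""
    return sorted(independent_view - parse_proc_net_tcp(proc_text))


def parse_proc_modules(text: str) -> Set[str]:
    """Return the module names listed in a /proc/modules dump (what lsmod reads)."""
    return {line.split()[0] for line in text.splitlines() if line.strip()}


def find_hidden_modules(proc_text: str, sysfs_names: Set[str]) -> List[str]:
    """Modules present in sysfs but missing from /proc/modules.

    A rootkit can hide from both views at once, so an empty result is not
    proof of a clean host; a non-empty one is a strong lead.
    """
    return sorted(sysfs_names - parse_proc_modules(proc_text))


if __name__ == "__main__":
    print("hidden listeners:", find_hidden_listeners(PROC_NET_TCP_SAMPLE, SOCK_DIAG_SAMPLE))
    print("hidden modules:", find_hidden_modules(PROC_MODULES_SAMPLE, SYSFS_MODULES_SAMPLE))
```

On a live host the two views would be read from the kernel rather than from the constructed strings; the value of the check lies in the two collection paths being independent, so a hook on the procfs sequence handlers alone cannot reconcile them.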
What makes Syslogk interesting is that the hidden bot does not run continuously in the system. Instead, it is started or stopped on demand, remotely, via magic packets. In other words, the attacker can start the bot on demand by sending a specially crafted packet to the victim's machine.
The new version we discovered was developed for a newer Linux kernel version (3.10.0-957.el7.x86_64) and uses more complex magic packets, 10 encryption keys, and three different encryption algorithms.