Syslogk Linux Kernel Rootkit – Executing Bots via “Magic Packets”
In November 2022, we discovered a new version of the Syslogk Linux kernel rootkit affecting x86 and x86_64 processor architectures (udis86 disassembler dependency). We were not surprised, as the first version we found was likely still under development in the wild.
Like other rootkits, Syslogk hides from the list of Linux kernel modules, and hides directories containing malicious files, malicious processes, and the listening connections from the bot running in the infected machine (i.ex. Netstat doesn’t show the connections). These features are probably inspired by Adore-Ng. We identified many similarities between both rootkits’ codes.
What makes Syslogk interesting is that the hidden bot does not continuously run in the system. Instead, it starts or stops on-demand, remotely via magic packets. In other words, the attacker can start the bot on-demand by sending a specially crafted packet to the victim’s machine.
The new version we discovered was developed for a newer Linux kernel version (3.10.0-957.el7.x86_64) and uses more complex magic packets, 10 encryption keys, and three different encryption algorithms.