2023 Source Zero Con

Current State of Linux Rootkits

Friday, June 23  |  11:45 a.m. - 12:30 p.m. ET

Linux rootkits are a type of malicious software that has been around for decades. They are post-exploitation tools designed to provide persistent access to a system while hiding their own presence, or the presence of any other object on that system (files, processes, network connections, users). As the world races towards increased digitization, threat actors have grown increasingly sophisticated, and the rootkits they develop have grown with them.

Rootkits are particularly insidious because they subvert the underlying OS itself. A rootkit does not grant administrator-level access; it is installed once an attacker already has it. From that position it can modify system settings, execute hidden commands, steal sensitive information, and disrupt normal operations without the end user realizing anything is wrong.

In recent years, the evolution of Linux rootkits has accelerated, driven by a growing segment of malicious threat actors on the Internet. In addition to utilizing extended capabilities of the Linux OS (such as eBPF), many rootkits are now built in a more modular fashion, allowing them to be combined with other types of malware (e.g., ransomware, cryptominers, or spyware) to amplify their impact. In this talk we'll discuss three Linux rootkit archetypes, how they work, and how you can detect them:

  1. LD_PRELOAD rootkits
  2. Kernel module rootkits
  3. eBPF-based rootkits
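As an added example (not code from the talk or its speaker), the script below runs one triage check per archetype: the loader-injection files and variable an LD_PRELOAD rootkit depends on, the mismatch between /sys/module and /proc/modules left by a kernel module that unlinked itself from the module list, and tracing-class eBPF programs from `bpftool prog show -j` that no trusted loader accounts for. All sample inputs, module names, program names and the trusted-loader allowlist are constructed for the example; each check takes already-collected data so it runs offline, and `collect_live()` shows how to feed it a real host.

```python
#!/usr/bin/env python3
"""Host triage checks for three Linux rootkit archetypes (added example).
These are leads, not proof: a careful rootkit can evade every one of them."""
import json
import os
import subprocess
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    archetype: str
    detail: str


def check_ld_preload(ld_so_preload: str, environ: dict) -> list[Finding]:
    """LD_PRELOAD rootkits ride the dynamic loader: every dynamically linked
    program maps the objects named in /etc/ld.so.preload or $LD_PRELOAD, so the
    rootkit's wrapped readdir()/open()/fopen() shadow libc's. On a clean host
    /etc/ld.so.preload is normally absent or empty."""
    hits = []
    for line in ld_so_preload.splitlines():
        path = line.split("#", 1)[0].strip()  # glibc treats '#' as a comment
        if path:
            hits.append(Finding("LD_PRELOAD", f"/etc/ld.so.preload loads {path}"))
    # LD_PRELOAD entries may be separated by spaces or colons
    for path in environ.get("LD_PRELOAD", "").replace(":", " ").split():
        hits.append(Finding("LD_PRELOAD", f"LD_PRELOAD set in environment: {path}"))
    return hits


def find_hidden_modules(proc_modules: str, sysfs_loaded: set[str]) -> list[Finding]:
    """Classic LKM rootkits unlink themselves from the kernel module list
    (list_del(&THIS_MODULE->list)), which removes them from /proc/modules and
    lsmod. Their sysfs entry often survives: only loadable (not built-in)
    modules get /sys/module/<name>/initstate, so a name with initstate but no
    /proc/modules row is a strong lead. A rootkit that also calls kobject_del()
    defeats this check; then memory forensics is the next step."""
    listed = {line.split()[0] for line in proc_modules.splitlines() if line.strip()}
    return [Finding("LKM", f"{name} has /sys/module/{name}/initstate but no /proc/modules entry")
            for name in sorted(sysfs_loaded - listed)]


TRACING_TYPES = {"kprobe", "tracepoint", "raw_tracepoint", "tracing", "lsm"}


def suspicious_bpf_programs(bpftool_json: str, trusted_comms: set[str]) -> list[Finding]:
    """eBPF rootkits need no kernel module: they attach to tracepoints/kprobes on
    syscalls such as getdents64 or read and rewrite what the kernel returns.
    `bpftool -j prog show` lists loaded programs with the processes holding them
    ("pids"). Flag tracing-class programs held by nobody (pinned, loader gone)
    or by a process outside the assumed allowlist of known eBPF agents."""
    hits = []
    for prog in json.loads(bpftool_json):
        if prog.get("type") not in TRACING_TYPES:
            continue
        holders = {p.get("comm", "?") for p in prog.get("pids", [])}
        if not holders or not holders <= trusted_comms:
            hits.append(Finding("eBPF", f"prog id={prog['id']} type={prog['type']} "
                                        f"name={prog.get('name', '?')} held by "
                                        f"{sorted(holders) or 'no process'}"))
    return hits


def run_all(preload, environ, proc_modules, sysfs_loaded, bpf_json, trusted):
    return (check_ld_preload(preload, environ)
            + find_hidden_modules(proc_modules, sysfs_loaded)
            + suspicious_bpf_programs(bpf_json, trusted))


def collect_live():
    """Gather the same inputs from a real host (needs root for bpftool)."""
    preload = ""
    if os.path.exists("/etc/ld.so.preload"):
        preload = open("/etc/ld.so.preload").read()
    proc_modules = open("/proc/modules").read()
    sysfs = {d for d in os.listdir("/sys/module")
             if os.path.exists(f"/sys/module/{d}/initstate")}
    try:
        bpf = subprocess.run(["bpftool", "-j", "prog", "show"],
                             capture_output=True, text=True).stdout or "[]"
    except OSError:
        bpf = "[]"
    return preload, dict(os.environ), proc_modules, sysfs, bpf


# Constructed samples (hypothetical names; nothing here is a real rootkit)
SAMPLE_PRELOAD = "# constructed: one injected object\n/usr/local/lib/libdemo_preload.so\n"
SAMPLE_PROC_MODULES = ("ext4 958464 2 - Live 0x0000000000000000\n"
                       "xfs 1650688 0 - Live 0x0000000000000000\n")
SAMPLE_SYSFS = {"ext4", "xfs", "demo_hide"}   # demo_hide is missing from /proc/modules
SAMPLE_BPFTOOL = json.dumps([
    {"id": 12, "type": "cgroup_skb", "name": "sd_fw_egress", "pids": [{"pid": 1, "comm": "systemd"}]},
    {"id": 40, "type": "tracepoint", "name": "tp_getdents", "pids": [{"pid": 4242, "comm": "runner"}]},
    {"id": 41, "type": "kprobe", "name": "kp_sys_read", "pids": []},
    {"id": 55, "type": "tracing", "name": "trace_agent", "pids": [{"pid": 900, "comm": "demo_agent"}]},
])
TRUSTED_LOADERS = {"demo_agent"}  # assumed allowlist of legitimate eBPF agents

if __name__ == "__main__":
    for f in run_all(*collect_live(), TRUSTED_LOADERS):
        print(f"[{f.archetype}] {f.detail}")
```

On the constructed samples the script reports the preloaded object, the `demo_hide` module, and BPF programs 40 (held by an unlisted process) and 41 (held by no process); program 55 is accepted only because its holder is on the allowlist, which is why that list must be maintained deliberately rather than copied from whatever happens to be running.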

The importance of understanding these threats and protecting against them cannot be overstated. With the growing adoption of cloud services (and the fact that Linux systems form the backbone of the cloud), it is essential that users and organizations take steps to protect their systems and their data.


Phillip Haas