A Suite of Whitehat Rootkits for the Linux Kernel

29 Aug 2015 . tech . Comments
#security #opensource

Have you ever wondered what happens when an attacker gains complete control over your system? Rootkits are malicious programs that run at the kernel level of an operating system, essentially giving them god-like powers over your entire machine.

While you might think “I’d never give root access to an attacker,” the reality is that social engineering tactics and zero-day vulnerabilities can make this easier than you’d expect. Once installed, a rootkit can wreak havoc on your system by hiding files and processes, deploying additional malware, stealing passwords and certificates, and logging everything you do.

The scary part? Rootkits often modify the system call table, making their malicious activities completely invisible to you. You could be compromised and never know it.

To help protect against these threats, I developed a suite of kernel modules that can prevent and detect rootkit activities. Let me walk you through what I built and how it works.

The Security Suite

Here’s what I built to help defend against rootkits:

The Drip Dry Carbonite

This module acts as a guardian for your system call table and continuously logs snapshots of running processes. Think of it as a security camera that watches the most critical parts of your system. If anything tries to modify the system call table, the module immediately freezes the machine to prevent further damage.

Dresden

Dresden is like a bouncer at the kernel’s door. It blocks any attempts to insert new modules (including rootkits) into the kernel, while also dumping instruction memory and logging critical security events. As long as this module is loaded last during boot, it can prevent most rootkits from even getting a foothold.

Netlog

Network activity is often the first sign of compromise. Netlog monitors all network traffic by probing the kernel’s network stack, creating detailed logs that can be invaluable for forensic analysis if a security breach occurs.

What’s Next?

I’ll be sharing some interesting code snippets from these modules in future posts. The reality is that rootkits are constantly evolving, so defensive tools need to evolve too. These modules represent my approach to staying ahead of the threat landscape.

Have you ever encountered rootkit detection challenges in your own systems? I’d love to hear about your experiences and any additional defensive strategies you’ve found effective.


Me

Panos is an engineering leader at Panther, with over a decade of experience in cybersecurity and engineering leadership. His career includes security research at CERN, security engineering at Microsoft Office 365, and founding Blocktopus, a KYC/AML startup. He holds patents, has published research in security and machine learning, and has helped scale startups from pre-seed through Series B. On this blog, he writes about security, leadership, and developer productivity.