
Jenda_ | 2 years ago

> Syscall hooking kernel root kits largely only vary in how exactly they hook the syscalls

I don't understand how this survives major kernel upgrades. I have problems keeping out-of-tree modules working, intentionally. Do rootkits ship with fancy DKMS these days? Do the authors test with upcoming versions of major distros and push an upgrade to support the new release?

fullspectrumdev | 2 years ago

Most authors of kernel rootkits target a subset of versions and then give up or are stuck maintaining a codebase that is a mess of ifdefs for different versions.

At one of my old jobs we had a kernel rootkit we used on occasional red team exercises that ended up having forks for 2.6, a couple of forks for 3.x, and a couple more forks for 4.x - maintenance of that was an absolute nightmare and frankly, not worth the effort in the long run, so it was not maintained into 5.x and replaced with a few much simpler userland backdoors.

That’s why you will see malware such as the one in the article shipping with stuff cobbled together from several different rootkit projects to try to obtain some semblance of compatibility.