3. List of Kernel Rootkits

3.1. Rootkits loaded via /dev/kmem

SucKIT is a rootkit presented in Phrack issue 58, article 0x07 ("Linux on-the-fly kernel patching without LKM", by sd & devik). This is a fully working rootkit that is loaded through /dev/kmem (i.e. it does not need a kernel with support for loadable kernel modules. It provides a password protected remote access connect-back shell initiated by a spoofed packet (bypassing most of firewall configurations), and can hide processes, files and connections.

3.2. Loadable Kernel Modules

Except for the SucKIT rootkit, all published rootkits are LKM rootkits and use the method of syscall table modification (see Section 2.2>). The following list provides an overview of these rootkits.

Rial by techno[k] (technok at pkcrew dot org) hides files, file parts, and connections. No backdoor is provided. Hiding of file parts is buggy, less will hang. RIAL does not hide itself (use lsmod or cat /proc/modules to detect).

heroin by Runar Jensen (zarq at opaque dot org) hides files and processes. No backdoor is provided. Cannot be removed with rmmod, and tries to hide itself, but can be found by

    bash$ cat /proc/ksyms | grep heroin

afhrm by Michal Zalewski (lcamtuf at boss dot staszic dot waw dot pl) redirects (and hides) files. No backdoor is provided. Runs on 2.2 with some work, but file hiding seems to have bugs. Can hide itself, but method appears to be inappropriate for 2.2 kernels (results are rather suspicious).

Synapsis (v. 0.4) by Berserker (berserker dot ncl at infinito dot it) Hides files, processes, and users. Gives root privileges to a user with a pre-defined UID (default 666). Hides ports. Can be controlled via cat password command. Hides itself from lsmod, but can be found by cat /proc/modules. File hiding and control interface have bugs.

adore by Stealth hides files, processes, services, and can execute a process (e.g. /bin/sh) with root privileges. Controlled with a helper program ava. Adore hides itself, and cannot be removed by rmmod.

knark by Creed (creed at sekure dot net) hides files, processes, services, redirect commands, and can give root privileges. Creed is controlled with a set of helper programs, and can execute commands sent from a remote host. It hides itself and cannot be removed by rmmod.

itf by plaguez (dube0866 at eurobretagne dot fr) has been published in Phrack issue 52. It hides files and processes, redirect commands, hides the PROMISC flag (i.e. sniffers), and can give root privileges. It installs a backdoor, hides itself and cannot be removed by rmmod.

kis by optyx (optyx at uberhax0r dot net) is a client/server system to remotely control a machine, with a kernel rootkit as the server on the remotely controlled machine. It can hide processes, files, connections, redirect execution, and execute commands. It hides itself and can remove security modules already loaded.