General purpose operating systems including Linux inevitably have kernel mode vulnerabilities that can be exploited. There is also the risk of installation of malicious kernel mode drivers that can compromise the system. Once a malicious module gains access to the kernel it can perform any number of actions including the deactivation of security software and settings in the Operating System. Though kernel mode malware today accounts for a small percentage of total malware detected, more and more malware attacks powered by kernel mode exploits are coming to light in recent times.
Malware attacks where rootkits are part of the attacker’s arsenal are typically high profile attacks where the payout is huge. According to the findings by Positive Technologies, most common targets are government agencies followed by research institutions. Financial institutions are obviously another lucrative target. There was the recent unearthing of a rootkit powered attack on ATM machines where the rootkit called CAKETAP was used to conceal network ports, malicious files and processes enabling the attack to continue for years. Developing a kernel mode exploit is a complex process but unfortunately that is not really a deterrent anymore. There are quite a bit of references with sample code available on the internet but what is really insidious are the availability of ready-made variants in the dark web with varying features based on the budget.
Linux is one of the most popular Operating Systems out there powering embedded systems, servers, desktop machines, IoT devices, cloud, super computers etc. Linux owing to its monolithic design and huge code base, has a very large trusted computing base (TCB). Compromising any area of the Linux kernel compromises the whole system. There are a huge number of Linux distributions and builds out there which are continuing to grow due to the scalability, support for multiple hardware designs and great performance that Linux offers. This had made Linux a lucrative target for threat actors. There are many advanced malware attacks detected in the wild against Linux. Malware kit Drovorub has a kernel module that can hide itself and other artefacts including specific files, directories, network ports and sessions etc. Another recent discovery is the FontOnLake malware family which has a kernel mode rootkit that is supposedly based on an open source rootkit project.
In the master’s thesis titled ‘Effectiveness of Linux Rootkit Detection Tools’ by Juho Junnila, there are details of how the most popular Linux rootkit detection tools performs against kernel mode rootkits available as open source projects. Interestingly, only Linux Kernel Runtime Guard (LKRG) is able to detect the presence of these rootkits. LKRG is a really cool tool and can detect various types of kernel exploits but is a kernel module and hence comes with certain limitations. As acknowledged by the developers themselves, LKRG executes at the same trust level as that of the kernel and hence is ‘bypassable by design’.
Mandating the loading of only signed modules is a good countermeasure against malicious kernel modules but the presence of multiple vulnerabilities in the kernel opens up various other exploitation possibilities. In the wonderful article titled “ Four Bytes of Power: Exploiting CVE-2021-26708 in the Linux kernel, the author shows how a vulnerability in the race conditions was exploited to eventually get root access in the system.
It is not a pleasant scenario to consider these advances in exploitation technologies in the light that today's world is increasingly becoming software centric with embedded systems too becoming more open, flexible and software defined.
It is fairly obvious that the security measures such as kernel hardening and sophisticated rootkit prevention measures such as LKRG are extremely useful but can be bypassed as these protections are executing at a privilege equal to that of the Operating System’s kernel.
SecurWeave’s CHESS platform was purpose built keeping in mind the evolution of malware as well as the inevitable shift towards software that is happening with many of the industries. There are crucial security and safety needs that are mandatory for the continuously evolving digital world and the security hypervisor in CHESS is designed and developed to satisfy the same. CHESS can not only detect the presence of kernel mode threats but also neutralise the exploits and notify the details of attempted attacks to any centralised alert management system.
To learn more about how CHESS can protect your system from advanced malware attacks, please use the ‘Contact Us’ option provided in the Products page.