KoviD

Linux kernel rootkit

KoviD LKM

 ██ ▄█▀ ▒█████   ██▒   █▓ ██▓▓█████▄
 ██▄█▒ ▒██▒  ██▒▓██░   █▒▓██▒▒██▀ ██▌
▓███▄░ ▒██░  ██▒ ▓██  █▒░▒██▒░██   █▌
▓██ █▄ ▒██   ██░  ▒██ █░░░██░░▓█▄   ▌
▒██▒ █▄░ ████▓▒░   ▒▀█░  ░██░░▒████▓
▒ ▒▒ ▓▒░ ▒░▒░▒░    ░ ▐░  ░▓   ▒▒▓  ▒
░ ░▒ ▒░  ░ ▒ ▒░    ░ ░░   ▒ ░ ░ ▒  ▒
░ ░░ ░ ░ ░ ░ ▒       ░░   ▒ ░ ░ ░  ░
░  ░       ░ ░        ░   ░     ░
                     ░        ░

1 - About

KoviD is a Loadable Kernel Module (LKM) designed for
Linux Kernel version 5 and later. Key features include:

Self-hiding from SysFS.
Provides reverse shell backdoors.
Conceals processes from the proc file system.
Handles child and newly created processes.
Hides kauditd logs, syslogs and user presence.
Conceals CPU usage for all hidden tasks.
Grants root privileges.
Hides files and directories.
Explore the Demos repository.

Watch KoviD Demos

Read the Phrack magazine article in which g1inko works through some challenges posed by KoviD

1.1 Mostly tested against

CentOS Linux release 8.3.2011
4.18.0-240.22.1.el8_3.x86_64 #1 SMP Thu Apr 8 19:01:30 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
gcc (GCC) 8.3.1 20191121 (Red Hat 8.3.1-5)

Debian GNU/Linux 10
Linux debian10teste 4.19.0-18-amd64 #1 SMP Debian 4.19.208-1 (2021-09-29) x86_64 GNU/Linux
gcc (Debian 8.3.0-6) 8.3.0

Ubuntu 18.04.5 LTS
Linux ubuntu 5.4.0-89-generic #100~18.04.1-Ubuntu SMP Wed Sep 29 10:59:42 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
gcc (Ubuntu 7.5.0-3ubuntu1~18.04) 7.5.0

Ubuntu 20.10
Linux ubuntu 5.8.0-55-generic #62-Ubuntu SMP Tue Jun 1 08:21:18 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
gcc (Ubuntu 10.3.0-1ubuntu1~20.10) 10.3.0

Ubuntu 22.04 LTS
Linux 5.15.0-43-generic #46-Ubuntu SMP Tue Jul 12 10:30:17 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
gcc (Ubuntu 11.2.0-19ubuntu1) 11.2.0

Ubuntu 22.04.1 LTS
Linux hash-virtual-machine 5.19.0-41-generic #42~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC UTC 2 x86_64 x86_64 x86_64 GNU/Linux

Linux Standard-PC-Q35-ICH9-2009 5.15.0-43-generic #46-Ubuntu SMP x86_64 x86_64 x86_64 GNU/Linux

2 - Features

2.1 Hide itself (module)

KoviD hides itself, making it challenging to detect. It customizes kernel
code to evade anti-rootkit detectors and disappears
from /sys/module listings.

2.2 Hide files and directories

KoviD hides files and directories by hijacking the filldir and
filldir64 kernel functions, which keeps the implementation simple.

2.3 Function and syscall hijacking: Ftrace

KoviD leverages Ftrace, a legitimate method for
function and syscall hijacking in Kernel v5+.
This approach offers greater stability compared
to traditional hooking techniques.

2.4 Backdoors

KoviD incorporates popular and reliable methods for backdooring systems,
such as port-knocking with custom packets.
These open connections to Netcat, OpenSSL, and Socat sessions.

2.5 Firewall Evasion

Magic packets sent to the host trigger KoviD's netfilter hooks and
instruct it to establish a reverse shell connection. The outgoing
packets of that connection bypass iptables rules, ensuring effective
evasion.

2.6 Tasks

Hiding processes is a crucial feature, giving KoviD the
ability to run undetected. It provides full support for
child processes, ensuring that no hanging processes are left behind.
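Sections 2.2 and 2.6 both describe hiding at the directory-listing level (the filldir/filldir64 path), so the counter-check a defender reaches for first is to probe /proc/<pid> by name for every PID up to pid_max and compare the hits with what a readdir of /proc returns. The Python below is an added example, not KoviD code or one of its scripts; the sample listing and Tgid table are constructed, and the live wrappers assume the standard /proc layout (/proc/<pid>/status with a Tgid line, /proc/sys/kernel/pid_max). It resolves every hit to its thread-group leader so that ordinary threads, which are reachable as /proc/<tid> but never listed, are not reported as hidden.

```python
"""Hidden-process check: PIDs reachable by path but absent from the /proc listing.

A readdir/filldir hook removes entries from the listing; this check walks the
PID space directly instead of trusting the listing.  A rootkit that also hooks
path lookup defeats it, so treat it as one view among several.
"""
import os
from typing import Callable, Iterable, Optional, Set

# Constructed sample: what a hooked readdir() of /proc lists, versus the Tgid
# that probing /proc/<pid>/status would return for each reachable PID.
# 300 is a thread of visible process 100; 4243 is a thread of hidden 4242.
SAMPLE_LISTED = {1, 2, 100}
SAMPLE_TGID = {1: 1, 2: 2, 100: 100, 300: 100, 4242: 4242, 4243: 4242}


def parse_tgid(status_text: str) -> Optional[int]:
    """Return the Tgid value from a /proc/<pid>/status body, or None if absent."""
    for line in status_text.splitlines():
        if line.startswith("Tgid:"):
            return int(line.split(":", 1)[1])
    return None


def find_hidden_pids(listed: Set[int],
                     probe: Callable[[int], Optional[int]],
                     candidates: Iterable[int]) -> Set[int]:
    """Return thread-group leaders that are reachable but missing from `listed`.

    probe(pid) returns the Tgid of /proc/<pid> or None when the path does not
    exist.  Mapping each hit to its Tgid is what keeps plain threads (reachable
    as /proc/<tid>, never listed) from producing false positives: a thread only
    counts if its group leader is missing from the listing too.
    """
    hidden: Set[int] = set()
    for pid in candidates:
        if pid in listed:
            continue
        tgid = probe(pid)
        if tgid is not None and tgid not in listed:
            hidden.add(tgid)
    return hidden


def live_listed_pids() -> Set[int]:
    """PIDs as enumerated by readdir(/proc), i.e. the view a filldir hook edits."""
    return {int(name) for name in os.listdir("/proc") if name.isdigit()}


def live_probe(pid: int) -> Optional[int]:
    """Tgid of /proc/<pid> via direct path lookup, or None if unreachable."""
    try:
        with open(f"/proc/{pid}/status") as fh:
            return parse_tgid(fh.read())
    except OSError:  # ENOENT / ESRCH: no such task
        return None


def scan_live_system() -> Set[int]:
    """Run the check on this host; a second listing filters the creation race."""
    with open("/proc/sys/kernel/pid_max") as fh:
        pid_max = int(fh.read())
    first = find_hidden_pids(live_listed_pids(), live_probe, range(1, pid_max))
    # A process started between the first listing and the probe looks hidden
    # once; if it is genuinely visible it appears in the second listing.
    return first - live_listed_pids()


if __name__ == "__main__":
    print("sample:", find_hidden_pids(SAMPLE_LISTED, SAMPLE_TGID.get, range(1, 5000)))
    print("live:", scan_live_system())
```

The sample run reports {4242}: the thread 4243 is folded into its hidden leader, and thread 300 is ignored because its leader 100 is listed. Walking a full 4-million-entry pid_max in Python takes a while; on a real host, read pid_max once and run the scan from a cron job or an agent rather than interactively.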

2.7 Logs

KoviD's hidden tasks result in missing logs, making it
even more challenging for administrators to detect its
presence. It eliminates logs generated by userland tools
like w, lsmod, ps, who, ls.

2.8 TCP/UDP logs

KoviD hides network connections and manipulates network logs
to maintain stealth. It also addresses issues with libpcap
showing connections initiated before task hiding.

2.9 r00t

Gain root privileges easily with kill -SIGCONT 666.

2.10 CPU - hiding/mining

KoviD hides CPU consumption, making its processes invisible
as heavy consumers. However, be cautious not to max out the CPU,
as this can lead to unusual usage patterns.

2.11 Persistence

KoviD offers persistence via Volundr. It can infect executables,
like SSHD, to ensure KoviD loads on reboot. You can also use your
preferred tool; Volundr is just a suggestion.

2.12 Base address

KoviD allows for the retrieval of base addresses of other executables
without needing to open /proc/<pid>/maps.

2.13 BPF

KoviD can evade a few anti-rootkit tools that rely on BPF
(Berkeley Packet Filter) for detecting rootkits.

Tested against:
    https://github.com/pathtofile/bpf-hookdetect.git

2.14 Tainted

$ sudo insmod ./kovid.ko
$ cat /proc/sys/kernel/tainted
0
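Sections 2.1 and 2.14 name two views a defender normally compares after a suspected module load: the module list and the kernel taint value. The Python check below is an added example, not part of KoviD or its scripts. It parses the /proc/modules format (name, size, refcount, deps, state, address), compares the names against the directories under /sys/module, and decodes the taint bits that loading an out-of-tree, unsigned module normally sets (O, bit 12, and E, bit 13, per the kernel's TAINT_* numbering). The sample listings and the module names in them are constructed for the demonstration.

```python
"""Module-view cross-check plus taint decoding.

A loaded module is expected to appear in /proc/modules and as a directory
under /sys/module.  A name that /proc/modules reports but sysfs does not is
the signature of sysfs hiding; sysfs-only names are routine (see below).
"""
import os
from typing import Dict, Set

# Constructed sample of /proc/modules: name size refcount deps state address.
SAMPLE_PROC_MODULES = """\
nf_tables 245760 0 - Live 0xffffffffc0b00000
kovid 57344 0 - Live 0xffffffffc0a00000
ext4 737280 1 - Live 0xffffffffc0900000
"""
# Constructed sample of /sys/module entries.  'tcp_cubic' stands in for a
# built-in module that exposes parameters through sysfs and therefore has a
# /sys/module directory but no /proc/modules line, which is normal.
SAMPLE_SYSFS_MODULES = {"nf_tables", "ext4", "tcp_cubic"}

# Taint bits relevant to module loading: bit 0 'P' proprietary module,
# bit 12 'O' out-of-tree module, bit 13 'E' unsigned module.
TAINT_BITS = {0: "P", 12: "O", 13: "E"}


def parse_proc_modules(text: str) -> Set[str]:
    """Module names from /proc/modules text (first whitespace-separated field)."""
    names: Set[str] = set()
    for line in text.splitlines():
        fields = line.split()
        if fields:
            names.add(fields[0])
    return names


def cross_check(proc_names: Set[str], sysfs_names: Set[str]) -> Dict[str, Set[str]]:
    """Split the two module views into the suspicious and the routine difference."""
    return {
        "missing_from_sysfs": proc_names - sysfs_names,  # suspicious: hidden from sysfs
        "sysfs_only": sysfs_names - proc_names,          # usually built-in modules
    }


def taint_bits(value: int) -> Set[str]:
    """Decode the module-related flags from /proc/sys/kernel/tainted."""
    return {flag for bit, flag in TAINT_BITS.items() if value & (1 << bit)}


def live_check() -> Dict[str, object]:
    """Run both checks on this host using the standard /proc and /sys paths."""
    with open("/proc/modules") as fh:
        proc_names = parse_proc_modules(fh.read())
    sysfs_names = set(os.listdir("/sys/module"))
    with open("/proc/sys/kernel/tainted") as fh:
        taint = int(fh.read())
    result: Dict[str, object] = dict(cross_check(proc_names, sysfs_names))
    result["taint_flags"] = taint_bits(taint)
    return result


if __name__ == "__main__":
    sample = cross_check(parse_proc_modules(SAMPLE_PROC_MODULES), SAMPLE_SYSFS_MODULES)
    print("sample:", sample)            # missing_from_sysfs == {'kovid'}
    print("live:", live_check())
```

The interesting bucket is missing_from_sysfs; sysfs_only entries are expected on every system because built-in modules with parameters also get a /sys/module directory. On the taint side, a normal insmod of an out-of-tree module sets O, and an unsigned one also sets E on kernels built with module signature checking, so a value of 0 after loading such a module, as 2.14 shows, is itself a discrepancy worth recording rather than evidence that nothing was loaded.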

3 - Usage

Before compiling and loading KoviD, edit the Makefile to choose a unique
name for /proc/<name>; make sure the name is not easily predictable.
Then compile and load KoviD with sudo insmod kovid.ko.

3.1 /proc/ interface

To enable the /proc/mytest interface, use the command:
    $ kill -SIGCONT 31337
The interface will disable itself after 120 seconds and can be
reactivated using the same command.

3.2 Tasks

You can hide/unhide processes using the /proc/mytest interface.
For example, to hide a task, run: $ echo 14886 >/proc/mytest.
If a task is a backdoor that needs TCP hiding, run:
    $ echo "-bd <pid>" >/proc/mytest
Unhiding is the same as for regular tasks:
    $ echo "<PID>" >/proc/mytest

3.3 Hide module

To hide the KoviD module, use the command: `$ echo -h >/proc/mytest`.
In release mode, the module is hidden by default,
and a key can be displayed by running `$ cat /proc/mytest`.

3.4 Hide/unhide/list files and directories

To hide a file or directory, use: $ echo '-a name' >/proc/mytest.
To unhide, use: $ echo '-d name' >/proc/mytest. You can list hidden files
and directory names with: $ echo listname >/proc/mytest.

3.5 SSH/FTP TTY sniffer

KoviD can snoop SSH sessions via tty keystrokes and steal passwords
and commands effectively.

3.6 Backdoors

For instructions, run 'scripts/bdclient.sh' and a help list is displayed.

4 - Bugs

As with any software, KoviD may have bugs.
If you encounter issues or oopses, please report them in detail for
potential fixes. Test KoviD extensively, preferably in a VM that
mimics the target environment.

Disclaimer: The use of KoviD in a real target is discouraged