Vol. 9 No. 1 (2024): Proceedings of Botconf 2024
Additional articles

CMK Rootkit. Identifying the ”magic packet” requirements via pattern recognition

PDF
  • David Álvarez Pérez,
  • Manuel Fernández-Veiga
David Álvarez Pérez
Gen Digital Inc. Pikrtova 1737/1a, 140 00 Praha 4, Czech Republic.
Manuel Fernández-Veiga
AtlanTTic, I& C Lab, Escuela de Ingeniería de Telecomunicación. Campus Universitario s/n, Vigo, 36310, Spain

Published 2025-06-05

Keywords

  • cmk rootkit,
  • syslogk,
  • magic packets,
  • botnet,
  • Netfilter

Copyright (c) 2024 David Álvarez Pérez, Manuel Fernández-Veiga (Author)

Creative Commons License

This work is licensed under a Creative Commons Attribution 4.0 International License.

How to Cite

Álvarez Pérez, D., & Fernández-Veiga, M. (2025). CMK Rootkit. Identifying the ”magic packet” requirements via pattern recognition. The Journal on Cybercrime and Digital Investigations, 9(1), A1-A15. https://doi.org/10.18464/cybin.v9i1.48

Download Citation

Abstract

The present paper analyzes the CMK Linux Kernel Rootkit. It demonstrates that it is possible to unpack the rootkit using emulation to avoid inserting the module in a real Linux distribution matching specific Linux kernel requirements. CMK Rootkit implements "magic packets", this study also demonstrates that it is possible to extract the requirements for the "magic packets" based on assembly language patterns. We provide the implementation for both, the Linux kernel rootkit unpacker and a Ghidra script for extracting the requirements of the "magic packets".

PDF

References

  1. “Reptile Rootkit. github repository of the project.”
  2. https://github.com/f0rb1dd3n/Reptile.
  3. “Rootkit. nist glossary of terms..” https://csrc.nist.gov/glossary/term/rootkit.
  4. “Rootkits. enisa incident response glossary of terms..” https://www.enisa.europa.eu/topics/incident-response/glossary/rootkits.
  5. “Reptile Rootkit. 36/61 av engine detectionsw in virustotal.” https://www.virustotal.com/gui/file/cbe9107185c8e42140dbd1294d8c20849134dd122cc64348f1bfcc90401379ec/detection. Accessed: 2024-01-07.
  6. “Virustotal.” https://www.virustotal.com/.
  7. T. Brosch and M. Morgenstern, “Runtime packers: The hidden problem,” Black Hat USA, 2006.
  8. “CMK Rootit detections (10/12/2022).” https://www.virustotal.com/gui/file/54d8b09ffc15c657abf29a0c313b377df64988848f2c3814243b2478b4b881cc/detection.
  9. D. Alvarez-Perez, “Syslogk Rootkit. executing bots via "magic packets",” The Journal on Cybercrime & Digital Investigations, vol. 8, 2023.
  10. “Linux Threat Hunting ‘syslogk’ a kernel rootkit found under development in the wild.” https://decoded.avast.io/davidalvarez/linux-threat-hunting-syslogk-a-kernel-rootkit-found-under-development-in-the-wild/.
  11. Y. Dong, Z. Li, Y. Tian, C. Sun, M. W. Godfrey, and M. Nagappan, “Bash in the wild: Language usage, code smells, and bugs,” ACM Trans. Softw. Eng. Methodol., vol. 32, feb 2023.
  12. “systemd-hwdb. linux hardware database management tool.” https://man7.org/linux/man-pages/man8/systemd-hwdb.8.html.
  13. “pkill user command. oracle solaris 11.2 documentation.” https://docs.oracle.com/cd/E36784_01/html/E36870/pkill-1.html.
  14. “systemd-journald.service linux manual page.” https://man7.org/linux/man-pages/man8/systemd-journald.service.8.html.
  15. “insmod linux manual page..” https://man7.org/linux/man-pages/man8/insmod.8.html.
  16. “Linux Kernel. reproducible builds..” https://docs.kernel.org/kbuild/reproducible-builds.html.
  17. “R. Love, Linux Kernel Development: Linux kerneldevelopment _p3. pearson education, 2010..”
  18. “Debian 8.11 Jessie. press release.” https://www.debian.org/News/2015/20150426.
  19. A. Devi and G. Aggarwal, “Manual unpacking ofupx packed executable using ollydbg and importrec,” IOSR Journal of Computer Engineering,vol. 16, no. 1, pp. 71–77, 2014.
  20. F. Desclaux, “Miasm: Framework de reverse engineering,” Actes du SSTIC. SSTIC, 2012.
  21. “MIASM reverse engineering framework.” https://github.com/cea-sec/miasm.
  22. P. C. T. Ðang, M. S. Phan, and M. H. Phan, Building a Binary De-obfuscation Tool with Miasm Framework. PhD thesis, 2021.
  23. “sysinitmodule linux documentation.” https://man7.org/linux/man-pages/man2/init_module.2.html.
  24. “kallsymsoneachsymbol linux kernel documentation.” https://lore.kernel.org/all/20200221114404.14641-1-will@kernel.org/#rl.
  25. R. Rosen and R. Rosen, “Netfilter,” Linux Kernel Networking: Implementation and Theory, pp. 247278, 2014.
  26. J. Engelhardt and N. Bouliane, “Writing netfilter modules,” Revised, February, vol. 7, 2011.
  27. “Linux Kernel documentation. workqueues and kevents..” https://www.kernel.org/doc/html/v4.13/driver-api/basics.html#workqueues-and-kevents.
  28. “Out-of-sight-out-of-mind-rootkit linux kernel rootkit..” https://github.com/NinnOgTonic/Out-of-Sight-Out-of-Mind-Rootkit/blob/master/osom.c#L211. Accessed: 2023-02-26.
  29. J. Magnusson, “Survey and analysis of dns filtering components,” arXiv preprint arXiv:2401.03864, 2024.
  30. J. Junnila, “Effectiveness of linux rootkit detection tools,” Master’s thesis, J. Junnila, 2020.
  31. “Nick Newson Linux Kernel Rootkit.” https://github.com/nnewson/km/blob/master/src/rootkit.c.
  32. “Linux Kernel documentation, sysfs_unlink_sibling.” https://lore.kernel.org/netdev/m1lk0iihhp.fsf_-_@frodo.ebiederm.org/raw.
  33. “Linux Kernel documentation, sysfs_link_sibling.” https://lkml.kernel.org/netdev/20091029233848.GV3141@kvack.org/.
  34. “Linux Kernel documentation, kernfs_link_sibling.” https://lore.kernel.org/lkml/747aee3255e7a07168557f29ad962e34e9cb964b.camel@themaw.net/.
  35. “snprintf, _snprintf, _snprintf_l, _snwprintf, _snwprintf_l microsoft documentation.” https://learn.microsoft.com/en-us/cpp/c-runtime-library/reference/snprintf-snprintf-snprintf-l-snwprintf-snwprintf-l?view=msvc-170.
  36. “Linux Kernel documentation, call_usermodehelper.” https://archive.kernel.org/oldlinux/htmldocs/kernel-api/API-call-usermodehelper.html.
  37. D. Andriesse, Practical binary analysis: build your own Linux tools for binary instrumentation, analysis, and disassembly. no starch press, 2018.
  38. P. Guide, “Intel® 64 and ia-32 architectures software developer’s manual,” Volume 3B: system programming guide, Part, vol. 2, no. 11, pp. 1–64, 2011.
  39. “Linux Kernel documentation. filldir..” https://lore.kernel.org/lkml/lsq.1578512578.759211401@decadent.org.uk/.
  40. “The Linux Documentation Project. chapter 8. system calls..” https://tldp.org/LDP/lkmpg/2.4/html/c937.htm.
  41. “KUnkillable github repository.” https://github.com/spiderpig1297/kunkillable.
  42. I. A. Ilya V. Matveychikov, “Linux kernel rootkits advanced techniques,” 2018.
  43. “A collection of Linux kernel rootkits. linux rootkits..” https://github.com/R3x/linux-rootkits.
  44. R. Rosen, Linux kernel networking: Implementation and theory. Apress, 2014.
  45. E. Eliando and A. B. Warsito, “Lockbit black ransomware on reverse shell: Analysis of infection,”CogITo Smart Journal, vol. 9, no. 2, pp. 228–240, 2023.
  46. H. Sharma and H. Singh, Hands-on red team tactics: a practical guide to mastering red team operations. Packt Publishing Ltd, 2018.
  47. K. Thang and A. Nyberg, “Impact of fixed-rate fingerprinting defense on cloud gaming experience,” 2023.
  48. N. Gandotra and L. S. Sharma, “Exploring the use of iptables as an application layer firewall,” Journal of The Institution of Engineers (India): Series B, vol. 101, pp. 707–715, 2020.
  49. “KoviD github repository.” https://github.com/carloslack/KoviD
  50. F. Wang and Y. Shoshitaishvili, “Angr-the next generation of binary analysis,” in 2017 IEEE Cybersecurity Development (SecDev), pp. 8–9, IEEE, 2017.
  51. “Angr open-source binary analysis platform for python.” https://angr.io/.
  52. X. Zhang, C. Zhang, X. Li, Z. Du, Y. Li, Y. Zheng, Y. Li, B. Mao, Y. Liu, and R. H. Deng, “A survey of protocol fuzzing,” arXiv preprint arXiv:2401.01568, 2024.
  53. B. T. ODEHNAL, “Port block allocation for network address translation,”
  54. “Linux Kernel documentation. skbuff..” https://docs.kernel.org/networking/skbuff.html.
  55. A. David, Ghidra Software Reverse Engineering for Beginners: Analyze, identify, and avoid malicious code and potential threats in your networks and systems. Packt Publishing Ltd, 2021.
  56. C. Eagle and K. Nance, The Ghidra Book: The Definitive Guide. no starch press, 2020.
  57. “Ghidra a software reverse engineering (sre) suite of tools developed by nsa’s research directorate in support of the cybersecurity mission.” https: //ghidra-sre.org/.
  58. T. Æ. Mogensen, “Machine-code generation,” in Introduction to Compiler Design, pp. 161–172, Springer, 2024.
  59. “Kernel Probes documentation..” https://docs.kernel.org/trace/kprobes.html. Accessed: 2023-02-26.
  60. “R. Krishnakumar, Kernel korner: kprobes-a kernel debugger, linux journal, vol. 2005, no. 133, p. 11, 2005..”
  61. “Spotify KProbes examples linux kernel module..” https://github.com/spotify/linux/tree/ma
  62. ster/samples/kprobes. accessed: 2023-02-26.
  63. “Kprobes. blacklisted functions.” https://docs.kernel.org/trace/kprobes.html#kprobes-blacklist. Accessed: 2024-01-07.