FlipSwitch Rootkit Bypasses Linux Kernel 6.9 Defenses with Surgical Machine-Code Hooking
Amid the ongoing duel between Linux kernel developers and authors of rootkit modules, each kernel release reshuffles the balance of power. A recent example is the FlipSwitch rootkit module, which uses an unusual technique to intercept system calls under the constraints introduced in kernel 6.9. Rather than relying on the familiar substitution of pointers in sys_call_table, it performs a surgical modification of the kernel's own machine code, and it keeps working after the classic technique has been rendered useless.
For many years, rootkits such as Diamorphine or PUMAKIT hid themselves by rewriting system call pointers in sys_call_table: disable write protection, then replace, say, the entry for sys_kill with a pointer to a malicious counterpart. Beginning with the 6.9 release on x86-64, however, system calls are no longer dispatched through that table. The dispatcher, x64_sys_call, is now a switch statement whose cases invoke each handler through a direct call instruction, so the target address is baked into the code rather than read from memory at run time. The table still exists as a symbol, but it is no longer consulted on the syscall path, so tampering with it no longer changes system behavior and rootkits lose their habitual entry point.
The logic that selects the right handler still exists, though; it has merely moved inside x64_sys_call. FlipSwitch exploits that in two steps. It first obtains the address of the original handler (on x86-64 the symbol is __x64_sys_kill) via kallsyms_lookup_name. That function has not been exported to modules since kernel 5.7, but it can still be reached indirectly: registering a kprobe on the symbol name "kallsyms_lookup_name" makes the kernel resolve the address and store it in the kprobe structure, from which the module reads it before unregistering the probe. With the handler's address in hand, the module scans the machine code of x64_sys_call for a direct call instruction, opcode 0xE8 followed by a signed 32-bit displacement measured from the end of the five-byte instruction, whose resolved target is exactly the desired handler.
Upon locating that call, the module temporarily clears bit 16 of the CR0 register, the WP (Write Protect) flag, so that ring 0 may write to read-only code pages. The kernel's own write_cr0() helper has refused to clear this bit since the CR0 pinning added in 5.3, so rootkits write the register with inline assembly instead. The module then overwrites just four bytes, the displacement of the call: the 0xE8 opcode stays in place, but the call now lands in a malicious replacement that mimics the legitimate function while filtering requests or substituting results. Every other handler dispatched by x64_sys_call remains untouched, which makes the intervention exceedingly stealthy.
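The two mechanical steps above, locating the call and rewriting its displacement, are shown below in an added example written for this article; it is not code from the FlipSwitch module or from Elastic. It runs in user space on a constructed byte buffer that stands in for a slice of x64_sys_call, so the CR0.WP manipulation is omitted, and every address (BASE, SYS_KILL, SYS_OPEN, EVIL_KILL) is an assumed placeholder rather than a real kernel address. It also goes one step beyond the article with a small detection routine that resolves every call site in the buffer and flags targets that are not on a kallsyms-style allow-list, which is the check a defender would run while the rootkit is loaded.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed addresses for the example only; none of them is real.
 * BASE stands for the load address of x64_sys_call, the next two for
 * handlers its switch statement calls, EVIL_KILL for a module's hook. */
#define BASE      0xffffffff81000000ULL
#define SYS_KILL  0xffffffff81111110ULL  /* stand-in for __x64_sys_kill   */
#define SYS_OPEN  0xffffffff81222220ULL  /* stand-in for __x64_sys_openat */
#define EVIL_KILL 0xffffffffc0a00000ULL  /* where a module's hook would live */

static uint8_t g_code[24];                /* constructed slice of x64_sys_call */
static const uint64_t g_allowed[] = { SYS_OPEN, SYS_KILL };  /* "kallsyms" view */

/* Absolute target of the 5-byte E8 rel32 CALL whose first byte sits at addr.
 * The displacement is signed, little-endian and relative to the next insn. */
static uint64_t call_target(uint64_t addr, const uint8_t *insn)
{
    int32_t rel;
    memcpy(&rel, insn + 1, sizeof rel);
    return addr + 5 + (int64_t)rel;
}

/* Encode "CALL target" at code[off], code being loaded at base.
 * Returns 0, or -1 if target is not within +/-2 GiB of the call site. */
static int encode_call(uint8_t *code, size_t off, uint64_t base, uint64_t target)
{
    int64_t delta = (int64_t)(target - (base + off + 5));
    if (delta < INT32_MIN || delta > INT32_MAX)
        return -1;
    int32_t rel = (int32_t)delta;
    code[off] = 0xE8;
    memcpy(code + off + 1, &rel, sizeof rel);
    return 0;
}

/* FlipSwitch-style search: first 0xE8 whose rel32 resolves exactly to wanted.
 * Matching on the resolved target, not just the opcode byte, skips 0xE8
 * bytes that are merely immediates inside other instructions. Returns the
 * byte offset or -1. */
static long find_call_to(const uint8_t *code, size_t len, uint64_t base, uint64_t wanted)
{
    for (size_t i = 0; i + 5 <= len; i++)
        if (code[i] == 0xE8 && call_target(base + i, code + i) == wanted)
            return (long)i;
    return -1;
}

/* The four-byte write: replace only the displacement of the call at off.
 * In the kernel this is done with CR0.WP cleared; unload restores the
 * original target by calling this again with the real handler's address. */
static int redirect_call(uint8_t *code, size_t off, uint64_t base, uint64_t new_target)
{
    if (code[off] != 0xE8)
        return -1;
    return encode_call(code, off, base, new_target);
}

/* Detection: resolve every call site and count targets that are not among
 * the addresses kallsyms reports for the real handlers. */
static int count_foreign_calls(const uint8_t *code, size_t len, uint64_t base,
                               const uint64_t *allowed, size_t n_allowed)
{
    int foreign = 0;
    for (size_t i = 0; i + 5 <= len; i++) {
        if (code[i] != 0xE8)
            continue;
        uint64_t t = call_target(base + i, code + i);
        int ok = 0;
        for (size_t k = 0; k < n_allowed; k++)
            ok |= (allowed[k] == t);
        foreign += !ok;
    }
    return foreign;
}

/* Build the constructed dispatcher slice: two direct calls amid NOP filler. */
static size_t build_sample(void)
{
    memset(g_code, 0x90, sizeof g_code);
    encode_call(g_code, 2,  BASE, SYS_OPEN);   /* case __NR_openat: call handler */
    encode_call(g_code, 11, BASE, SYS_KILL);   /* case __NR_kill:   call handler */
    return sizeof g_code;
}

int main(void)
{
    build_sample();
    long off = find_call_to(g_code, sizeof g_code, BASE, SYS_KILL);
    printf("call to __x64_sys_kill stand-in at x64_sys_call+%ld\n", off);
    if (off >= 0 && redirect_call(g_code, (size_t)off, BASE, EVIL_KILL) == 0)
        printf("patched rel32 now resolves to %#llx\n",
               (unsigned long long)call_target(BASE + (uint64_t)off, g_code + off));
    printf("call sites pointing outside kallsyms: %d\n",
           count_foreign_calls(g_code, sizeof g_code, BASE, g_allowed, 2));
    return 0;
}
```

Two points the code makes explicit: the displacement is relative to the end of the instruction, so the same handler address encodes differently at every call site, and a byte scan for 0xE8 is only reliable when paired with the resolved-target check, since 0xE8 can occur inside immediates. A production detector would disassemble x64_sys_call rather than byte-scan it, and would also refuse out-of-range targets the way encode_call does.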
FlipSwitch's hallmark is its selectivity and finesse. While the module is loaded, the only artifact in the kernel is a four-byte displacement inside x64_sys_call that resolves to module memory instead of to the real handler, so detection means resolving each call target in the dispatcher and comparing it against kallsyms. The modification is also reversible: unloading the module writes the original displacement back and leaves little trace for after-the-fact forensics. To aid detection, Elastic's team produced a YARA signature that spots characteristic patterns, in memory or on disk, that betray the presence of this prototype.
FlipSwitch is a striking illustration of how shifts in system architecture push malware authors toward inventive workarounds. Even abandoning sys_call_table dispatch could not close the avenue entirely: a precisely targeted change to the right instruction suffices to reclaim control over kernel dispatch.