KoviD: Red-Team Linux kernel rootkit

KoviD is a Loadable Kernel Module (LKM) designed for Linux Kernel version 5 and later. Key features include:

  • Hides itself from /sys/module and from the kernel's module list.
  • Provides reverse-shell backdoors.
  • Conceals processes from the proc file system.
  • Hides child processes and newly created processes of hidden tasks.
  • Hides kauditd logs, syslog entries and user presence.
  • Conceals the CPU usage of all hidden tasks.
  • Grants root privileges.
  • Hides files and directories.
  • See the Demos repository for recorded demonstrations.

Features

Hide itself (module)

KoviD hides itself, which makes it hard to detect: it is removed from the kernel's module list and from /sys/module, so lsmod, /proc/modules and /sys/module listings do not show it, and it alters the kernel code paths that anti-rootkit detectors inspect so that their checks come back clean.

Hide files and directories

KoviD hides files and directories by hooking the kernel's filldir and filldir64 callbacks, which the directory-iteration code calls once per entry when filling the buffer for getdents/getdents64. Entries whose names match the hidden set are dropped before they reach user space, so ls, find and any other tool that lists directories never sees them.

Function and syscall hijacking: Ftrace

KoviD hooks kernel functions and syscall handlers through ftrace, the kernel's own function-tracing infrastructure available in Kernel v5+: a registered ftrace_ops callback runs at the entry of the hooked function and can redirect execution. Because the hook goes through a supported kernel interface instead of overwriting the syscall table or patching instructions in place, it is more stable across kernel versions than traditional hooking techniques.

Backdoors

KoviD uses popular and reliable backdoor methods, such as port-knocking with custom (magic) packets.
A correct knock makes KoviD connect back to the operator; plain Netcat, OpenSSL (TLS) and Socat listeners are supported.

Firewall Evasion

The operator sends a magic packet to the target. A netfilter hook registered by KoviD recognises the packet and instructs KoviD to open a reverse-shell connection. The outgoing packets of that connection bypass the host's iptables rules, so the local firewall policy does not block the callback.

Tasks

Hiding processes is a crucial feature: it is what lets KoviD's tasks run undetected. Children of a hidden task, and any processes it creates later, are hidden as well, so no visible process is left behind to give the hidden one away.

Logs

Hidden tasks leave no trace in the places administrators normally look: they are absent from the output of userland tools such as w, lsmod, ps, who and ls, and the log entries those tasks would otherwise generate are suppressed, which makes KoviD's presence even harder to detect.

TCP/UDP logs

KoviD hides its backdoor connections from tools that read the kernel's socket tables (ss, netstat) and from packet capture through libpcap and recvmsg (tcpdump), so the connections show up neither in network listings nor in captures taken on the host.

r00t

Run kill -SIGCONT 666 from any shell to gain root privileges; the pid 666 acts as a trigger value that KoviD intercepts.

CPU – hiding/mining

KoviD hides the CPU consumption of its hidden tasks, so they never show up as heavy consumers in top or similar tools. The machine's total load is still real, however: if hidden tasks max out the CPU, the host's overall usage pattern becomes unusual and can attract attention, so keep their consumption moderate.

Persistence

KoviD can persist across reboots with the help of Volundr, which infects an executable such as sshd so that KoviD is loaded again after a reboot. Any equivalent tool will do; Volundr is only a suggestion.

Base address

KoviD can retrieve the base address of other executables without having to open /proc/<pid>/maps.

BPF

KoviD can evade some anti-rootkit tools that rely on BPF
(Berkeley Packet Filter) programs to detect rootkit hooks.

Tested against:
https://github.com/pathtofile/bpf-hookdetect.git

Tainted

Loading an out-of-tree module normally sets the O taint bit (bit 12, value 4096) in /proc/sys/kernel/tainted, and on kernels built with module signature checking an unsigned module adds the E bit (bit 13, value 8192). KoviD clears its taint, so the counter still reads 0 right after insmod:

$ sudo insmod ./kovid.ko
$ cat /proc/sys/kernel/tainted
0
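A consistency check a defender can run against the taint manipulation shown above, added here as an example and not part of KoviD: decode the taint bitmask into the kernel's flag letters, then compare it with the per-module markers in /proc/modules (a line ending in "(O)" or "(OE)" means that module should have raised the matching global bit). A module that shows (OE) while the global value lacks O or E means the taint counter has been tampered with. The flag-letter table is the kernel's own order (P, F, S, R, M, B, U, D, A, W, C, I, O, E, L, K, X, T, N); the sample /proc/modules lines and their addresses are constructed for the demonstration.

```c
/* taint_check.c (added example, not KoviD code): decode /proc/sys/kernel/tainted
 * and cross-check it against the taint markers in /proc/modules.
 * Build: cc -O2 -o taint_check taint_check.c */
#include <stdio.h>
#include <string.h>

/* Flag letter for each taint bit in bit order: P proprietary, F forced load,
 * S unsafe SMP, R forced unload, M MCE, B bad page, U user taint, D died,
 * A ACPI override, W warning, C staging, I firmware bug, O out-of-tree,
 * E unsigned, L soft lockup, K live patch, X aux, T randstruct, N test. */
static const char TAINT_LETTERS[] = "PFSRMBUDAWCIOELKXTN";

/* Constructed sample of /proc/modules content (addresses are made up). */
static const char SAMPLE_MODULES[] =
    "ext4 1048576 1 - Live 0xffffffffc0b00000\n"
    "kovid 16384 0 - Live 0xffffffffc0aa0000 (OE)\n";

/* Write the letters of the bits set in taint into out (>= 20 bytes); returns out. */
char *decode_taint(unsigned long taint, char *out)
{
    size_t i, n = 0;
    for (i = 0; i < sizeof TAINT_LETTERS - 1; i++)
        if (taint & (1UL << i))
            out[n++] = TAINT_LETTERS[i];
    out[n] = '\0';
    return out;
}

/* Copy the marker of one /proc/modules line, e.g. "(OE)" -> "OE", into out
 * (>= 20 bytes). Returns the letter count, 0 when the line has no marker. */
int module_line_taint(const char *line, char *out)
{
    const char *p = strchr(line, '('), *q;
    size_t len;
    out[0] = '\0';
    if (!p || !(q = strchr(p, ')')))
        return 0;
    len = (size_t)(q - p - 1);
    if (len > 19)
        len = 19;
    memcpy(out, p + 1, len);
    out[len] = '\0';
    return (int)len;
}

/* Number of modules whose marker contains a letter missing from the global
 * taint value. On an untampered kernel this is 0, because loading a module
 * with an (O) or (E) marker always raises the corresponding global bit. */
int count_taint_mismatches(unsigned long taint, const char *modules_text)
{
    char global[20], per_mod[20], buf[512];
    const char *line = modules_text;
    int mismatches = 0;
    decode_taint(taint, global);
    while (*line) {
        const char *nl = strchr(line, '\n'), *c;
        size_t len = nl ? (size_t)(nl - line) : strlen(line);
        if (len >= sizeof buf)
            len = sizeof buf - 1;
        memcpy(buf, line, len);
        buf[len] = '\0';
        if (module_line_taint(buf, per_mod))
            for (c = per_mod; *c; c++)
                if (!strchr(global, *c)) { mismatches++; break; }
        line = nl ? nl + 1 : line + len;
    }
    return mismatches;
}

int main(void)
{
    static char modules[1 << 16];
    char flags[20];
    unsigned long taint = 0;
    size_t n = 0;
    FILE *f;

    /* Offline demonstration on the constructed sample with taint forced to 0. */
    printf("sample: taint=0 -> %d mismatching module(s)\n",
           count_taint_mismatches(0, SAMPLE_MODULES));

    /* Live check of this host. */
    if (!(f = fopen("/proc/sys/kernel/tainted", "r")) || fscanf(f, "%lu", &taint) != 1) {
        perror("tainted");
        return 2;
    }
    fclose(f);
    if ((f = fopen("/proc/modules", "r"))) {
        n = fread(modules, 1, sizeof modules - 1, f);
        fclose(f);
    }
    modules[n] = '\0';
    printf("live: tainted=%lu flags=[%s], %d mismatching module(s)\n",
           taint, decode_taint(taint, flags), count_taint_mismatches(taint, modules));
    return 0;
}
```

If the module also hides itself from /proc/modules, both views are empty and the cross-check finds nothing; in that case compare the live taint value with what you expect from a known-clean baseline of the same host (an out-of-tree module you know to be loaded should always show as O).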

Download & Use