
#52 An alternative way to detect diamorphine rootkit

2022-11-12
2022-11-12

Background story: I tested Diamorphine on my system (kernel 5.18.2, Debian; rkhunter version 1.4.6-9 from the Debian repository). Rkhunter couldn't detect this rootkit. The interesting part is that rkhunter actually detected this rootkit when I disabled module hiding. After reading rkhunter's source code, I found out rkhunter uses a kernel symbol check to detect if the rootkit is loaded.
After some research, I found out we are able to detect this rootkit by checking:
- all loaded modules listed in /sys/module/. The command lsmod can't find the diamorphine module that was loaded into the kernel, but ls /sys/module/ | grep diamorphine works just fine
- all loaded symbols available at /sys/kernel/tracing/available_filter_functions

$ sudo cat /sys/kernel/tracing/available_filter_functions | grep diamorphine
hacked_getdents [diamorphine]
hacked_kill [diamorphine]
hacked_getdents64 [diamorphine]
get_syscall_table_bf [diamorphine]
find_task [diamorphine]
is_invisible [diamorphine]
give_root [diamorphine]
module_show [diamorphine]
module_hide [diamorphine]

Of course it's hidden in /proc/kallsyms, and I suppose this is what rkhunter is using to find malware.

I haven't tested any other rootkit samples, so it's unclear if this method can detect other rootkit families. It's unknown if there's any other location in sysfs where a rootkit leaves traces.

So I think checking kernel symbols in available_filter_functions could be a better way to detect rootkits inside an infected system, and rkhunter can use this method.
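The cross-check described in this ticket, written up as an added example (not rkhunter's code and not the reporter's): module names from /sys/module/ and from the "[module]" tags in available_filter_functions are compared against /proc/modules, which is what lsmod reads. It assumes the standard sysfs and tracefs paths, and relies on the fact that only loadable modules get an initstate file under /sys/module/.

```shell
#!/bin/sh
# Added example, not rkhunter code: cross-check the module list lsmod reads
# (/proc/modules) against two views the ticket found Diamorphine does not
# hide, the /sys/module/ tree and the "[module]" tags in
# /sys/kernel/tracing/available_filter_functions. File paths are arguments so
# the same checks run on copies saved from a suspect host.

# Module names that own a directory in a /sys/module-style tree. Only loadable
# modules get an "initstate" file; built-in code with parameters gets a
# directory there too, so that file is used to tell the two apart.
sysfs_module_names() {
    for d in "$1"/*/; do
        [ -f "$d/initstate" ] && basename "$d"
    done | sort -u
}

# Module names from the "[name]" tags in an available_filter_functions dump;
# core kernel functions carry no tag and are skipped.
ftrace_module_names() {
    sed -n 's/^.*\[\([^]]*\)\]$/\1/p' "$1" | sort -u
}

# Read candidate names on stdin and print those missing from the first column
# of the /proc/modules-style file given as $1. Anything printed is code the
# kernel is running that lsmod does not report, which is how the ticket
# spotted diamorphine.
hidden_modules() {
    awk 'FILENAME == ARGV[1] { known[$1] = 1; next }
         !($1 in known)' "$1" -
}

# Run both comparisons against the live kernel (tracefs needs root).
check_live_system() {
    sysfs_module_names /sys/module | hidden_modules /proc/modules
    ftrace_module_names /sys/kernel/tracing/available_filter_functions |
        hidden_modules /proc/modules
}

# Only touch the live system when explicitly asked: sh check.sh --live
[ "${1:-}" = "--live" ] && check_live_system
```

Run with --live on a host where lsmod looks clean; an empty result means all three views agree, while any name printed deserves a closer look.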
