Horse Pill: A New Type of Linux Rootkit

by Michael Leibowitz Sept. 15, 2017 via www.blackhat.com submitted by belen_caty

What if we took the underlying technical elements of Linux containers and used them for evil? The result a new kind rootkit, which is even able to infect and persist in systems with UEFI secure boot enabled, thanks to the way almost every Linux system boots. This works without a malicious kernel module and therefore works when kernel module signing is used to prevent loading of unsigned kernel modules. The infected system has a nearly invisible backdoor that can be remote controlled via a covert network channel. Hope is not lost, however! Come to the talk and see how the risk can be eliminated/mitigated. While this may poke a stick in the eye of the current state of boot security, we can fix it!

https://www.blackhat.com/us-16/briefings.html#horse-pill-a-new-type-of-linux-rootkit

Avatar
Steven Ulm 1 month ago

Once you take the Horse Pill , you never go back... lol

Reply