This weekend I was nerdsniped into adding detection for #eBPF #rootkits to the sunlight project:

https://github.com/tstromberg/sunlight

Probably the most difficult part was just getting any eBPF-based rootkit to function. Most open-source PoCs fail miserably on recent Ubuntu LTS builds. Almost none of them build properly on arm64, either.

As an added bonus, the latest release also does a better job detecting signals-based rootkits, like #Diamorphine.

GitHub - tstromberg/sunlight: Linux #rootkit and #malware revealer

There is no technical reason that makes eBPF or any other rootkit technology detectable; it just happens that every available example leaves visible traces.

The detection bar on Linux is so low that it doesn’t really matter. I’d wager that less than 1% of hosts have active malware detection, and less than 1% of those have a human reviewing alerts.
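One concrete instance of a "visible trace" from a signals-based rootkit, as an added example that is not part of the original post and not sunlight's own code: Diamorphine's hooked kill() treats signal 63 as a toggle that links or unlinks the module from the kernel's module list, so a hidden module reappears in /proc/modules after it receives that signal once. The probe below snapshots /proc/modules, sends signal 63 to itself, and diffs the two snapshots. The sample /proc/modules text is constructed, and the function names are this example's own; only the signal number and the toggle behaviour come from Diamorphine's documented interface.

```go
package main

import (
	"bufio"
	"fmt"
	"os"
	"os/signal"
	"sort"
	"strings"
	"syscall"
)

// Diamorphine's kill() hook swallows signal 63 and toggles whether the module
// is linked into the kernel's module list, i.e. whether it shows up in
// /proc/modules. The module name is not assumed, only the toggle behaviour.
const diamorphineToggleSig = syscall.Signal(63)

// Constructed /proc/modules snapshots (not captured from a real host), used to
// exercise the diff logic without a rootkit present.
const sampleBefore = "xt_conntrack 16384 1 - Live 0x0000000000000000\n" +
	"ext4 999424 1 - Live 0x0000000000000000\n"
const sampleAfter = sampleBefore +
	"diamorphine 16384 0 - Live 0x0000000000000000 (OE)\n"

// parseModules extracts the module names (first field of each line) from the
// text of /proc/modules.
func parseModules(text string) map[string]bool {
	mods := make(map[string]bool)
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		if f := strings.Fields(sc.Text()); len(f) > 0 {
			mods[f[0]] = true
		}
	}
	return mods
}

// newlyVisible returns, sorted, the module names present in after but absent
// from before.
func newlyVisible(before, after string) []string {
	seen := parseModules(before)
	var out []string
	for name := range parseModules(after) {
		if !seen[name] {
			out = append(out, name)
		}
	}
	sort.Strings(out)
	return out
}

// probeSignalToggle snapshots /proc/modules, sends sig to the prober itself,
// and reports every module that became visible. The signal is set to ignored
// first: 63 is a real-time signal whose default action would terminate the
// prober on a clean host where nothing intercepts it.
func probeSignalToggle(sig syscall.Signal) ([]string, error) {
	before, err := os.ReadFile("/proc/modules")
	if err != nil {
		return nil, err
	}
	signal.Ignore(sig)
	defer signal.Reset(sig)
	if err := syscall.Kill(os.Getpid(), sig); err != nil {
		return nil, err
	}
	after, err := os.ReadFile("/proc/modules")
	if err != nil {
		return nil, err
	}
	return newlyVisible(string(before), string(after)), nil
}

func main() {
	fmt.Println("constructed sample diff:", newlyVisible(sampleBefore, sampleAfter))

	appeared, err := probeSignalToggle(diamorphineToggleSig)
	if err != nil {
		fmt.Fprintln(os.Stderr, "probe failed:", err)
		os.Exit(1)
	}
	if len(appeared) == 0 {
		fmt.Println("no module appeared after signal", int(diamorphineToggleSig))
		return
	}
	for _, name := range appeared {
		fmt.Printf("SUSPICIOUS: module %q became visible after signal %d\n",
			name, int(diamorphineToggleSig))
	}
}
```

Two practical caveats: the signal is a toggle, so a second run against a live Diamorphine hides the module again, which means the first run's result is the one to record; and a legitimate modprobe landing between the two reads would also show up in the diff, so a hit should be confirmed by re-reading /proc/modules and by checking the new module's sysfs entry rather than treated as proof on its own. Neither reading /proc/modules nor signalling your own PID needs root.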