Horse Pill: A New Type of Linux Rootkit

Presented at Black Hat USA 2016, Aug. 4, 2016, 12:10 p.m. (50 minutes).

What if we took the underlying technical elements of Linux containers and used them for evil? The result a new kind rootkit, which is even able to infect and persist in systems with UEFI secure boot enabled, thanks to the way almost every Linux system boots. This works without a malicious kernel module and therefore works when kernel module signing is used to prevent loading of unsigned kernel modules. The infected system has a nearly invisible backdoor that can be remote controlled via a covert network channel. Hope is not lost, however! Come to the talk and see how the risk can be eliminated/mitigated. While this may poke a stick in the eye of the current state of boot security, we can fix it!

Presenters:

• Michael Leibowitz / @r00tkillah - Intel   as Michael Leibowitz
  Michael Leibowitz (@r00tkillah) has done hard-time in real-time. An old-school computer engineer by education, he spends his days championing product security for a large semiconductor company. Previously, he developed and tested embedded hardware and software, dicked around with strap-on boot roms, mobile apps, office suites, and written some secure software. On nights and weekends he hacks on electronics, writes Blackhat CFPs, and contributes to the NSA Playset.

Links:

• https://www.blackhat.com/us-16/briefings.html#horse-pill-a-new-type-of-linux-rootkit
• https://infocon.org/cons/Black Hat/Black Hat USA/Black Hat USA 2016/Horse Pill - A New Type of Linux Rootkit.mp4
• https://www.youtube.com/watch?v=wyRRbow4-bc
• https://www.blackhat.com/docs/us-16/materials/us-16-Leibowitz-Horse-Pill-A-New-Type-Of-Linux-Rootkit.pdf

Similar Presentations:

• REcon 2011 / Advances in rootkit technology - Atmosphere: A network-covert, remote FreeBSD hidden kernel-thread rootkit
• ShmooCon X (2014) / The Evolution of Linux Kernel Module Signing
• DEF CON 10 (2002) / Linux Kernel Security with LIDS