PoC rootkit Curing evades traditional Linux detection systems


Apr 28, 2025 - 11:02

Researchers created a PoC rootkit called Curing that uses Linux’s io_uring feature to evade traditional system call monitoring.

Armo researchers have demonstrated a proof-of-concept (PoC) rootkit named Curing that relies on Linux asynchronous I/O mechanism io_uring to bypass traditional system call monitoring.

“Curing is a POC of a rootkit that uses io_uring to perform different tasks without using any syscalls, making it invisible to security tools which are only monitoring syscalls. The project was found effective against many of the most popular security tools such as Linux EDR solutions and container security tools,” reads the description provided by the researchers on GitHub. “The idea was born at the latest CCC conference #38c3, therefore the name Curing which is a mix of C and io_uring.”

io_uring is a Linux API for asynchronous I/O. The application and the kernel share a pair of ring buffers (a submission queue and a completion queue), so file and network operations can be queued and completed without the application issuing the corresponding system calls such as read, write or connect. Security tools that monitor only those syscalls therefore never see the operations.

io_uring was introduced in Linux kernel version 5.1 in March 2019.

“The rootkit demonstrates communication between a C2 server and an infected host to pull commands and execute them without making any system calls relevant to its operations.” reads the report published by the experts. “The main idea was to show that io_uring allows so many important operations that you can write an entire rootkit on top of.”

The researchers explained that, at the time of writing, io_uring supports 61 operations, including network and file system tasks. To demonstrate the real-world risk, they built a fully functional rootkit that relies entirely on io_uring.

The Curing PoC code for bypassing Falco and Tetragon runtime detection systems is available here.

Researchers speculate that many Linux EDRs are not able to monitor io_uring-based activity. Falco proved blind to such operations, but plans to add LSM hook support. Tetragon could detect io_uring if users manually configure Kprobes or LSM hooks. Microsoft Defender failed to detect various malicious actions like file reads, EICAR drops, and crypto miners, with only basic FIM alerts triggered. SentinelOne confirmed that its agent can detect and neutralize the attacks. Many commercial vendors were either vulnerable or unresponsive, suggesting io_uring rootkits pose a broad risk to current Linux security solutions.
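Because a syscall-only monitor never sees the individual operations, a defender's first question is simply which processes on a host hold an io_uring ring at all, and whether the kernel allows unprivileged processes to create one. The following Python script is an added example, not Armo's code or part of Curing: it reads the `/proc/<pid>/fd` symlink targets (an io_uring instance shows up as the anonymous inode `anon_inode:[io_uring]`) and interprets the `kernel.io_uring_disabled` sysctl, which is assumed to exist only on kernels that ship it (6.6 and later). The fd table `SAMPLE_FD_LINKS` is constructed for illustration.

```python
import os
from pathlib import Path
from typing import Dict, List, Optional

IO_URING_LINK = "anon_inode:[io_uring]"  # /proc/<pid>/fd symlink target of an io_uring ring
SYSCTL_PATH = Path("/proc/sys/kernel/io_uring_disabled")  # Linux 6.6+ (assumed absent earlier)
POLICY = {"0": "enabled for all processes", "1": "disabled for unprivileged processes",
          "2": "disabled for all processes"}

def io_uring_holders(fd_links: Dict[int, Dict[int, str]]) -> Dict[int, List[int]]:
    """Return {pid: [fd, ...]} for every process holding at least one io_uring ring."""
    holders: Dict[int, List[int]] = {}
    for pid, links in fd_links.items():
        rings = sorted(fd for fd, target in links.items() if target == IO_URING_LINK)
        if rings:
            holders[pid] = rings
    return holders

def collect_fd_links(proc: str = "/proc") -> Dict[int, Dict[int, str]]:
    """Read /proc/<pid>/fd symlink targets; processes we may not inspect are skipped."""
    table: Dict[int, Dict[int, str]] = {}
    for entry in os.listdir(proc):
        if not entry.isdigit():
            continue
        fd_dir = os.path.join(proc, entry, "fd")
        try:
            names = os.listdir(fd_dir)
        except OSError:  # EACCES for other users' processes, ENOENT if it already exited
            continue
        links: Dict[int, str] = {}
        for name in names:
            try:
                links[int(name)] = os.readlink(os.path.join(fd_dir, name))
            except (OSError, ValueError):
                continue
        table[int(entry)] = links
    return table

def io_uring_policy(sysctl_value: Optional[str]) -> str:
    """Interpret kernel.io_uring_disabled; a missing sysctl means io_uring is always on."""
    if sysctl_value is None:
        return "sysctl absent: io_uring enabled and cannot be disabled on this kernel"
    return POLICY.get(sysctl_value.strip(), f"unknown value {sysctl_value.strip()!r}")

# Constructed sample fd table: pid 4242 holds two rings, pid 1 holds none.
SAMPLE_FD_LINKS = {1: {0: "/dev/null", 3: "socket:[12345]"},
                   4242: {0: "/dev/pts/0", 5: IO_URING_LINK, 6: IO_URING_LINK}}

if __name__ == "__main__":
    print("policy:", io_uring_policy(SYSCTL_PATH.read_text() if SYSCTL_PATH.exists() else None))
    for pid, fds in io_uring_holders(collect_fd_links()).items():
        print(f"pid {pid} holds io_uring ring(s) on fd {fds}")
```

This is a point-in-time inventory that complements, rather than replaces, the kernel-level LSM or kprobe hooks the report recommends; run it as root so every process's fd table is readable.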

“Today, many security vendors are shifting towards building eBPF-based agents, largely because eBPF is considered “safe” for use in products like EDR and CWPP.” concludes the report. “However, working with eBPF comes with inherent challenges and constraints, particularly due to its verifier, which imposes strict limitations on what code can be safely loaded. This makes the placement of hooks a critical decision.”


Pierluigi Paganini

(SecurityAffairs – hacking, Curing)