Singularity: LKM rootkit for modern kernels (6.x)
12 hours ago
- #linux
- #cybersecurity
- #rootkit
- Singularity is a Linux Kernel Module (LKM) rootkit designed for modern kernels (6.x).
- Once loaded, the module hides itself automatically and cannot be unloaded without rebooting the machine.
- Processes can be hidden using 'kill -59 PID', making them invisible to tools like 'ps', 'top', and 'ls'.
- Files and directories can be hidden by editing 'include/hiding_directory_def.h'.
- Root privileges can be obtained by launching a shell with the magic word set in the environment, e.g. 'MAGIC=mtz bash'.
- Hidden ports (e.g., 8081) are invisible to 'ss', 'netstat', and 'lsof'.
- Tested on kernels 6.8.0-79-generic and 6.12; other versions may not work.
- Singularity bypasses standard detection tools like 'unhide', 'chkrootkit', and 'rkhunter'.
- For forensic evasion, use '/dev/shm' (tmpfs) and 'shred' to minimize disk traces.
- Persistence can be enabled, but the module becomes visible in 'debugfs'.
- Features include process hiding, filesystem hiding, network stealth, and kernel log sanitization.
- The Rootkit Researchers community focuses on rootkits, malware, red teaming, and cybersecurity.
- Singularity was developed for educational purposes and controlled demonstrations.
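As an added defender-side example (not part of the Singularity project), the following Python script cross-checks the directory-listing view of '/proc' and the '/proc/modules' list against direct path probes and sysfs, which is the kind of view discrepancy that process- and module-hiding hooks can leave behind; since the page states Singularity evades 'unhide'-style checks, treat it as a baseline, not a definitive detector. It assumes a Linux host, root privileges, and that 'pid_max' is read from '/proc/sys/kernel/pid_max'; the fake paths used in comments are constructed.

```python
import os

SYS_MODULE = "/sys/module"


def listed_pids(listdir=os.listdir):
    """PIDs that a readdir of /proc reports (the view ps/top rely on)."""
    return {int(n) for n in listdir("/proc") if n.isdigit()}


def probed_pids(pid_max, exists=os.path.exists):
    """PIDs found by looking up /proc/<pid>/status directly for every candidate PID.
    A hook that filters directory listings but not path lookups shows up here."""
    return {p for p in range(1, pid_max + 1) if exists(f"/proc/{p}/status")}


def hidden_pids(listed, probed):
    """PIDs reachable by path but absent from the directory listing."""
    return sorted(probed - listed)


def listed_modules(text):
    """Module names parsed from the text of /proc/modules (the lsmod view)."""
    return {line.split()[0] for line in text.splitlines() if line.strip()}


def loaded_sysfs_modules(listdir=os.listdir, exists=os.path.exists):
    """Loadable modules known to sysfs. Only loaded LKMs get an 'initstate'
    attribute, so built-in modules that merely export parameters are excluded."""
    return {m for m in listdir(SYS_MODULE) if exists(f"{SYS_MODULE}/{m}/initstate")}


def hidden_modules(listed, in_sysfs):
    """Loaded LKMs that sysfs still knows about but the module list no longer reports."""
    return sorted(in_sysfs - listed)


def main():
    with open("/proc/sys/kernel/pid_max") as f:
        pid_max = int(f.read())
    with open("/proc/modules") as f:
        mods = listed_modules(f.read())
    # Constructed illustration: a hidden task would appear as e.g. [4242] here.
    print("hidden pids:", hidden_pids(listed_pids(), probed_pids(pid_max)))
    print("hidden modules:", hidden_modules(mods, loaded_sysfs_modules()))


if __name__ == "__main__":
    main()
```

Run it as root and compare the output over time; an empty result only means the two views agree, not that nothing is hidden.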