In the rapidly evolving world of cyber threats, kernel-level rootkits continue to pose a critical challenge to system security. One such example is “KoviD,” a highly stealthy Loadable Kernel Module (LKM) rootkit for Linux Kernel version 5 and above. This blog breaks down how KoviD works, the mechanisms it abuses, and what defenders should learn from it.
Understanding Loadable Kernel Modules (LKM) and LKM Rootkits
➤ Loadable Kernel Modules (LKM)
Loadable kernel modules are pieces of code that can be dynamically loaded into the Linux kernel to extend its functionality without recompiling the kernel or rebooting. Because they are loaded at runtime, the kernel can be adapted to different hardware configurations and can support new devices and features without modifying the main kernel code.
Relevant files and directories are:
- /lib/modules/ – installed kernel modules (on disk)
- /proc/modules – all currently loaded modules (name, size, usage count)
- /sys/module/ – detailed per-module information
➤ LKM as Rootkits
LKM rootkits are malicious kernel modules loaded into the running Linux kernel to hide files, processes, network connections, or to intercept syscalls, thereby concealing the attacker’s presence and activities. LKM rootkits operate in kernel space.
LKM Rootkits Requirements
1. Kernel Access Requirements:
- LKM rootkits can only be loaded by an attacker who already holds root or equivalent privileges, since inserting a module requires direct interaction with the kernel.
- Needs CAP_SYS_MODULE capability, which allows inserting/removing kernel modules.
2. Compilation Dependency on Kernel Headers:
Kernel modules must match the target kernel version precisely:
- Must be compiled with exact matching headers (/lib/modules/$(uname -r)/build)
- Incompatible modules will fail to load with errors like: Invalid module format
➤ Kernel functions hooking methods
Control flow in kernel space is hijacked by hooking kernel functions or kernel-level syscalls.
Once threat actors can insert a malicious LKM, they have complete control over kernel space (and hence over the entire machine) and can abuse various kernel features. Common methods attackers use to hook kernel functions:
1. Syscall table modification
2. Kprobes (kernel probes)
3. Ftrace
4. VFS (Virtual File System) manipulation.
Knowing KoviD
The KoviD rootkit is a stealthy and modular Loadable Kernel Module (LKM) designed to target Linux Kernel versions 5 and above. It provides a powerful and evasive toolkit for attackers, enabling deep-rooted persistence, data exfiltration, and stealth at the kernel level. KoviD’s capabilities include hiding itself from system listings, intercepting kernel syscalls and functions, concealing files, directories, and network connections, backdooring systems via covert packet-based access, and even evading anti-rootkit tools that use eBPF or BPF-based hooks.
KoviD LKM Rootkit Capabilities
➤ Hide itself (module):
- KoviD hides itself, making it challenging to detect. It customizes kernel code to evade anti-rootkit detectors and disappears from /sys/module listings.
Command to hide: echo hide-lkm > /proc/mytest
- /proc filesystem – a virtual filesystem that exposes kernel and process information
- /proc/<name> – a custom entry created by a kernel module (e.g., /proc/mytest)
- This command triggers the hiding logic in the KoviD kernel module, making the rootkit invisible to standard user-space tools like:
- lsmod [Won’t list KoviD]
- /proc/modules [No entry for KoviD]
- /sys/module/ [No folder for KoviD]
- Security scanners that rely on those sources
Command to unhide: echo unhide-lkm > /proc/mytest
➤ Hide files and directories:
- Hides malicious files from directory listings: once the LKM rootkit has loaded, the ‘ls’ command will not display the malicious file even though it still exists on disk.
- KoviD hides files and directories effectively by hijacking the filldir and filldir64 kernel functions.
Useful system calls and Kernel Functions for LKM rootkits like KoviD:
getdents64 – System Call
- Retrieves directory entries (e.g., when running ls) from a file descriptor pointing to a directory.
filldir() – Kernel Function
- Called from inside the kernel when the system is populating the list of files and subdirectories during a directory read.
- filldir() is not a syscall. It is used internally by getdents64 as a callback that copies each file name and its metadata into the user-supplied buffer.
KoviD kernel rootkit hooks into filldir() to filter out specific filenames before they reach user space.
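As an added defender-side example (not part of the original post and not KoviD code), the following C functions read a directory through the raw getdents64 syscall, walking the linux_dirent64 records that filldir64 populates, and compare the number of subdirectories seen with the directory inode's link count; this goes a step beyond the text by turning the filldir explanation into a check. It assumes the ext4/xfs rule that a directory's st_nlink equals 2 plus its number of subdirectories; btrfs and some union mounts report 1 instead, which the code treats as "not usable" rather than as a finding.

```c
#define _GNU_SOURCE
#include <dirent.h>
#include <fcntl.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Record layout the kernel's filldir64 callback writes into the getdents64
 * buffer (struct linux_dirent64 in the kernel headers). */
struct linux_dirent64 {
    unsigned long long d_ino;
    long long d_off;
    unsigned short d_reclen;
    unsigned char d_type;
    char d_name[];
};

/* ext4/xfs keep st_nlink == 2 + number of subdirectories for a directory;
 * btrfs and some union mounts report 1, so the check is meaningless there. */
int nlink_usable(unsigned long st_nlink) { return st_nlink >= 2; }

/* Gap between what the link count implies and what getdents64 delivered:
 * positive = subdirectories dropped before user space, e.g. by a filldir hook. */
long hidden_subdirs(unsigned long st_nlink, long seen) { return (long)st_nlink - 2 - seen; }

/* Counts subdirectories of path with the raw getdents64 syscall; -1 on error. */
long count_subdirs(const char *path)
{
    unsigned long long buf[1024];   /* 8 KiB, 8-byte aligned for the records */
    long seen = 0, n;
    struct stat st;
    int fd = open(path, O_RDONLY | O_DIRECTORY);
    if (fd < 0) return -1;
    while ((n = syscall(SYS_getdents64, fd, buf, sizeof buf)) > 0) {
        for (long off = 0; off < n;) {
            struct linux_dirent64 *d = (struct linux_dirent64 *)((char *)buf + off);
            int is_dir = d->d_type == DT_DIR;
            if (d->d_type == DT_UNKNOWN) /* filesystems that leave d_type unset */
                is_dir = fstatat(fd, d->d_name, &st, AT_SYMLINK_NOFOLLOW) == 0 && S_ISDIR(st.st_mode);
            if (is_dir && strcmp(d->d_name, ".") != 0 && strcmp(d->d_name, "..") != 0)
                seen++;
            off += d->d_reclen;
        }
    }
    close(fd);
    return n < 0 ? -1 : seen;
}
```

Call count_subdirs() on a suspect directory, stat() it, and when nlink_usable() is true feed both values to hidden_subdirs(); a positive gap means entries were removed between the filldir callback and user space.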
➤ Function and syscall hijacking: KoviD leverages Ftrace, a legitimate method for function and syscall hijacking in Kernel v5+.
➤ KoviD exploits the SIGCONT signal and a hardcoded PID to trigger root-level escalation. By sending kill -SIGCONT 666, any process can gain root access.
➤ Also, a signal-based activation (kill -SIGCONT 31337) temporarily registers the “/proc/mytest” interface for 120 seconds, further enhancing stealth by avoiding prolonged exposure.
Preventing Loadable Kernel Modules (LKM) based Rootkits
Use echo 1 > /proc/sys/kernel/modules_disabled after boot
- Writing 1 to this sysctl disables loading and unloading of kernel modules for the rest of the system's uptime; it cannot be set back to 0 without a reboot.
- Run it once all legitimate modules have been loaded. From then on, every attempt to load or remove a module fails.
- No insmod, modprobe, or rmmod will work.
- Even root users or processes with CAP_SYS_MODULE cannot insert or remove modules.
- Prevents LKM rootkit installation or unauthorized LKM injection
Conclusion
From a defensive standpoint, KoviD reinforces the critical need for proactive kernel hardening, strict control over module loading, continuous integrity monitoring, and advanced behavioral analysis. Traditional user-space detection tools are insufficient against such rootkits; defenders must evolve toward kernel-aware security architectures.
As Linux continues to power critical infrastructure, servers, and cloud-native environments, understanding and preparing for kernel-mode threats like KoviD is no longer optional; it is imperative.