4 links
tagged with all of: linux + rootkit
Links
A new rootkit leveraging the io_uring interface has been discovered, capable of bypassing security tooling that relies on monitoring system calls: io_uring lets a process submit file and network operations through shared ring buffers instead of issuing the corresponding syscalls, so syscall-hooking and syscall-tracing sensors see little of its activity. Operating at this low level lets it evade detection and maintain persistence on infected systems, which is a significant concern for system administrators and security professionals whose monitoring is syscall-based.
FlipSwitch is a novel syscall hooking technique developed to bypass the change introduced in Linux kernel 6.9, where the x86 syscall entry path stopped dispatching through an indirect call into sys_call_table, neutralizing the classic table-overwrite hooking method. By directly patching the syscall dispatcher's machine code instead, FlipSwitch lets a rootkit redirect syscalls while remaining stealthy, posing ongoing challenges for kernel security. Detection methods, including YARA rules, have been devised to identify this rootkit in memory or on disk.
A Rust-based Linux kernel module for rootkit detection was developed during an internship at Thalium to improve malware detection on Linux hosts. The article discusses why detecting kernel rootkits matters, outlines the tools and techniques used for this purpose, including the Linux kernel's tracing APIs, and explains the limitations of existing malware detection solutions that motivated the project.
KoviD is an open-source Loadable Kernel Module designed for educational and defensive security research, providing a platform for security professionals to understand and combat rootkit techniques within Linux systems. It enables users to analyze rootkit behavior, develop detection methods, and improve security strategies in a controlled environment. The project emphasizes responsible usage and compliance with legal regulations to ensure ethical testing practices.
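The two entries above concern detecting kernel rootkits and testing against an LKM rootkit in a lab. One cheap cross-view check that a practitioner can run from user space, added here as an illustration and not code from the Thalium detector (which uses kernel tracing APIs) or from the KoviD project, compares the kernel's own module list (/proc/modules) against two other views that a self-hiding LKM often forgets to clean up: its directory under /sys/module and its `[module]`-tagged symbols in /proc/kallsyms. The sample file contents and the module name `hidden_mod` are constructed for the example.

```python
"""
Cross-view consistency check for hidden loadable kernel modules.

An LKM rootkit commonly hides by unlinking itself from the kernel's
module list, which is what /proc/modules and lsmod show. Its entry
under /sys/module and the "[name]" suffix on its symbols in
/proc/kallsyms frequently survive, so a disagreement between these
views is a useful (if bypassable) indicator. This is an added,
user-space heuristic; it is not the technique of either project
mentioned on the page.
"""
import os

# Constructed sample views. ext4 and xfs are visible everywhere;
# hidden_mod is a hypothetical rootkit missing from /proc/modules only.
SAMPLE_PROC_MODULES = """\
ext4 901120 2 - Live 0xffffffffc0a00000
xfs 1900544 0 - Live 0xffffffffc0b00000
"""
SAMPLE_SYSFS_LOADED = {"ext4", "xfs", "hidden_mod"}
SAMPLE_KALLSYMS = """\
ffffffff81000000 T _stext
ffffffffc0a01000 t ext4_readdir\t[ext4]
ffffffffc0b02000 t xfs_file_open\t[xfs]
0000000000000000 t hooked_getdents64\t[hidden_mod]
"""


def parse_proc_modules(text):
    """Module names from /proc/modules; the name is the first field."""
    return {line.split()[0] for line in text.splitlines() if line.split()}


def parse_kallsyms_modules(text):
    """Module names from /proc/kallsyms lines of the form
    'addr type symbol [module]'. Built-in symbols carry no suffix,
    so every suffix names a loaded (or hidden) module. The suffix is
    still present when kptr_restrict zeroes the addresses."""
    names = set()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 4 and parts[3].startswith("[") and parts[3].endswith("]"):
            names.add(parts[3][1:-1])
    return names


def loaded_modules_from_sysfs(sysfs_root="/sys/module"):
    """Names under /sys/module that belong to loaded modules.
    Built-in modules also get a directory there (for their parameters),
    but only loaded modules have an 'initstate' file."""
    try:
        entries = os.listdir(sysfs_root)
    except OSError:
        return set()
    return {name for name in entries
            if os.path.exists(os.path.join(sysfs_root, name, "initstate"))}


def find_hidden_modules(proc_modules, sysfs_modules, kallsyms_modules):
    """Modules present in sysfs or kallsyms but absent from /proc/modules."""
    return sorted((sysfs_modules | kallsyms_modules) - proc_modules)


def check_sample():
    """Run the check over the constructed views above."""
    return find_hidden_modules(parse_proc_modules(SAMPLE_PROC_MODULES),
                               SAMPLE_SYSFS_LOADED,
                               parse_kallsyms_modules(SAMPLE_KALLSYMS))


def check_live():
    """Run the check against the running kernel (Linux only; reading
    /proc/kallsyms module suffixes does not require root)."""
    with open("/proc/modules") as f:
        proc = parse_proc_modules(f.read())
    with open("/proc/kallsyms") as f:
        kall = parse_kallsyms_modules(f.read())
    return find_hidden_modules(proc, loaded_modules_from_sysfs(), kall)


if __name__ == "__main__":
    print("sample view:", check_sample())
    if os.path.exists("/proc/modules"):
        print("live view:  ", check_live())
```

The check is deliberately one-directional: a module that is in /proc/modules but absent from sysfs or kallsyms is normal during unload, so only the "visible elsewhere but not in the module list" case is reported. A rootkit that also removes its sysfs kobject and its kallsyms entries defeats it, which is why the Thalium detector works from inside the kernel rather than from these user-space views.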