Matheus Alves releases Singularity, an MIT-licensed rootkit demonstrating sophisticated Linux kernel evasion techniques using Ftrace hooks to hide processes, files, and network activity while inviting defensive innovation.
Security researcher Matheus Alves has released Singularity, a fully open-source rootkit for Linux systems that pushes the boundaries of what's possible in kernel-level stealth. Unlike proprietary counterparts, this MIT-licensed project provides transparency into advanced evasion techniques while serving as a research platform for defensive improvements.
Singularity focuses on maintaining undetected persistence after initial compromise. Its core innovation lies in leveraging Linux's built-in Ftrace debugging framework to intercept system calls without modifying CPU trap vectors or directly patching kernel functions. This approach minimizes forensic footprints that traditionally exposed rootkits.
Key evasion capabilities include:
- Module Concealment: Upon loading, the kernel module resets system taint flags and removes itself from active module lists while blocking subsequent module loads. This renders the rootkit invisible to tools like lsmod.
- Process Hiding: A 32-entry PID array tracks attacker-controlled processes. Singularity intercepts signal 59 (SIGEMT) to add processes to its hidden list while filtering:
  - Process existence checks (signal 0)
  - Process group queries (getpgid)
  - Scheduling affinity checks (sched_getaffinity)
  - /proc directory entries
- Filesystem Manipulation: The rootkit filters getdents system calls to remove hidden files from directory listings. It maintains filesystem consistency by:
  - Adjusting parent directory link counts during stat calls
  - Failing openat attempts to hidden paths
  - Filtering readlink for symbolic link resolution
- Network Obfuscation: All traffic to a configurable port (default 8081) disappears from local packet captures by intercepting network stack processing. This doesn't affect external network monitoring.
Notable technical constraints include:
- Ftrace Dependency: Singularity forces Ftrace to remain active and filters read/write operations to /proc/sys/kernel/ftrace_enabled to maintain stealth
- Architecture Support: Currently limited to x86/x86_64 with dual 32/64-bit system call handling
- Persistence Limitations: Hidden files reappear after reboot since the rootkit only affects running kernels
Utility scripts bundled with the project automate evidence removal, including log truncation, source-code shredding, and boot-time loading configuration.
While Singularity demonstrates remarkable stealth, researchers note detectable behaviors:
- Inability to disable Ftrace via standard interfaces
- Consistent failure when loading new kernel modules
- Potential visibility to performance monitoring tools during filesystem operations
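The first two detectable behaviours above can be turned into a simple host probe. The script below is an added example for this article, not code from the Singularity project: it asks the kernel to disable Ftrace through the documented sysctl and checks whether the change took, and it attempts a plain module load to see whether loads are being refused. Both probes need root; the probe module name "dummy" is an assumption, and because the rootkit also filters reads of the sysctl, a clean readback is not proof of absence, only a first-pass check.

```python
import subprocess

FTRACE_SYSCTL = "/proc/sys/kernel/ftrace_enabled"  # documented sysctl path
PROBE_MODULE = "dummy"  # assumed harmless in-tree module for the load probe


def classify_ftrace(before, readback):
    # After writing "0", a readback that is not "0" means the toggle did
    # not take; that matches the "cannot disable Ftrace" symptom.
    before, readback = before.strip(), readback.strip()
    return {"check": "ftrace_disable", "before": before,
            "readback": readback, "suspicious": readback != "0"}


def probe_ftrace(path=FTRACE_SYSCTL):
    # Needs root. Writes 0, reads back, then restores the previous value.
    try:
        with open(path) as f:
            before = f.read()
        with open(path, "w") as f:
            f.write("0\n")
        with open(path) as f:
            readback = f.read()
        with open(path, "w") as f:
            f.write(before)
    except OSError as exc:
        return {"check": "ftrace_disable", "skipped": str(exc)}
    return classify_ftrace(before, readback)


def classify_modprobe(returncode):
    # A non-zero exit on a plain module load is the "consistent failure"
    # symptom; exit 0 means loads still work (no evidence either way).
    return {"check": "module_load", "returncode": returncode,
            "suspicious": returncode != 0}


def probe_modprobe(module=PROBE_MODULE):
    # Needs root. Loads the probe module, then unloads it again.
    try:
        res = subprocess.run(["modprobe", module], capture_output=True)
    except OSError as exc:
        return {"check": "module_load", "skipped": str(exc)}
    if res.returncode == 0:
        subprocess.run(["modprobe", "-r", module], capture_output=True)
    return classify_modprobe(res.returncode)


if __name__ == "__main__":
    print(probe_ftrace(), probe_modprobe())
```

Run it as root on a suspect host; a "suspicious" verdict from either probe is a reason to pull memory or boot a trusted kernel, not a conviction on its own.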
The project explicitly prohibits malicious use, urging researchers to test only on systems with proper authorization. By exposing sophisticated attack techniques in public code, Singularity provides valuable insights for developing next-generation defensive tools while highlighting subtle kernel vulnerabilities that warrant deeper inspection.