Watch out for any Linux malware sneakily evading syscall-watching antivirus • The Register Forums

Tuesday 29th April 2025 19:18 GMT Pascal Monett

What a surprise

A tool specifically made to avoid syscalls, which just happen to be what AV tools are actively watching, is hijacked by miscreants for their own nefarious purposes.

I can't help but think that the guy who thought this up must be a serious expert on OSes in general, and on kernels in particular. You have to know the ins and outs of the inner workings of the entire OS stack and the particulars of how it all fits together to dream up a scheme like that and make it work for you.

What a shame that a mind like that decided to employ his formidable intellect for crime, instead of working with Torvalds or Cupertino or even Redmond and making a better world for everyone.

2 7 Reply

Tuesday 29th April 2025 21:20 GMT cyberdemon

Re: What a surprise

> A tool specifically made to avoid syscalls, which just happen to be what AV tools are actively watching, is hijacked by miscreants for their own nefarious purposes.

There is no claim that this has been 'hijacked' by any 'miscreants', yet. It's just AFAICT the usual story of an AV/infosec outfit hyping a relative non-issue with a so-called PoC developed by themselves, for rep points

Rather than release a PoC that does not really constitute a vulnerability (the only 'concept' that it proves is that AV is fundamentally rather futile), a kernel PR would have been more welcome. Any would-be miscreant can take the PoC and perhaps evade detection, but then that is hardly the modern miscreant's primary concern

Once there is malware running on any system, AV or no AV you're 90% screwed anyway

11 0 Reply
1. Tuesday 29th April 2025 22:12 GMT diodesign
  
  Infosec bluster
  
  Yeah, normally we try not to let infosec companies hype up problems they conveniently have the solution to, and we sat on this article for a few days thinking about whether it was worth doing.
  
  But we figured it would be worth bringing io_uring to a wider attention, it appears to be a contentious feature, and this might be a nail in the coffin for it.
  
  We publish a lot of work; some of it is less Earth shattering and more just whatever we felt people would find mildly interesting.
  
  C.
  
  20 0 Reply
  1. Wednesday 30th April 2025 09:32 GMT claimed
    
    Re: Infosec bluster
    
    And that’s why I love it here.
    
    5 0 Reply

This post has been deleted by its author

Tuesday 29th April 2025 19:26 GMT Jou (Mxyzptlk)

Google search first two hits...

sysctl -w kernel.io_uring_disabled=2

Since kernel 6.6 it can be disabled easily, it can be tested easily. IMHO could have been within the article.

5 0 Reply

Tuesday 29th April 2025 22:09 GMT diodesign

[triv]

Well, heh, we did say it can be switched off, and if you can find the command in one Google search, one wonders if it's worth including here.

We also don't like including commands we haven't tested and are not confident about. But seeing as it is pretty straight forward, and easy to run, we've now included it in the article.

C.

13 0 Reply

This post has been deleted by its author

Tuesday 29th April 2025 21:43 GMT Grindslow_knoll

Re: SELinux

Little bit more digging, SL support for monitoring io_uring was added in 5.16 (2022) https://www.paul-moore.com/blog/d/2022/01/linux_v516.html

2 0 Reply

Wednesday 30th April 2025 07:11 GMT Anonymous Coward

Antivirus useless. News at 11.

So.... ....this is about Antivirus software, not any specific issue with io_uring?

That's pretty standard, if you're writing malware, you're going to check that anti-virus software doesn't detect it...

2 0 Reply

Wednesday 30th April 2025 07:18 GMT thosrtanner

"thing.disabled = 2" to disable it? That's pretty inspiring. Most booleans are set to 0 or 1. Why would anyone use 2? Or is 2 even more disabled than 1? And by how much>

This looks like the True/False/File_Not_Found boolean type much beloved of DailyWTF readers.

0 1 Reply

Wednesday 30th April 2025 09:47 GMT 42656e4d203239

Easy to find out why 2=completely disabled.... its because 1 is already in use.

Phoronix

"Submitted by Google engineer Matteo Rizzo, the upstream Linux 6.6 kernel is set to add a new sysctl interface for disabling IO_uring system-wide. The io_uring_disabled sysctl knob is being added that if set to a value of one will block all processes from calling IO_uring's setup function except for those privileged users with the system administrator capability (CAP_SYS_ADMIN). Or if io_uring_disabled is set to a value of 2, it will block all processes regardless of privilege level."

3 0 Reply
1. Thursday 1st May 2025 07:26 GMT thosrtanner
  
  Either something is disabled or it isn't. that's a LEVEL. It's badly named. I see rather too many badly named things in the computing world
  
  0 2 Reply
  1. Wednesday 7th May 2025 11:08 GMT Jou (Mxyzptlk)
    
    Actually I see even FOUR levels!
    
    0 = open
    
    1 = only specified group
    
    2 = no one
    
    aaaand:
    
    "undefined", which IMHO should default to 2. But that is a kernel list discussion.
    
    0 1 Reply