De-Cloaking Linux Stealth Rootkits, Whitelisting and UI Updates: Sandfly 1.4 Released

Product Update

August 27, 2018
The Sandfly Security Team

Sandfly 1.4 has been released. We now have capabilities to de-cloak data being hidden by common Linux loadable kernel module stealth rootkits. This capability works even when they are active and trying to evade detection. We have also improved the UI and added per-host whitelisting for individual sandflies.

Linux Stealth Rootkit De-Cloaking

Sandfly has always had methods to discover Linux stealth rootkits (and many other threats), but we are adding a new detection method today. We now have the ability to de-cloak files that contain data being actively hidden by loadable kernel module rootkits on Linux. Sandfly is the first security product for Linux we know of that has this capability so easily available. Sandfly now has methods to tell you there has been tampering and active cloaking of data in critical system areas. Plus, we’ll even show you the suspicious data we found cloaked right at your fingertips.

Below is an example from the Reptile rootkit which modifies /etc/modules to start itself on boot to maintain persistence. Reptile, like other variants of this kind of rootkit (the first to do this was EnyeLKM), allows you to wrap data in special tags (#<reptile> and #</reptile>). When those tags appear in any file, the loaded rootkit will hide their presence so you cannot see them. The cloaked lines will not be visible with any normal Linux system utility such as cat, echo, strings, or even editors. It’s a slick trick and the entries are completely masked without serious effort to unmask them. This means a stealth rootkit could be active on a system for a long time before it is found. At least, that was true was until now.

The extract below shows what Sandfly will display when a stealth rootkit is active on the host hiding file data:

Reptile rootkit decloaked

If we find any kind of cloaked data, you’ll get an immediate alert with heaps of forensic data to determine what is going on as you can see below:

Forensic view linux stealth rootkit cloaked data

You’ll not only see the cloaked data, but full file attributes about the affected file. Even better, we hunt for this activity constantly so you won’t surprised by a long-running and damaging stealth rootkit compromise on your network. Sandfly is not just an intrusion detection system, but a very fast and thorough expert forensic investigator looking for signs of compromise on Linux 24 hours a day.

UI Updates

The user interface has had changes made to make it more responsive and intuitive. The changes overall are minor if you were using the new interface and you won’t need to change your operating habits. You will see a faster response, plus more intuitive messages with general updates to look and feel. Plus, we added in whitelisting features discussed below.


Our agentless security methods not only have low system impact, but also have extremely low false alarm rates. Security products that have lots of false alarms are worthless. We work hard to ensure we don’t pester users with false alarms (aka. false positives) because when a problem is seen by Sandfly, we want to make sure it’s not ignored.

However, a small number of legitimate programs can sometimes cause a false positive. This has mainly been around certain network monitoring applications that can appear to have suspicious network operations but actually are benign. As a result, we’ve had customers asking for the ability to whitelist certain sandfly alarms on a per-host basis so these alerts are not generated. You can now do that.

Sandfly listening network port tmp

When you see an alert show up that is a false alarm on a host, simply whitelist it and that sandfly will not run on that host going forward. The sandflies will run on all other hosts as normal however. You can remove entries from the whitelist if the false alarm situation is resolved.

Expanding Linux Threat Detection

We are always adding new sandfly modules to detect Linux threats. Sandfly works as an extremely high-speed and thorough forensic investigator to hunt for compromised hosts on your network. We are expanding our detection capabilities each week and will have some more exciting announcements in the future. Thanks for using Sandfly.

Let Sandfly keep your Linux systems secure.

Learn More