Researchers have developed a proof-of-concept rootkit named Curing that leverages io_uring, a Linux asynchronous I/O interface, to bypass traditional system call monitoring techniques.
This approach exposes a critical blind spot in Linux runtime security tools, as most of them rely heavily on system call hooking. Since the Curing rootkit operates entirely through io_uring, it avoids triggering conventional monitoring systems.
Notably, the rootkit can establish communication between a command-and-control (C2) server and an infected machine, enabling it to fetch and execute commands without issuing the system calls those operations would normally require, so syscall-based monitors see nothing to flag.
Security company ARMO analyzed several runtime security tools and found that popular solutions like Falco and Tetragon fail to detect such threats due to their system call dependencies.
This development raises serious concerns about the future of Linux security and the urgent need to evolve detection techniques.
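Because the article's point is that syscall hooking misses io_uring activity, a defender's first question is which processes on a host hold io_uring instances at all. The script below is an added example, not code from the article or from ARMO's research. It relies on one documented fact about Linux: an io_uring ring is an anonymous inode, so the symlink for its file descriptor under `/proc/<pid>/fd/` resolves to `anon_inode:[io_uring]`. Everything else (the function names, the constructed sample descriptor list, the triage output format) is an assumption of this example.

```python
"""Inventory processes that own io_uring instances by walking /proc.

Added example, not from the article or ARMO. Heuristic only: databases,
storage daemons and some language runtimes use io_uring legitimately, so
a hit is a triage lead, not a verdict. A kernel-level implant could also
hide from /proc; this is a cheap baseline check, not a full detection.
"""
import os

# Symlink target Linux reports for an io_uring file descriptor.
IO_URING_TARGET = "anon_inode:[io_uring]"


def is_io_uring_fd(link_target: str) -> bool:
    """True if an /proc/<pid>/fd/<n> symlink target denotes an io_uring ring."""
    return link_target == IO_URING_TARGET


def count_io_uring_fds(link_targets) -> int:
    """Count io_uring descriptors in an iterable of fd symlink targets."""
    return sum(1 for t in link_targets if is_io_uring_fd(t))


def read_fd_targets(pid: int, proc_root: str = "/proc") -> list:
    """Resolve every fd symlink of a process; tolerate races and permission errors."""
    fd_dir = os.path.join(proc_root, str(pid), "fd")
    targets = []
    try:
        for name in os.listdir(fd_dir):
            try:
                targets.append(os.readlink(os.path.join(fd_dir, name)))
            except OSError:
                continue  # fd closed between listdir() and readlink()
    except OSError:
        pass  # process exited, or we lack permission (non-root scan)
    return targets


def read_comm(pid: int, proc_root: str = "/proc") -> str:
    """Short process name from /proc/<pid>/comm, or '?' if unreadable."""
    try:
        with open(os.path.join(proc_root, str(pid), "comm")) as f:
            return f.read().strip()
    except OSError:
        return "?"


def scan_proc(proc_root: str = "/proc") -> list:
    """Return (pid, comm, io_uring_fd_count) for every process holding a ring.

    Returns an empty list when proc_root is absent (e.g. a non-Linux host).
    """
    try:
        entries = os.listdir(proc_root)
    except OSError:
        return []
    findings = []
    for entry in entries:
        if not entry.isdigit():
            continue
        pid = int(entry)
        n = count_io_uring_fds(read_fd_targets(pid, proc_root))
        if n:
            findings.append((pid, read_comm(pid, proc_root), n))
    return findings


# Constructed sample: what one process's fd symlink targets might look like.
SAMPLE_FD_TARGETS = [
    "socket:[12345]",
    "anon_inode:[io_uring]",
    "/dev/null",
    "anon_inode:[eventpoll]",
    "anon_inode:[io_uring]",
]


if __name__ == "__main__":
    # Run as root to see every process; unprivileged runs only see your own.
    for pid, comm, n in scan_proc():
        print(f"pid={pid} comm={comm} io_uring_fds={n}")
```

Run it periodically (or from a cron job) and diff the output against a known baseline of workloads that are expected to use io_uring; a new, unexplained owner of a ring is worth a closer look. Where a host has no legitimate io_uring users, the kernel's `kernel.io_uring_disabled` sysctl (available since Linux 6.6) can restrict or disable the interface outright, which removes the blind spot rather than just observing it.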