The danger of ring3 rootkits

By Fernando Mercês, Trend Micro

The Linux kernel has reached a high level of security, and that’s exactly why malware creators have moved away from kernel land to user land to develop their malicious software. That’s the case with ring3 (user land) rootkits made for Linux. Without touching the kernel, and by leveraging features of how the Linux loader works, criminals are able to create powerful remote access tools that stay deeply hidden in a Linux environment, giving an administrator little or no chance of detecting them. This talk will explain how these rootkits work, present statistics related to infection, the number of rootkits available and how they are sold in the underground market, and propose solutions to shield Linux against these threats and methods for detection.


Senior Threat Researcher at Trend Micro, where he acts as a cybercrime investigator, making use of reverse engineering and threat intelligence skills to research cyber attacks. Creator of many free security tools, he has presented his work at many conferences, such as Hackers To Hackers Conference, LinuxCon, You Shot The Sheriff and FISL.