Skip to content

null9900/FUSE-malware

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

1 Commit
LICENSE
LICENSE
 
 
README.md
README.md
 
 
cleanup.go
cleanup.go
 
 
data.go
data.go
 
 
errors.go
errors.go
 
 
fuse.go
fuse.go
 
 
go.mod
go.mod
 
 
go.sum
go.sum
 
 
hide.go
hide.go
 
 
main.go
main.go
 
 

Repository files navigation

Malware in the filesystem

This note was published in the 2600 magazine -- Autum 2025

While researching UNIX sandboxing solutions, one in particular caught my attention: mbox.

This sandbox creates a copy-on-write version of any file accessed by a sandboxed process, intercepting specific system calls using Seccomp and Ptrace. The solution is old, but still fascinating. Naturally, I started wondering: how could we build a better version?

FUSE (Filesystem in Userspace) is a Linux kernel module that lets you implement a filesystem entirely in user space. That means you can write your own special filesystem using the FUSE protocol. For our sandboxing example, this allows us to intercept every file access, log it, create copies, or tamper with it at will. All filesystem operations are under our complete control.

How might we abuse the power of FUSE? This note presents a PoC demonstrating how FUSE can be used to create malware disguised as a filesystem. Specifically, we'll show how to spy on the commands typed into a user's terminal. Pretty neat, right?

If you open a terminal on Linux, you'll notice you can scroll through your command history with the up and down arrows. But where is that history stored? And how does it actually work?

In bash, for example, your command history is saved to a file called .bash_history. When a shell session exits, bash flushes the session's commands into that file. When you open a new terminal, bash reads .bash_history back into memory so you can reuse old commands.

Interesting. So our goal now is to spy on .bash_history.

Thanks to FUSE, we can do this without even reading the real file directly. One method is to replace the user's .bash_history with a symlink to a file inside our FUSE-mounted filesystem. Every time bash writes a new command to history, our FUSE node sees the write. This lets us silently capture the user's command history, and exfiltrate it to a server.

Another method is to modify the HISTFILE environment variable in .bashrc to point to a file inside our FUSE filesystem. This achieves the same goal, as every read and write to the history file is now fully under our control.

We can also hook read operations on the history file, serving either the legitimate content or injecting malicious commands into the user's history.

This idea naturally extends to other sensitive files, for instance, .ssh/authorized_keys. What's beautiful about this approach is that the malware never read or open the target files directly. Instead, it impersonates the filesystem itself. Malware as the filesystem! The filesystem is the payload.

+------------------------+
|      User Terminal      |
|  (typing commands)      |
+-----------+------------+
            |
            v
+------------------------+
|      Bash Shell         |
|  (writes to HISTFILE)   |
+-----------+------------+
            |
            v
+------------------------+
|   FUSE FS (evil)        |
|  - intercepts writes    |
|  - logs commands        |
|  - can modify data      |
+-----------+------------+
            |
            v
+------------------------+
|   Real FS               |
|  (actual disk storage)  |
+------------------------+
  • Author: Maysara Alhindi

About

Malware in the filesystem using FUSE

Resources

Readme

License

MIT license
Activity

Stars

0 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

 
 
 

Contributors

Languages