Free Rootkit Detection
Wikipedia defines a rootkit as “software that enables continued privileged access to a computer while actively hiding its presence from administrators by subverting standard operating system functionality or other applications.” In other words, it installs itself in such a way that it’s invisible to operating system processes.
A rootkit is more dangerous than a virus because rootkit removal can be difficult and sometimes impossible, especially if it installs itself in the kernel, which usually requires an operating system reinstall. Unfortunately, typical anti-virus software is often useless in detecting and removing hard-core rootkits, and modern rootkit software has been known to attack virtualization hypervisors and firmware.
We all know Windows is a prime target, but what about other operating systems like Unix or Linux? Despite Apple’s insistence that its Mac OS X operating system is immune to virus threats, the harsh reality is that all operating systems are vulnerable to malicious software attacks. According to Wikipedia, 2005 saw a doubling of virus threats for the Linux operating system, from 422 to 863 known viruses, trojans and other threats. The common belief is that the number of threats correlates for the most part with the popularity of an operating system. If that is true, then as Mac OS X and Linux become more popular we will see a surge in malware written for these operating systems. It’s just a matter of time.
Okay, enough about Windows and Apple’s Mac OS X. Let’s talk Open Source. The question you may be asking yourself is: should I be worried about rootkit attacks against my Linux server or desktop? My answer is a definite ‘YES’. I say that because I like to play it safe. My Ubuntu email server is important to me and I want to protect it. I prefer to do whatever it takes to lower my attack surface by patching it regularly, disabling unnecessary services and using security tools to help detect any foul play.
One such tool is ‘chkrootkit’ by Nelson Murilo and Klaus Steding-Jessen. The current release, 0.49, will detect 63 rootkits and worms, and best of all it is free and super easy to use. It is available through the Ubuntu repository, making installation a snap.
From the command prompt:
# apt-get update
# apt-get install chkrootkit
DONE!
To scan your system, simply execute ‘chkrootkit’ as root:
# chkrootkit
You should see the following output:
ROOTDIR is `/'
Checking `amd'... not found
Checking `basename'... not infected
Checking `biff'... not found
Checking `chfn'... not infected
Checking `chsh'... not infected
Checking `cron'... not infected
Checking `crontab'... not infected
Checking `date'... not infected
Checking `du'... not infected
Checking `dirname'... not infected
Checking `echo'... not infected
Checking `egrep'... not infected
Checking `env'... not infected
Checking `find'... not infected
Checking `fingerd'... not found
Checking `gpm'... not found
Checking `grep'... not infected
Checking `hdparm'... not infected
Checking `su'... not infected
Checking `ifconfig'... not infected
Checking `inetd'... not infected
Checking `inetdconf'... not found
Checking `identd'... not found
Checking `init'... not infected
Checking `killall'... not infected
Checking `ldsopreload'... not infected
Checking `login'... not infected
Checking `ls'... not infected
Checking `lsof'... not infected
Checking `mail'... not found
Checking `mingetty'... not found
Checking `netstat'... not infected
Checking `named'... not found
Checking `passwd'... not infected
Running ‘chkrootkit’ regularly is a great idea, but of course we don’t want to do it manually each and every time. Instead, we can use cron to schedule it. Cron is the equivalent of AT in the Windows world.
For example, let’s say we want to schedule ‘chkrootkit’ on a daily basis and email the scan output.
Open the cron configuration file like this:
# crontab -e
Add the following line:
0 3 * * * (/usr/sbin/chkrootkit 2>&1 | mail -s "chkrootkit output" your@email.com)
The above example will execute ‘chkrootkit’ daily at 3 am and email the output to your@email.com. (An email MTA is required.)
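The cron line above mails the whole listing every night, so a real finding is easy to miss among dozens of "not infected" lines. As an added example, not part of the original post, here is a small wrapper that keeps only the lines chkrootkit did not mark as clean, drops entries from a reviewed allow-list of known false positives, and mails only when something is left. The paths /usr/sbin/chkrootkit and /etc/chkrootkit-allow.txt, the sample output and the flagged lines in it are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original post): filter chkrootkit output so the
# nightly cron job mails only lines worth a look.  Assumed paths (not from the
# page): /usr/sbin/chkrootkit and an allow-list at /etc/chkrootkit-allow.txt.

# Endings chkrootkit prints for a clean check, plus the ROOTDIR banner.
CLEAN_RE='not infected$|not found$|not tested$|nothing found$|nothing deleted$|^ROOTDIR is '

# stdin: raw chkrootkit output.  stdout: only the lines that are not clean.
chkrootkit_findings() {
    grep -Ev "$CLEAN_RE" | grep -v '^[[:space:]]*$'
}

# stdin: findings.  Drops lines containing any fixed string listed in the
# allow-list file $1 (one per line); passes everything through if the file
# is missing or empty.  Only add entries you have verified to be benign.
drop_allowed() {
    if [ -s "$1" ]; then grep -vF -f "$1"; else cat; fi
}

# Full run for cron: mail only when there is something to report, and exit 1
# on findings so the job status can also be picked up by monitoring.
run_and_report() {
    findings=$(/usr/sbin/chkrootkit 2>&1 | chkrootkit_findings | drop_allowed /etc/chkrootkit-allow.txt)
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings" | mail -s "chkrootkit findings on $(hostname)" your@email.com
    return 1
}

# Constructed sample in the format shown above; the INFECTED and sniffer
# lines are made up here to exercise the filter and the allow-list.
sample_output() {
    cat <<'EOF'
ROOTDIR is `/'
Checking `amd'... not found
Checking `basename'... not infected
Checking `ifconfig'... INFECTED
Checking `sniffer'... eth0: PACKET SNIFFER(/usr/sbin/dhclient[412])
Checking `w55808'... not infected
EOF
}

# Stand-alone demo on the sample (no chkrootkit needed): prints the two
# findings; with an allow-list containing "dhclient" only INFECTED remains.
sample_output | chkrootkit_findings | drop_allowed /nonexistent-allow-list
```

In the crontab, replace the one-liner above with a call to run_and_report (for example by saving this script and scheduling it at 0 3 * * *), keeping the same MTA requirement.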
And there you go, free rootkit detection for Linux and Unix.
