Chkrootkit

One of the most popular rootkit scanners on Linux is Chkrootkit [2]. The toolkit by Nelson Murilo and Klaus Steding-Jessen comprises a collection of small C programs specially written to detect a specific anomaly. After unpacking the archive, build the applications by typing

make sense

and then perform a trial run by typing ./chkrootkit (Figure 1). Unfortunately, the rootkit scanner calls various binary programs on the infected system. For this reason, you should always run these tools directly from a separate, clean medium such as a CD or DVD drive:

./chkrootkit -p /cdrom/bin

in order to avoid infection.

Figure 1: Chkrootkit has run once and not found a known rootkit.

Rootkit Hunter

Just like Chkrootkit, Rootkit Hunter also searches the infected system for specific characteristics that indicate the existence of a rootkit. Originally written by Michael Boelen, the tool was passed on to a team of developers in 2006, and the results are visible on SourceForge [3]. After downloading and unpacking the archive, become root and enter the following to build:

./installer.sh --layout custom . --install

Then change to the files subdirectory and modify the rkhunter.conf configuration file. The following command line starts the check

./rkhunter --check

OSSEC

In contrast to previous, simple scanners, OSSEC [4] launches a whole battery of functions (Figure 2). In addition to automatically performing period rootkit detection, it offers permanent monitoring and analysis of logfiles, integrity checks, and (rules-based) intrusion detection. The Rootcheck project has rootkit signatures up for grabs on its website [5].

Figure 2: The OSSEC project offers a web front-end for the monitoring agent.

OSSEC lets you set up a client/server team: Agents monitor the operating system on the client machines. Whenever a suspicious or atypical event occurs, a message is passed on to a central monitoring server, which then performs the analysis, draws conclusions, and raises the alarm if necessary.

To install OSSEC, just unpack the archive and type:

./install.sh

Say yes to all the prompts and choose local as the installation type, if you do not want to set up an agent/server operation.

Next, select one of the installation routine options for rootkit detection, then modify the configuration in /var/ossec/etc/ossec.conf, and launch OSSEC HIDS by typing

/var/ossec/bin/ossec-control start

The program then starts to monitor the target system.

In a default installation, the configuration file is stored in /etc/ossec-init.conf, with all other files in /var/ossec. Rootkit signatures are stored in the files rootkit_files.txt and rootkit_trojans.txt in /var/ossec/etc/shared.