Anti-Rootkit programs

What program do you use for detecting Rootkits? How do you know what to trust?


Solution 1:

On Unix-based systems, Tripwire is a good general "what changed on this machine today?" solution. There are other, more specific rootkit detectors out there, but I've always thought that it was a matter of playing catchup with the bad guys; you'll never be sure that your rootkit detector is up-to-date enough to catch all of 'em.
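A minimal Tripwire-style "what changed?" check in Python, added here as an example and not code from the original answer or from Tripwire: snapshot() hashes and records mode, owner and size for every regular file under a root, compare() reports what was added, removed or modified, and demo() runs it on a constructed temporary tree. It assumes a POSIX filesystem and, like any host-based checker, trusts the kernel's view of the files, so a kernel rootkit can feed it false data.

```python
import hashlib
import stat
import tempfile
from pathlib import Path

def snapshot(root):
    """Record sha256, mode, owner and size of every regular file under root.
    Like Tripwire, this trusts the kernel to return honest data."""
    root = Path(root)
    baseline = {}
    for path in sorted(root.rglob("*")):
        st = path.lstat()  # lstat: symlinks are skipped, not followed
        if not stat.S_ISREG(st.st_mode):
            continue
        h = hashlib.sha256()
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(65536), b""):
                h.update(chunk)
        baseline[str(path.relative_to(root))] = {
            "sha256": h.hexdigest(),
            "mode": stat.S_IMODE(st.st_mode),  # includes setuid/setgid bits
            "uid": st.st_uid, "gid": st.st_gid, "size": st.st_size}
    return baseline

def compare(old, new):
    """Report paths added, removed or modified between two snapshots."""
    modified = {}
    for rel in old.keys() & new.keys():
        diffs = {k: (old[rel][k], new[rel][k])
                 for k in old[rel] if old[rel][k] != new[rel][k]}
        if diffs:
            modified[rel] = diffs
    return {"added": sorted(new.keys() - old.keys()),
            "removed": sorted(old.keys() - new.keys()),
            "modified": modified}

def demo():
    """Constructed scenario: baseline a tiny tree, then replace one file with
    a same-size setuid copy and add a new file; returns the compare() report."""
    root = Path(tempfile.mkdtemp())
    (root / "bin").mkdir()
    ls = root / "bin" / "ls"
    ls.write_bytes(b"original")
    ls.chmod(0o755)
    base = snapshot(root)
    ls.write_bytes(b"trojaned")  # same size, different content
    ls.chmod(0o4755)             # setuid bit added
    (root / "bin" / "extra").write_bytes(b"x")
    return compare(base, snapshot(root))
```

Call demo() to see the report; a size-preserving replacement is caught by the hash, and the setuid change by the mode field.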

Solution 2:

I have been using OSSEC and have been really impressed by the results.

Solution 3:

None of the available free rootkit checkers for Linux are very good. They can't even detect all the publicly available (most for many years) rootkits that you can find source code for on sites like packetstorm. Not only do they not do a good job with the known threats, but there is good reason to expect that they will perform worse against any intelligent attacker, who has the opportunity to test against the detectors in advance of using his rootkit.

Furthermore, there is no reason to assume that a rootkit will have an on-disk footprint that can be detected with a tool like Tripwire. Kernel rootkits can deceive any software running on the infected system; even if you're running a trusted binary from read-only media it might be getting falsified information from the operating system. Furthermore, memory-resident-only malware is not just a theoretical worry any more; its use has been documented by security firms such as Mandiant. Against such a rootkit, even offline analysis would be ineffective, although on the plus side the malware might not survive the reboot.

There are some solutions, but not free or cheap. A large corporation or government entity can spring for a memory forensics tool like Second Look from Pikewerks, or one could hire a security consultant who might employ such a tool as part of their arsenal. Others, go ahead and use the available anti-rootkit programs. They are not 100% useless. Just do what you can to avoid being rooted by someone with a customized, non-public rootkit. How large is the risk? Unfortunately, there are no statistics I know of to go by. Clearly Linux does not suffer from the enormous volume of "mass malware" that Windows does, but how common are stealthy, targeted attacks?

(Disclosure: I am an author of the Second Look product mentioned above.)