Currently the only rootkit scanners I know of have to be installed on the machine before the rootkit so that they can compare file changes etc (e.g.: chkrootkit and rkhunter), but what I really need to do is to be able to scan my machine and other machines from a LiveUSB because if the rootkit is good enough then it will have taken over the rootkit detection programs too.

So is there a signature-based rootkit scanner for Ubuntu/Linux that I could just install on a LiveUSB and use to reliably scan machines I plug it into without it having to monitor behaviour or compare files from previous dates?


AIDE (Advanced Intruder Detection Envionment) is a replacement to tripwire mentioned in another answer here. From wikipedia:

The Advanced Intrusion Detection Environment (AIDE) was initially developed as a free replacement for Tripwire licensed under the terms of the GNU General Public License (GPL).

The primary developers are named as Rami Lehti and Pablo Virolainen, who are both associated with the Tampere University of Technology, along with Richard van den Berg, an independent Dutch security consultant. The project is used on many Unix-like systems as an inexpensive baseline control and rootkit detection system.


Functionality

AIDE takes a "snapshot" of the state of the system, register hashes, modification times, and other data regarding the files defined by the administrator. This "snapshot" is used to build a database that is saved and may be stored on an external device for safekeeping.

When the administrator wants to run an integrity test, the administrator places the previously built database in an accessible place and commands AIDE to compare the database against the real status of the system. Should a change have happened to the computer between the snapshot creation and the test, AIDE will detect it and report it to the administrator. Alternatively, AIDE can be configured to run on a schedule and report changes daily using scheduling technologies such as cron, which is the default behavior of the Debian AIDE package.2

This is mainly useful for security purposes, given that any malicious change which could have happened inside of the system would be reported by AIDE.


Since the wikipedia article was written the then current maintainer Richard van den Berg (2003-2010) has been replaced by a new maintainer Hannes von Haugwitz from 2010 to present.

The AIDE homepage states Debian is supported which means the application can be installed in ubuntu with the predicatable:

sudo apt install aide

As far as portability and USB pen drive support the homepage goes on to say:

It creates a database from the regular expression rules that it finds from the config file(s). Once this database is initialized it can be used to verify the integrity of the files. It has several message digest algorithms (see below) that are used to check the integrity of the file. All of the usual file attributes can also be checked for inconsistencies. It can read databases from older or newer versions. See the manual pages within the distribution for further info.

This implies to me you could have the signature database on your pen drive along with the application on live USB persistent storage. I'm not sure AIDE suits your needs but as it's a replacement to tripwire your current favorite it bears looking into.


Reminds me of tripwire which creates cryptographic checksums of the files you specify. Install a copy of the system you are checking from known good source (DVD for example), install the same updates of the target system), have tripwire create the checksum file. Copy tripwire's checksum file to the target system, have tripwire compare checksum file with target system's files.

Out of sync updates / upgrades / installs / system specific configuration files will of course be flagged / marked as changed.

Update 2018-05-06:

I should also add that the target system must be checked offline. If the target has been compromised, the hardware, boot firmware, os kernel, kernel drivers, system libraries, binaries may have already been compromised and interfere or return false positives. Even running across a network into the target system might not be safe since the (compromised) target system would be processing the network packets, file system, block device, etc. localy.

The smallest comparable scenario that comes to mind are smart cards (EMV used in credit cards, PIV used by federal government, etc.). Disregarding wireless interfaces, and all the hw/electrical/rf protections, the contact interface is essentially a serial port, three wire, or two wire. The API is standardized and white boxed so everyone agrees it is impervious. Did they protect the data in transit, in runtime memory, at rest in flash memory?

But the implementation is closed source. A backdoor may exist in the hardware to copy the entire runtime and flash memory out. Others may manipulate the data in transit between the hardware and the internal memories, Smart Card OS, or I/O from/to the card. Even if hw/fw/sw/compilers are open source, you would have to audit everything at every step and still you could miss something you/everyone else didn't think of. The paranoia can send you into a white rubber room.

Sorry for running off on a paranoia tangent. Seriously, take the target drives out to test. You only have to worry about the target drive hw/fw then. Better yet, just take out the HDD platters / SSD flash chips to test (assuming your test system is golden). ;)