How to Check for Rootkits on Linux, BSD, and OSX

Those of us in UNIX-land (and yes, Mac people, that includes you) don’t often have to deal with malware. There is room for debate about the exact reasons for that, but few would argue that Linux, BSD and OSX get hit as hard or as often as Windows. This does not, however, make us immune to malware. We all download software online, and even those who stick with only their software provider’s packages can still be afflicted by bugs or security holes which may allow nasty people or software inside. As the old saying goes, “an ounce of prevention is worth a pound of cure”. Today we’d like to show you some ways that you can scan your system to make sure there are no nasty rootkits lurking in the shadows.

A common technique used by some malware authors is to replace a normal system binary with one that takes additional or alternative actions. Many of them try to protect themselves by making their corrupted versions immutable in an attempt to make the infection harder to remove. Fortunately, this leaves traces behind that can be picked up by normal system tools.

Use the lsattr command to display the attributes of your system’s binary files in locations such as /bin, /sbin, and /usr/bin, as shown here.

lsattr /usr/bin

Normal, non-suspicious output should look something like this.

[Image: rootkits-lsattr]

You may need root privileges to scan some locations, such as /sbin. If the output contains other attributes such as s, i, or a (i is the immutable flag mentioned above, a marks a file append-only), that could be a sign that something is wrong, and you may wish to try a deeper scan as shown below.
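A listing of /usr/bin is long enough that the odd flag is easy to miss. The following is an added example, not part of the original article: a small filter that passes lsattr output through and prints only entries carrying i, a or s. The sample lines it ships with are constructed for the demonstration (the paths and flag settings are made up), so it runs without lsattr; given directories as arguments it runs the real lsattr over them.

```shell
#!/bin/sh
# Added example, not part of the original article: feed lsattr output through a
# filter that pulls out entries carrying the flags the article calls out
# (i = immutable, a = append-only, s = secure deletion) so a long listing of
# /bin, /sbin and /usr/bin can be skimmed for anomalies.

# Constructed sample in lsattr's "<flags> <path>" format. The paths and flag
# settings are made up for this demonstration; "e" (extents) is the normal,
# uninteresting flag seen on ext4 files.
SAMPLE_LSATTR_OUTPUT='--------------e------- /usr/bin/ls
----i---------e------- /usr/bin/ps
-----a--------e------- /usr/bin/netstat
--------------e------- /usr/bin/ss
s-------------e------- /usr/bin/top'

# Reads lsattr output on stdin and prints only the lines whose flag field
# contains i, a or s. The match is case-sensitive on purpose: S (sync) and A
# (no atime) are ordinary flags and are not reported.
flag_suspicious_attrs() {
    while read -r flags path; do
        [ -n "$path" ] || continue   # skip blank lines and lines with no path
        case "$flags" in
            *[ias]*) printf '%s %s\n' "$flags" "$path" ;;
        esac
    done
}

# Runs the real lsattr over the directories given and filters the result.
# lsattr needs an ext2/3/4-style filesystem and, for places like /sbin, root;
# errors for unsupported files are discarded so only real entries are shown.
scan_dirs() {
    for dir in "$@"; do
        lsattr "$dir" 2>/dev/null
    done | flag_suspicious_attrs
}

# With directories as arguments, scan them; with none, run the filter over the
# constructed sample so the expected output can be seen without lsattr.
if [ $# -gt 0 ]; then
    scan_dirs "$@"
else
    printf '%s\n' "$SAMPLE_LSATTR_OUTPUT" | flag_suspicious_attrs
fi
```

Anything the filter prints is a lead, not a verdict: some distributions legitimately set the immutable flag on a handful of files, so each hit needs to be checked against the package it belongs to.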

Chkrootkit is a tool that scans your system's vital files to determine whether any of them show signs of known malware. It is a collection of scripts that use existing system tools and commands to validate your system files and /proc information. Because it relies on those tools, it is recommended that it be run from a live CD, where there can be higher confidence that the base tools have not already been compromised. You can run it from the command line with just

# You might need "sudo" for root privileges
chkrootkit

[Image: rootkits-chkrootkit]

but since chkrootkit does not create a log file by default, I'd recommend redirecting the output to a log file, for example with

chkrootkit > mylogfile.txt

and when it finishes, just open up the log file in your text editor of choice.

Rootkit Hunter acts a lot like chkrootkit, but bases much of its functionality on hash checks. The software includes known good SHA-1 hashes of common system files, and if it finds that yours differ, it will issue an error or warning as appropriate. Rootkit Hunter could also be called more thorough than chkrootkit, as it includes additional checks regarding network status, kernel modules and other pieces that chkrootkit does not scan.
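To make the hash-check idea concrete, here is an added example (not rkhunter's own code) that does the same thing by hand: record digests of your binaries while the system is trusted, and compare against that baseline on later scans. It uses SHA-256 through sha256sum (falling back to shasum -a 256 on systems without coreutils); the paths in the usage comment are placeholders, not locations the article specifies.

```shell
#!/bin/sh
# Added example, not rkhunter's own code: the hash-check idea the article
# describes, done by hand with a baseline file. Digests are recorded while the
# system is trusted (ideally right after installation, or from a live CD) and a
# later run reports anything that has changed or gone missing. It uses SHA-256
# via sha256sum (shasum -a 256 where coreutils is absent, e.g. macOS/BSD);
# rkhunter itself ships SHA-1 values for common system files.

# Prints "<digest>  <path>" for each file given, in the usual checksum format.
hash_files() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$@"
    else
        shasum -a 256 "$@"
    fi
}

# record_baseline BASELINE FILE...: write current digests of FILE... to BASELINE.
# The baseline must be stored somewhere an intruder cannot rewrite (read-only
# media or another host), otherwise it can simply be regenerated to match.
record_baseline() {
    baseline=$1
    shift
    hash_files "$@" > "$baseline"
}

# verify_baseline BASELINE: compare each recorded file with its current digest.
# Prints "CHANGED  <path>" or "MISSING  <path>" per finding and nothing for
# clean files. Always exits 0 so callers can count the lines it prints.
verify_baseline() {
    baseline=$1
    while read -r want path; do
        [ -n "$path" ] || continue
        if [ ! -f "$path" ]; then
            echo "MISSING  $path"
            continue
        fi
        have=$(hash_files "$path" | cut -d' ' -f1)
        if [ "$have" != "$want" ]; then
            echo "CHANGED  $path"
        fi
    done < "$baseline"
    return 0
}

# Usage (placeholder paths, assumed for this example): record once on a trusted
# system, then verify on every later scan.
#   record_baseline /media/readonly/bin.sha256 /bin/* /sbin/* /usr/bin/*
#   verify_baseline /media/readonly/bin.sha256
```

The weak point of any baseline is the baseline itself: if it lives on the same writable disk as the binaries, a rootkit that replaces a binary can rewrite the digest too, which is why rkhunter ships its known-good values rather than trusting the local system to supply them.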

To start a normal local scan, just run

# You might need "sudo" for root privileges
rkhunter -c

[Image: rootkits-rkhunter]

When it’s completed, you’ll be shown a summary with the results of your scan.

[Image: rootkits-rkhunter2]

Rootkit Hunter does create a log file by default, and saves it to /var/log/rkhunter.log.
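Both scans leave you with a log to read: the chkrootkit output you redirected earlier and /var/log/rkhunter.log. The following is an added example, not part of the original article, with two small filters that pull the positives out of the bulk of "not infected" and "[ OK ]" lines. The sample logs embedded in it are constructed for the demonstration (the INFECTED verdict, timestamps and paths are made up), and the wrapper that runs the real tools is only invoked when you call it.

```shell
#!/bin/sh
# Added example, not part of the original article: triage helpers for the two
# logs the article leaves you with, the chkrootkit output redirected to a file
# and rkhunter's /var/log/rkhunter.log. They pull the lines that need a human
# look out of the bulk of "not infected" / "[ OK ]" results. Every finding still
# has to be investigated by hand; both tools produce false positives.

# Constructed sample of chkrootkit output in its "Checking `name'... verdict"
# style; the INFECTED verdict is made up for this demonstration.
SAMPLE_CHKROOTKIT_LOG="ROOTDIR is \`/'
Checking \`amd'... not found
Checking \`basename'... not infected
Checking \`ls'... INFECTED
Checking \`login'... not infected
Searching for suspicious files and dirs, it may take a while... nothing found
Checking \`lkm'... chkproc: nothing detected"

# Constructed sample in the shape of rkhunter.log ("[HH:MM:SS] message");
# timestamps, paths and messages are made up for this demonstration.
SAMPLE_RKHUNTER_LOG="[10:02:11] Info: Starting test name 'system_commands'
[10:02:12] Checking /usr/bin/ls                      [ OK ]
[10:02:12] Checking /usr/bin/ps                      [ Warning ]
[10:02:12] Warning: The command '/usr/bin/ps' has been replaced by a script: /usr/bin/ps: POSIX shell script
[10:02:15] Info: Starting test name 'filesystem'
[10:02:16] Warning: Hidden directory found: /dev/.example-hidden
[10:02:20] Info: End date is Mon Jan  1 10:02:20 2024"

# Reads a chkrootkit log on stdin; prints "chkrootkit: <check>" for every check
# that came back INFECTED (chkrootkit's verdict for a positive match).
chkrootkit_positives() {
    grep 'INFECTED' | sed "s/^Checking \`\(.*\)'\.\.\. INFECTED.*/chkrootkit: \1/"
}

# Reads rkhunter.log on stdin; prints "rkhunter: <reason>" for each "Warning:"
# line, which is where rkhunter explains a [ Warning ] verdict. Timestamps are dropped.
rkhunter_warnings() {
    sed -n 's/^\[[0-9:]*\] Warning: \(.*\)$/rkhunter: \1/p'
}

# Runs both scanners non-interactively if installed (rkhunter --skip-keypress
# avoids the pauses between test groups, --report-warnings-only keeps the
# terminal output short), then triages the resulting logs. Needs root; it is
# not run automatically by this script.
run_and_triage() {
    log_dir=${1:-/var/log}
    if command -v chkrootkit >/dev/null 2>&1; then
        chkrootkit > "$log_dir/chkrootkit.log" 2>&1
        chkrootkit_positives < "$log_dir/chkrootkit.log"
    fi
    if command -v rkhunter >/dev/null 2>&1; then
        # rkhunter exits nonzero when it has warnings; that is not a script failure
        rkhunter -c --skip-keypress --report-warnings-only >/dev/null 2>&1 || true
        rkhunter_warnings < /var/log/rkhunter.log
    fi
}

# With no arguments, show the filters on the constructed samples.
if [ $# -eq 0 ]; then
    printf '%s\n' "$SAMPLE_CHKROOTKIT_LOG" | chkrootkit_positives
    printf '%s\n' "$SAMPLE_RKHUNTER_LOG" | rkhunter_warnings
fi
```

Read the filtered lines as a to-do list, not a diagnosis: a replaced binary that turns out to be a distribution-supplied wrapper script, or a hidden directory created by a legitimate package, is exactly the kind of false positive the next paragraph warns about.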

Be warned – both of these applications, as well as the “manual” method, may produce false positives. If you get a positive result, investigate it thoroughly before taking any action. Hopefully, one of these methods can help you identify a threat before it becomes a problem. If you’ve got any other suggestions for ways to detect nasty files or applications, please let us know in the comments below.

Image credit: rykerstribe