Detecting and Removing Rootkits
The main challenge in detecting well-designed rootkits is that users can't trust the kernel and operating system on which the rootkit is installed. This makes it difficult to identify rootkits by installing detection software directly on the affected operating system.
An experienced administrator can attempt to identify a rootkit by installing a packet sniffer on an unaffected machine on the same network and analysing the traffic sent to and from the machine that may have a rootkit installed. Looking at the local log files, or any other files on the system, will not always allow the administrator to detect an attacker using a rootkit, because the rootkit can delete the entries the attacker makes or modify the system files that would be used to display that information.
Another method of detecting rootkits is to boot from a live CD. This allows a user to trust the kernel and the software running from the Linux CD while investigating the files on the possibly affected computer for rootkits. There are also tools and programs for Linux that search for rootkits locally; however, these programs depend on the local ps command to find hidden processes, and a rootkit can replace that command with whatever the attacker chooses. Another problem with running detection tools locally is that the rootkit can detect and alter the security software on the compromised system.
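The dependence on the local ps command described above is why rootkit scanners use a cross-view check: the process IDs visible through /proc are compared with the IDs that ps reports, and a PID that /proc shows but ps does not is a candidate hidden process. The following is an added example written for this page, not code from the article or from chkrootkit or rkhunter; it assumes a Linux /proc layout, and the sample process listings at the bottom are constructed so the logic can be exercised without a rootkit present.

```python
"""Cross-view hidden-process check (added example, not from the original
article). Compares PIDs seen in /proc with PIDs reported by the userland
`ps` binary; anything in /proc that `ps` omits is reported. Two /proc
snapshots are taken so that processes which simply exited between the
reads are not mistaken for hidden ones."""
import os
import subprocess


def pids_from_proc(proc_root="/proc"):
    """Set of PIDs visible as numeric directory names under proc_root."""
    return {int(name) for name in os.listdir(proc_root) if name.isdigit()}


def probe_pids(proc_root="/proc", pid_max=None):
    """Probe /proc/<pid> for every candidate PID instead of trusting readdir.

    A rootkit that filters directory listings but not stat() calls still
    exposes hidden processes this way (the approach chkrootkit's chkproc
    takes). pid_max is read from the kernel when not supplied."""
    if pid_max is None:
        try:
            with open(os.path.join(proc_root, "sys/kernel/pid_max")) as f:
                pid_max = int(f.read())
        except OSError:
            pid_max = 32768  # assumption: default when the sysctl is unreadable
    return {pid for pid in range(1, pid_max + 1)
            if os.path.isdir(os.path.join(proc_root, str(pid)))}


def pids_from_ps(ps_output):
    """Parse the output of `ps -e -o pid=` (one PID per line)."""
    return {int(line) for line in ps_output.splitlines() if line.strip().isdigit()}


def run_ps():
    """Invoke the local ps binary; on a compromised host this may be trojaned."""
    result = subprocess.run(["ps", "-e", "-o", "pid="],
                            capture_output=True, text=True, check=True)
    return result.stdout


def hidden_pids(proc_before, ps_view, proc_after):
    """PIDs present in both /proc snapshots but absent from the ps view."""
    stable = proc_before & proc_after
    return sorted(stable - ps_view)


def scan(proc_root="/proc"):
    """Run the full cross-view check on the live system."""
    before = pids_from_proc(proc_root) | probe_pids(proc_root)
    ps_view = pids_from_ps(run_ps())
    after = pids_from_proc(proc_root) | probe_pids(proc_root)
    return hidden_pids(before, ps_view, after)


# Constructed sample data (assumption, not captured from a real host):
# PID 1337 is in /proc both times but never shown by ps; 4096 exited and
# 4097 started between the snapshots, so neither should be flagged.
SAMPLE_PROC_BEFORE = {1, 2, 128, 1337, 4096}
SAMPLE_PS_OUTPUT = "    1\n    2\n  128\n 4096\n"
SAMPLE_PROC_AFTER = {1, 2, 128, 1337, 4097}

if __name__ == "__main__":
    print(hidden_pids(SAMPLE_PROC_BEFORE, pids_from_ps(SAMPLE_PS_OUTPUT),
                      SAMPLE_PROC_AFTER))  # [1337]
    print(scan())
```

A result of `[1337]` from the sample data means the process view disagrees, which is a reason to investigate rather than proof of a rootkit; an empty result from `scan()` proves nothing when the kernel itself has been modified, since a kernel-level rootkit can lie to both /proc and ps consistently, which is exactly why the article recommends a live CD.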
Some tools and programs available for identifying rootkits and other malware on Linux systems include:
- Chkrootkit and rkhunter are tools that scan the local system for potentially malicious software, such as malware and viruses, that masks its existence on the system.
- Lynis is a command-line application that scans a local or remote system to help an auditor identify potential security issues.
- Linux Malware Detect (LMD) is a malware scanner that can be used to detect malware in shared Linux environments. It utilizes threat data from network edge intrusion detection systems to identify and extract malware that is actively being used in attacks and generates signatures for detection. This tool also derives threat data from user submissions and community resources.
Rootkits are designed to be very difficult to detect and remove. If a user finds a rootkit on their system, it can be extremely difficult to ensure that it has been removed. The only way to know that a rootkit is fully gone from a compromised system is to completely reinstall the system from trusted media. The integrity of any data on the system should be thoroughly investigated before it is restored.
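Both the live-CD investigation described earlier and the advice above to verify data integrity before restoring it come down to comparing the suspect filesystem against a trusted reference. The following is an added example, not code from the article or from any of the tools it lists: it hashes files under a root filesystem mounted read-only from a live CD and compares them with a manifest of SHA-256 digests recorded from a trusted source, reporting modified, missing and unlisted files. The manifest format and the directory names are assumptions, and the demo builds a constructed tree in a temporary directory so it runs anywhere.

```python
"""Offline integrity check for a root filesystem mounted from a live CD
(added example, not from the original article). A manifest of SHA-256
digests from a trusted source is compared with the mounted root."""
import hashlib
import os
import tempfile


def sha256_file(path):
    """SHA-256 hex digest of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root, paths):
    """Manifest text, one 'digest  relative/path' line per file (assumed format)."""
    return "".join(f"{sha256_file(os.path.join(root, p))}  {p}\n" for p in sorted(paths))


def parse_manifest(text):
    """Map relative path -> expected digest, ignoring blank and comment lines."""
    expected = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        digest, _, rel = line.partition("  ")
        expected[rel] = digest
    return expected


def verify_manifest(manifest_text, mount_root, watch_dirs=("bin", "sbin", "lib")):
    """Compare mount_root against the manifest.

    Returns modified files (digest differs), missing files (listed but
    absent) and unlisted files found under watch_dirs, all relative to
    mount_root. mount_root is expected to be a read-only mount of the
    suspect system's root made from the trusted live environment."""
    expected = parse_manifest(manifest_text)
    modified, missing, unlisted = [], [], []
    for rel, digest in expected.items():
        full = os.path.join(mount_root, rel)
        if not os.path.isfile(full):
            missing.append(rel)
        elif sha256_file(full) != digest:
            modified.append(rel)
    for d in watch_dirs:
        for dirpath, _, files in os.walk(os.path.join(mount_root, d)):
            for name in files:
                rel = os.path.relpath(os.path.join(dirpath, name), mount_root)
                if rel not in expected:
                    unlisted.append(rel)
    return {"modified": sorted(modified), "missing": sorted(missing),
            "unlisted": sorted(unlisted)}


def demo():
    """Constructed scenario: record a manifest from a clean tree, then alter
    the tree the way a compromise would show up, and verify."""
    root = tempfile.mkdtemp()
    clean = {"bin/ps": b"clean ps", "bin/ls": b"clean ls", "sbin/init": b"clean init"}
    for rel, data in clean.items():
        os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
        with open(os.path.join(root, rel), "wb") as f:
            f.write(data)
    manifest = build_manifest(root, clean)  # taken while the tree is trusted
    # Changes the check should catch: one binary altered, one removed, one added.
    with open(os.path.join(root, "bin/ps"), "wb") as f:
        f.write(b"altered ps")
    os.remove(os.path.join(root, "bin/ls"))
    with open(os.path.join(root, "sbin/unknown"), "wb") as f:
        f.write(b"not in manifest")
    return verify_manifest(manifest, root, watch_dirs=("bin", "sbin"))


if __name__ == "__main__":
    print(demo())
    # {'modified': ['bin/ps'], 'missing': ['bin/ls'], 'unlisted': ['sbin/unknown']}
```

The manifest must come from a source that was never exposed to the suspect system (package files or a fresh installation of the same version), and the check only answers whether files changed, not whether a change is malicious; it does not replace the reinstall from trusted media that the article calls for.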