The Hidden Threat: Analysis of Linux Rootkit Techniques and Limitations of Current Detection Tools
Article No.: 28, Pages 1 - 24
Abstract
This article addresses the significant threat posed by rootkits as part of the diverse malware landscape of today. Rootkits enable an attacker to regain access to an already comprised system at root-level making their prompt identification and removal crucial. However, rootkits implement advanced stealth features, enabling them to evade detection by conventional measures during analysis. Consequently, analysts generally rely on customized tools to detect the presence of a rootkit. However, our research highlights significant deficits in the tools available for the detection of rootkits on the Linux operating system, which is frequently encountered in investigations of server environments. Recognizing the need for improved awareness and capabilities among investigators, we conducted an in-depth analysis of 21 distinct Linux rootkits allowing us to dive into their techniques and features. Furthermore, we critically assessed the effectiveness of standard detection tools, revealing their limitations. Based on these insights, we propose best practices for investigators to effectively identify and detect signs of rootkit infections. Additionally, we provide a repository of indicators of compromise we extracted during our analyses to facilitate the detection of the analyzed rootkits on compromised systems along with a utility to detect rootkits via hidden files on a live system.
1 Introduction
Malware detection is not just a proactive task, it’s a critical component in the realm of Digital Forensics and Incident Response (DFIR) investigations. The ability to identify an existing threat is crucial, not only for devising future countermeasures but also as an important element in reconstructing events. This task, however, becomes particularly challenging when dealing with sophisticated malware types such as rootkits. A rootkit, generally deployed on a system that has already been compromised, grants the attacker root-level access. Its capabilities to mask itself by hiding processes, files, or network connections significantly hinders its detection in active, live systems. Moreover, insufficient understanding of rootkit techniques, and consequently the traces they leave, can further complicate their identification even during a thorough analysis of storage, memory, or network traffic.
For these reasons, this article aims to shed a light on the current state of rootkit detection, focusing on the Linux operating system as it is often encountered when dealing with server environments. Based on the results of an analysis of 21 Linux rootkits, we explain common techniques typical of Linux rootkits and present an overview of the features they implement. Subsequently, we introduce established methodologies for Linux rootkit detection and critically assess their effectiveness. In the course of our research, we have identified notable deficiencies in their capabilities. Building on these insights, we propose a set of best practices tailored for digital forensic analysts in the context of rootkit detection along with a set of indicators of compromise (IoCs) we extracted during our analyses. In summary, this work offers the following key contributions:
–
Detailing common techniques and features utilized by 21 distinct Linux rootkits to evade detection, based on an in-depth examination.
–
A critical assessment of existing Linux rootkit detection approaches, highlighting their strengths and weaknesses, and identifying significant gaps in their effectiveness.
–
The formulation of a set of best practices, based on our findings, designed to guide digital forensic analysts in the more effective detection of rootkits in Linux environments.
1.1 Related Work
Already in 2004, insights into Linux-based rootkits were provided by [1]. In his work, the author describes techniques implemented by user and kernel space rootkits as well as detection methods and countermeasures. While this work serves as a first step in this area, it is limited by the small size of rootkits analyzed. To further aid in their detection, Levine et al. propose a categorization for rootkits [4]. Though their work explains the basics of kernel level rootkits in detail, it focuses primarily on those targeting the system table in Linux. Furthermore, their work does not consider recent developments in this area, evident in their proposed kern\(\_\)check utility, which only supports Linux kernels 2.2.x and 2.4.x. Additionally, alternative methods for rootkit detection have been explored, such as leveraging hardware-assisted infrastructure to identify anomalies in intraprocess execution [9] or employing a lightweight hypervisor for filtering rootkit activities [5]. However, these proactive strategies are not typically suited for DFIR applications.
In 2011, Joy et al. provided an overview of various detection methods for rootkits in their study [3]. While offering valuable insights into rootkits and potential detection approaches, including host-based and virtualization-based methods, their discussion lacks depth in evaluating the effectiveness of these approaches. Another study focuses on the analysis of a variety of tools for rootkit detection specifically within forensic investigations [8]. The authors ultimately determine that the assessed rootkit detection tools demonstrate high effectiveness in identifying rootkits on live systems. While this research marks an important initial step toward establishing forensic readiness for rootkit detection, its age and the limited scope of only five rootkits evaluated necessitate an updated exploration.
Other research specifically focused on rootkit detection in the realm of digital forensics remains limited. One notable study addressed the challenge of rootkits concealing themselves within memory forensics [7]. The authors developed an algorithm to locate paging structures in x86 system memory images. These structures, which are used by processes to define their address space, can be leveraged to extract a complete process list from memory, potentially revealing hidden processes, including rootkits. Another significant contribution was made in the field of live system analysis [6], where a detection system was proposed to identify discrepancies in userspace utility outputs, aiding in the discovery of hidden process IDs or files. Although this approach shows promise, its efficacy in userspace is somewhat constrained due to the limited scope of rootkits examined and does not incorporate findings from other analyses, such as storage analysis. In the realm of memory forensics, Case et al. provide an approach for detecting kprobe, ftrace, and Extended Berkley Packets Filters (eBPF)-based hooks using their own custom Volatility plugins [2]. While the article provides valuable insights, it does not include a thorough assessment of the plugins discussed in relation to actual rootkits. Additionally, we were unable to obtain the plugins for our own analysis during the preparation of this article since they were not publicly released.
Our findings suggest that prior research has predominantly concentrated on rootkit prevention, rather than detection, as required in DFIR contexts. Furthermore, a considerable amount of the literature in this domain is now outdated. Consequently, there’s a notable absence of established guidelines for analysts to detect these hidden threats. To address this, the following sections will detail common rootkit techniques and features identified in our analysis.
2 Rootkit Techniques
This section explains specific Linux operating system structures in the context of rootkits. These underlying concepts are essential in understanding how rootkits can manipulate the system state presented to the user and are thereby essential in constructing effective detection approaches.
2.1 Protection Domains
Like most modern operating systems, Linux implements multiple so-called “protection domains,” which define and control the access programs have to specific system resources. This hierarchical structure is often visualized as concentric rings, with the highest privileged domain in the center. The outermost ring (3) is commonly referred to as the user space while the three inner rings (0–2) form the kernel space. Communication between these domains is carried out via well-defined interfaces. The inner domains and the interfaces to them will usually dictate what information is passed on to the outer domains. Rootkits can abuse this hierarchical flow of information to alter the system state presented to the user.
Inside this structure, rootkits may be classified by three characteristics: Which domain they choose to reside in, how they assert their control in the chosen domain to change information flowing through it, and what specific changes they perform on the information. The following sections will deal with the first two characteristics, explaining the two primary domains rootkits may reside in on a Linux system and how they can insert themselves into control sequences inside these domains to manipulate information.
2.2 User Space Rootkits
The user space is the least privileged domain. Here is where user applications and libraries reside.
2.2.1 Application-Level Rootkits.
Application-level rootkits, as the name suggests, directly target system applications responsible for outputting status information to the user (e.g., ls, ps). They replace the binaries of these programs with manipulated versions, which can be configured to filter certain information or perform other actions. Since this will only affect those specific programs and may easily be detected using integrity-based scans, application-level rootkits have become very rare.
2.2.2 Dynamic Linker Rootkits.
Nowadays, dynamic-linker-based rootkits are much more common in the user space. While essentially targeting the same applications, these rootkits aim to manipulate the dynamically linked libraries (e.g., libc) used by those applications. They attempt to insert their own libraries in the dynamic linker’s load order, with a higher priority than the libraries the application intends to load. By mirroring the functions’ signatures in the original library, the rootkit effectively replaces them while keeping the original functions for later usage. In their versions of these functions, the rootkits usually call the originals, change their output depending on the attacker’s needs, and then return the manipulated information to the user. The most common method of inserting one’s library into the dynamic linker’s load order is abusing the LD\(\_\)PRELOAD environment variable. Shared object files specified in this variable are considered by the dynamic linker with increased priority. Without additional concealment, these malicious libraries may be discovered using a tool like ldd.
2.3 Kernel Space Rootkits
The kernel space sits “below” the user space and forms a bridge to the underlying hardware. The Linux kernel is responsible for process scheduling, memory management, networking, virtual file systems (VFS), and more.
2.3.1 Loadable Kernel Modules (LKM) and eBPF.
The first step for any kernel space rootkit is getting its code to run inside the kernel. Almost all analyzed rootkits achieve this by loading themselves as LKM. These modules are designed to be used by developers to expand the monolithic Linux kernel at runtime. Loading an LKM requires elevated privileges. Since LKMs can be disabled by the user, older rootkits like SuckIt attempt to inject themselves into the kernel by using the direct memory interface /dev/kmem. However, this device is no longer exported on current Linux versions. Modern rootkits have also begun to explore the capabilities of eBPF as an alternative to LKMs. eBPFs serve a similar purpose as LKMs but offer advantages like higher stability and prebuild hooks for system calls and low-level network access (XDP). Loaded LKMs are hidden from the user by deleting the corresponding entry from the linked list inside the kernel that holds all loaded modules, which is exported via /proc/modules. Some rootkits will additionally delete or hide the kernel object reference of the module under /sys/module.
2.3.2 System Calls and Interrupts.
System calls are the primary communication interface between user space and kernel space. These special functions allow applications to interact with the kernel and receive crucial system information. A system call can be broken down into the following steps:
(1)
The application defines the desired system call and prepares all required arguments.
(2)
The sysenter/syscall instruction or interrupt 0x80 from the interrupt descriptor table (legacy) is triggered, and the CPU switches into kernel mode.
(3)
A handler processes the system call and the corresponding function pointer from the system call table is chosen.
(4)
The system call function is called, and return values are passed back to the calling application.
The analyzed rootkits all use one of the following five attack vectors to insert themselves into this sequence and manipulate information presented to the user via system calls:
–
Replace function pointers in the system call table.
–
Replace the entire system call table by modifying the interrupt handler.
–
Insert an unconditional jump operation at the start of a system call to a different function.
–
Use the ftrace framework to catch execution and redirect to a different function.
–
Use prebuilt eBPF hooks (eBPF only).
2.3.3 VFS.
The Linux VFS is an additional abstraction layer above the actual file system on the drive. It allows for managing multiple separate file systems and implementing distinct behaviors for interacting with files in those different systems. The VFS also enables the creation of pseudo-files, which do not hold data in a traditional sense but instead form interfaces with corresponding handler functions in the kernel. Accessing (e.g., reading or writing) pseudo-files triggers those handlers. An example of such a file is /proc/modules, which outputs all loaded LKMs when read. File systems the analyzed rootkits commonly target are the rootfs (/), procfs (/proc), sysfs (/sys), and devfs (/dev). They hook functions from these file systems to manipulate their output, and through that, the files that are presented to the user and the information that can be read from them.
2.4 Persistence
Most rootkits will have to implement some kind of persistence mechanism to survive potential system reboots. Not all rootkits offer such mechanisms out of the box and leave this task to the attacker. The following are a few examples utilized by the analyzed rootkits.
Application-level rootkits are already persistent by design since they directly replace application binaries. Dynamic linker rootkits using LD\(\_\)PRELOAD mostly use the file /etc/ld.so.preload, which has the same effect as setting the environment variable, just system-wide and persistent. Kernel space rootkits will generally have to find a way to have their LKM loaded into the kernel at system startup. One option can be adding an entry to /etc/modules or /etc/modules-load.d/, which is the intended method of loading LKMs during startup. Rootkits may also use many other methods of persistence, which are not exclusive to rootkits or malware in general. Those could include scripts in cron, systemd, SysVinit, Upstart, or udev.
3 Rootkit Functionality and Landscape
In order to get an overview of the current Linux rootkit landscape, we conducted an in-depth analysis of 21 modern rootkits, including 7 user space and 14 kernel space variants. Our study revealed a core set of functionalities shared by these rootkits. This section highlights these common features and the methods by which they are implemented.
3.1 Methodology and Landscape
Table 1 gives an overview of the analyzed rootkits and illustrates the primary features they implement. These feature categories will be explained in the following sections. The table is divided into user space (top) and kernel space (bottom) rootkits. The rootkits were chosen either because of their popularity or interesting/unique features they implement. They cover a wide spectrum of functionality and techniques to properly challenge detection approaches and provide a comprehensive evaluation. We mostly used working versions of the rootkits. Due to the wide range of rootkits, implemented features, and differing release dates, it was not possible to run all samples under the same kernel version. While new features and security measures were added to the kernel between versions, we do not believe these changes alter the detection results of the tools evaluated in this article. We did, however, not use any version which was no longer officially supported as of the writing of this article (\({\lt}\)4.14). In some exceptions, a working version was not available or the required kernel version too old. In these cases, we based our evaluation on an in-depth analysis of the source code of the rootkit or a sufficiently technical and detailed write-up, as in the case of the Russian Dovorub rootkit. These rootkits are marked with alphabet (a) in the following table. Rootkits, where no working version, source code, or detailed analysis report was available, were excluded from our study due to lack of confirmability.
Table 1.
| Name | Year | FH | PH | NH | LPE | Backdoor | Hook | Persistence |
|---|---|---|---|---|---|---|---|---|
| Jynx2a | 2012 | ✓ | ✓ | ✓ | ✓ | Accept | LD_PRELOAD | ld.so.preload |
| Azazel | 2014 | ✓ | ✓ | ✓ | ✓ | Accept, PAM | LD_PRELOAD | ld.so.preload |
| BEURK | 2015 | ✓ | ✓ | ✓ | ✗ | Accept | LD_PRELOAD | ld.so.preload |
| Zendar | 2015 | ✓ | ✗ | ✗ | ✓ | /etc/passwd | LD_PRELOAD | ld.so.preload |
| Umbreon | 2016 | ✓ | ✓ | ✓ | ✓ | PAM, ICMP | LD_PRELOAD | ld.so.preload |
| bedevil | 2019 | ✓ | ✓ | ✓ | ✓ | Accept, ICMP, PAM | LD_PRELOAD | New preload file |
| Father | 2020 | ✓ | ✓ | ✓ | ✓ | Accept | LD_PRELOAD | ld.so.preload |
| SuckITa | 2001 | ✓ | ✓ | ✓ | ✓ | New user | Interrupt descriptor table | ? |
| Diamorphine | 2013 | ✓ | ✓ | ✗ | ✓ | ✗ | System call table | ? |
| Knarka | 2013 | ✓ | ✓ | ✓ | ✓ | UDP-Receive | System call table | ? |
| adore-nga | 2014 | ✓ | ✓ | ✓ | ✓ | ✗ | VFS handlers | ? |
| Puszek | 2016 | ✓ | ✓ | ✓ | ✗ | ✗ | System call table | ? |
| Reptile | 2017 | ✓ | ✓ | ✓ | ✓ | IP-Receive | KHOOK | Udev rule |
| LilyOfTheValley | 2017 | ✓ | ✓ | ✗ | ✓ | ✗ | Jump hooks in VFS handlers | ? |
| Nuk3Gh0st | 2018 | ✓ | ✓ | ✓ | ✓ | User space process | Jump hooks in system calls and VFS handlers | SysVinit, Systemd, Upstart |
| Honey Pot Bears | 2019 | ✓ | ✓ | ✗ | ✓ | New user | System call table | ? |
| Umbra | 2021 | ✓ | ✗ | ✗ | ✓ | Netfilter | Ftrace callbacks | ? |
| TripleCross | 2021 | ✓ | ✗ | ✓ | ✓ | XDP | eBPF | Cronjob |
| Reveng_rtkit | 2022 | (✓) | ✓ | ✗ | ✓ | ✗ | System call table | ? |
| Boopkit | 2022 | (✓) | ✓ | ✗ | ✓ | XDP | eBPF | ? |
| Drovoruba | N.A. | ✓ | ✓ | ✓ | ✓ | WebSockets | N.A. | /etc/modules |
Table 1. Linux Rootkit Landscape and Primary Features
FH, File hiding; LPE, Local Privilege Escalation; NH, Network hiding; PAM, Pluggable Authentication Modules; PH, Process hiding.
(\(\checkmark\)) Exclusively for hiding processes.
? The choice is left to the attacker. E.g. /etc/modules.
aAnalyzed but not tested.
The landscape presented shows how new rootkits are developed and released every year, proving the ongoing need for capable detection solutions.
3.2 Functionality
The following subsections present the core functionalities identified in our study.
3.2.1 Data Hiding.
Hiding files and directories from the user of a system is arguably the most critical function that rootkits implement. It prevents the user from visually identifying malicious files and is directly intertwined with other functionality the rootkit has to implement. The specific implementation of the mechanism to hide files depends on the domain in which the rootkit is operating. However, it comes down to filtering certain files from data structures, which are output via command line tools like ls. Application-level rootkits will attempt to manipulate these tools directly by replacing them with tampered versions. In contrast, library- and kernel-level rootkits will target functions and system calls responsible for listing directory contents and interacting with files. This could, for example, include functions like sys\(\_\)getdents, readdir, or fopen. Which files to filter from the output is usually determined by one or more of the following methods: The rootkit may check filenames for predetermined substrings or prefixes, it may look for files belonging to a particular user or group, or it may simply hold a list of specific file paths. Some rootkits will also adapt their behavior depending on the current user or group. This allows them to hide files for most users while still granting the attacker access. The example in Listing 1 is from the user space rootkit Father and demonstrates how such a filter function may be implemented.
First, the rootkit function uses the same signature as the libc function it is trying to replace (l. 2). It also attempts to acquire a function pointer to the original function by searching for its next occurrence in the dynamic linkers load order (l. 4). If the current user has the magic Group Identifier (GID), the output of the original function is returned without modification (l. 6-7). Otherwise, file names with a prespecified prefix or the rootkit library itself are filtered from the output before returning (l. 11-12).
3.2.2 Process Hiding.
Every running process on a Linux system maintains a directory under /proc named after the process identifier (PID). Tools like ps enumerate active processes by walking through these directories. Therefore, a rootkit may conceal its processes from these programs by hiding the corresponding directories through methods described in the previous chapter. Since directories usually inherit the group of the creating user, a rootkit may automatically hide processes created by a specific group. Some rootkits go a step further and also manipulate functions like sys\(\_\)kill or find\(\_\)task\(\_\)by\(\_\)vpid, which could be used to interact directly with running processes using their PID.
3.2.3 Connection Hiding.
Tools like netstat enumerate active network connections by reading from interfaces under /proc/net. Depending on the domain they operate in, rootkits may either manipulate the functions that read from these interfaces or the corresponding handler functions in kernel space. Since most rootkits utilize Transmission Control Protocol (TCP) connections, common targets are the /proc/net/tcp interfaces and the tcp\(\_\)seq\(\_\)show handler functions. Inside these functions, the entries belonging to the rootkits’ connections are filtered out, making them invisible in the abovementioned tools. Listing 2 is a sample from the user space rootkit bedevil and shows the part of rootkits fopen routine responsible for determining if the output of an opened file should be filtered. The custom forge\(\_\)procnet function removes all entries belonging to local or remote ports inside a prespecified range.
A few analyzed rootkits even attempted to filter their connections from certain libpcap library functions. If implemented correctly, this hides the rootkits’ packets from locally running packet analyzers like Wireshark. However, neither technique can hide packets from being captured on external, uninfected network nodes.
3.2.4 Backdoors.
Most rootkits implement a mechanism that allows the attacker to reestablish their control over an infected system at a later time. We divide these backdoors into three broad categories.
Trigger backdoors hook themselves into various functions, which are called when a network connection is established with a Linux system (e.g., sys\(\_\)accept). They then use these hooks to wait for packets with certain properties, like having a specific remote port. Upon receiving such a packet, they open a (reverse) shell for the remote host. An example of this was found in the userspace rootkit Father, which employs an accept-based backdoor mechanism. This method involves waiting for a connection from a predefined port to trigger the backdoor routine. This routine spawns a new subprocess and authenticates the user via a simple password check. If sufficient privileges are available, it sets the GID of the subprocesses to a magic value. Subsequently, it links the IO streams of the remote connection and launches a Bash shell.
Command-and-Control backdoors, on the other hand, do not await outside commands but instead try to establish a connection to a remote server at regular intervals. They will then fetch instructions from these servers to execute on the infected system.
Authentication backdoors seek to create new (pseudo) users by manipulating functions responsible for user authentication or by adding new entries to /etc/passwd. Most rootkits will target functions in the Pluggable Authentication Modules (PAM), which are responsible for verifying a user’s identity by requesting a password or similar secret from him. These functions are manipulated to return a successful authentication for a specific set of credentials specified by the attacker beforehand. This pseudo user is then used to authenticate against services like ssh (if configured to use PAM) and gain a remote shell. Listing 3 exemplifies how the rootkit bedevil hooks the PAM authentication to insert a pseudo user.
The function waits for a user with a predefined username to authenticate (l. 3). It then prompts the user for an encrypted password (l. 8-14) and returns a successful authentication if the password is correct (l. 16). This custom routine lets attackers authenticate with a special username not registered on the system.
3.2.5 Local Privilege Escalation.
All analyzed rootkits require elevated privileges on the target system for installation. The following techniques should be seen more as a way to “grant” privileges to other processes from an already privileged standpoint rather than an “escalation” of privileges.
User space rootkits will attempt to call the setuid or setgid functions from within a target process to change the permissions of that process. To achieve this, the rootkits abuse programs like sudo, which have the necessary privileges to call the functions above. They will hook frequently used libc functions (e.g., open or access) which are used by these programs and run setuid and setgid inside of them. To make this more stealthy, rootkits will usually implement some condition that must be met for these functions to be executed (e.g., a specific environment variable). Otherwise, any user running sudo will have their privileges elevated unexpectedly.
Kernel space rootkits will hook themselves into any system call, usually sys\(\_\)kill, since it is easy to call from a shell and create a new set of credentials from within the function. That credential set is then configured with the desired privileges and committed. This will cause the credentials of the calling process to be replaced by the newly created ones. Again, this routine usually requires some condition to be met before execution (e.g., a specific signal number).
3.2.6 Additional Functionality.
Furthermore, we encountered additional antidetection features in some of the analyzed rootkits. The following is not a comprehensive list but provides a good overview of potential features.
–
Catch detection processes: Some user space rootkits hook the libc function execve to catch the execution of specific detection tools like rkhunter or unhide. They attempt to unload their libraries for the duration of the execution and reinsert themselves afterward.
–
Manipulate logging: Logs, especially those created by supposedly hidden processes, can unveil a rootkit’s activities. For this reason, some rootkits manipulate log files or hook functions responsible for writing logs to prevent hidden processes from creating them in the first place.
–
Spoof process maps: The mappings of a process found under /proc/<pid>/maps can be utilized to enumerate shared objects used by that process. It could, therefore, be used to find malicious libraries belonging to user space rootkits. Some rootkits will remove their entries when /proc/<pid>/maps is being read to prevent this.
–
Patch preload file path: Reading the preloaded libraries from /etc/ld.so.preload can result in a rootkit’s libraries being discovered. For this reason, most user space rootkits will attempt to hide this file from the user. A potentially less conspicuous method is to patch the dynamic linker’s binary and have it use a different file path for preloading.
4 Detection Tools
This section provides an overview of available rootkit detection tools for Linux. Not all of them have been specifically designed to be used against rootkits, but all offer some functionality that may be used for this purpose. The following are all utilities to be installed onto the infected system to conduct live scans.
4.1 rkhunter
Arguably the most well known of the presented tools, rkhunter was first released in 2003 and has received updates until 2018. It offers a wide variety of different submodules, which may be used independently or in unison. Some of these modules require the user to have generated an integrity database before the infection. rkhunter includes modules to check for the integrity of critical system applications, known rootkit paths and kernel symbols, known persisted LKMs, network sniffers, suspicious processes, preloaded libraries, changes in user/group privileges, and many more.
4.2 chkrootkit
chkrootkit was initially released in 1997 and is frequently updated until today. It consists of three primary utilities: The first (chkrootkit) searches for artifacts of known rootkits (e.g., file paths or strings). The second (chkproc) uses a brute force method, in which it iterates through all possible process IDs and attempts to access their entries in the procfs. If an entry is accessible, but its corresponding process does not appear in the outputs of ps, it might be hidden by a rootkit. The third utility (chkdir) iterates through the file system and searches for directories with an anomalous number of hard links. Many rootkits hide directories but do not modify the number of hard links pointing to the parent directory. So, a hidden directory might be present if the number of hard links does not match the number of visible subdirectories. Additionally, chkrootkit offers multiple tools for log file verification and a script to check for promiscuous network adapters.
4.3 Unhide
Unhide is a forensic tool to unveil hidden processes and network connections. Its most recent version is from January 2021. Unhide’s hidden process scan supports multiple modes, which all function by iterating through the number of available process IDs and interacting with these IDs in different ways. This may include accessing their directories in the procfs or attempting to use them in different functions and system calls. The list of responsive IDs is then matched against the outputs of ps to reveal potentially hidden processes. The hidden network connection scanner follows a similar approach: Unhide attempts to bind itself to all possible port numbers. If a binding is unsuccessful, meaning the port is already in use, it verifies if the corresponding connection is shown in tools like netstat or ss. Should this not be the case, a rootkit might hide the connection.
4.4 AIDE and Tripwire
Tripwire allows an administrator to create a highly customizable snapshot of a Linux system, which can later be used to detect malicious changes to this system. Since the open source development of Tripwire stopped in 2018, the Advanced Intrusion Detection Environment (AIDE) has become its successor (current version from June 2023). Like the integrity checks performed by rkhunter, AIDE requires the victim to have proactively generated an image before infection. This image must have also been protected against manipulation by separating it from the system or encryption. Files must be visible for AIDE to interact with them.
4.5 OSSEC and Wazuh
OSSEC and its fork Wazuh are intrusion detection systems that guard endpoints against attacks. They both offer the same rootkit scanner called Rootcheck and are identical in their anti-rootkit capabilities. The most recent version of OSSEC was released in January 2022. The full rootkit check consists of seven stages, including checks for known paths, strings, and devices, a slightly simplified version of Unhide’s process and port checks, and inspection of certain file permissions and network interfaces.
4.6 ClamAV
ClamAV is a general-purpose malware scanner (primarily for Linux systems) initially published in 2001. It is currently maintained and regularly updated by Cisco. Malware is detected by scanning directories and comparing found files with an extensive signature database. This comes with the apparent limitation of only being able to detect already known malware and only if their files can be accessed.
4.7 Linux Kernel Runtime Guard (LKRG)
LKRG is a mostly proactive utility designed to detect exploits and integrity violations inside the Linux kernel. Its newest version was published in Juli 2023. LKRG is loaded into the kernel as an LKM. Its primary function is to validate the integrity of various kernel structures against a previously generated hash database. In addition, it performs various checks for potential kernel exploits. This includes the verification of credential structures to detect processes with illegitimately elevated privileges, as well as a comparison of the kernel modules exported via /proc/modules and the list of kobjects in /sys/module. Discrepancies between these two structures may point to modules hidden by a kernel rootkit.
5 Evaluation
The detection tools were tested against the previously collected and analyzed set of rootkits to evaluate their effectiveness.
5.1 Environment and Methodology
All detection tools were evaluated in a virtualized environment and a contained network. Depending on the available rootkit features (e.g., backdoors), an additional system was added to the network to simulate the attacker. After each rootkit evaluation, the virtual machine was fully reset. Depending on the rootkit’s age, either Ubuntu 22.04.2 LTS or 14.04.6 LTS was used as the operating system. No additional software was installed on the machines besides the rootkit, the detector, and their dependencies. The following sections detail how each tool was set up and under which constraints it was run.
rkhunter was downloaded from its SourceForge repository. Some of rkhunter’s modules utilize other tools like Tripwire or Unhide. These were not used during our evaluation to accurately assess rkhunter’s standalone capabilities. Besides that, rkhunter was run using its default configuration.
chkrootkit was compiled from source. Besides running the chkrootkit main utility, chkdir was also run independently against the system’s root directory (recursively). This produced significant numbers of false positives from inside the /proc directory, prompting us to filter the directory from the output. Because of this, chkdir is, for example, capable of detecting Reptile’s install directory under /reptile, but not Knark’s install directory /proc/knark.
Unhide was also compiled from source. The sub-utilities unhide-linux and unhide-tcp were run at least once using each available detection-mode. Note, that unhide-tcp, contrary to what its name might suggest, also detects hidden User Datagram Protocol (UDP) ports.
AIDE was installed via the apt package manager. The integrity database was generated using AIDE’s default configuration. After installing the rootkits, the new system state was compared to this snapshot. It is important to note that, depending on the time which has passed between generating the database and using it to check for changes, AIDE may produce large outputs, especially on a busy system. Interpreting these outputs and identifying malicious changes does require some experience. We primarily looked for changes to /etc/ld.so.preload, /lib/ld.so, /etc/passwd and /etc/shadow as well as new files which could be associated with known rootkits.
OSSEC was installed in a Server/Agent configuration following the official installation guide. The rootcheck module is run repeatedly in prespecified intervals. It is also executed as part of the agent’s installation procedure. The outputs were viewed on the server’s Web interface.
ClamAV was installed via apt and its malware signatures were updated using freshclam. It was then run recursively against the system’s root directory. ClamAV directly outputs infected files. Out of interest, we also looked into the scanning logs and noticed that in the instance of one rootkit (Father), an error occurred, when ClamAV attempted to scan one of the files manipulated by the rootkit. After some consideration, we decided to not count this as a successful detection, since it is not part of the tool’s regular output and was found coincidentally.
LKRG was compiled from source and its LKM was loaded into the kernel. This automatically generates the integrity database. The outputs of LKRG were read directly from the system’s kernel logs.
A “successful detection” includes all anomalous behavior that is not present on an uninfected system. A detection tool does not necessarily have to identify the threat as a rootkit or by a specific name for the detection to be counted as such. One rootkit (Puszek) caused a few tools to crash when scanning its files. We decided to count this as a successful detection. All utilities were also run at least once on a clean, uninfected system to determine their proneness for outputting false positives.
5.2 Simulated Scenarios
Some detection methods depend on certain rootkit features being active or previously collected data (see Table 2) being available. To most accurately assess the effectiveness of the tested detection tools, we divided the evaluation into four distinct scenarios based on two criteria:
Table 2. Certain Requirements for Rootkit Detection Tools
Table 2.
| Tool | Required data/knowledge |
|---|---|
| rkhunter | Integrity image of critical files, known file paths, known strings, known kernel symbols |
| chkrootkit | Known file paths, known strings |
| Unhide | - |
| AIDE | Integrity image of the file system, known file paths |
| OSSEC | Integrity image of critical files |
| ClamAV | Malware signatures |
| LKRG | Integrity image of critical kernel structures |
S1:
The rootkit has been installed, and no additional features have been enabled. The detector does not have access to previously collected data or knowledge.
S2:
The rootkit has been installed, and no additional features have been enabled. The detector does have access to previously collected data or knowledge.
S3:
All additional features available to the rootkit have been enabled. The detector does not have access to previously collected data or knowledge.
S4:
All additional features available to the rootkit have been enabled. The detector does have access to previously collected data or knowledge.
For this evaluation, “all additional features active” means: If the rootkits implements a backdoor, an active connection is established to it from a separate system. If the rootkits offer process hiding capabilities, at least one hidden process is created. If the rootkit implements arbitrary file hiding, at least one file and one directory is hidden. If the rootkits offers local privilege escalation, at least one process has its privileges elevated using it.
Table 2 shows the previously collected data and knowledge required by the tools for some or all of their detection approaches to function.
5.3 Results
As shown in Table 3, the results indicate that separating the evaluation into these scenarios was sensible. Many tools fail if the rootkit has only been installed and not all its features are active. Some are also heavily dependent on proactively obtained data, whether in the form of known file paths, integrity images, or special expertise. Tools like AIDE or rkhunter become almost entirely unusable without such data. Others like LKRG lose a significant number of detections, but can still find some rootkits using alternative means. Approaches exclusively covering kernel space or user space rootkits naturally fail at covering the entirety of the evaluated samples.
Table 3.
| Tool | Just installed | With features | ||
|---|---|---|---|---|
| S1 | S2 | S3 | S4 | |
| rkhunter | 0% | 33.3% | 4.8% | 38.1% |
| chkrootkit | 23.8% | 33.3% | 95.2% | 95.2% |
| Unhide | 4.8% | 4.8% | 71.4% | 71.4% |
| AIDE | 0% | 42.9% | 4.8% | 47.6% |
| OSSEC | 14.3% | 33.3% | 85.7% | 90.4% |
| ClamAV | 0% | 0% | 4.8% | 4.8% |
| LKRG | 28.6% | 57.1% | 52.8% | 57.1% |
Comprehensive evaluation results, covering all scenarios, rootkits, and detection tools, along with the methods used for successful detection, are detailed in the appendix.
6 Forensic Analysis and Detection
As demonstrated in the previous section, the efficiency of tools tailored for rootkit detection shows significant shortcomings. For this reason, the following section will provide a series of best practices based on the results and experience gained, which can be used in the forensic analysis and detection of Linux rootkits.
Our analysis has shown that rootkits can manipulate almost any information presented to the user. Because of this, the output of tools running on a potentially infected live system must be used with caution. Conducting dead forensic analysis where possible can be a way to circumvent this issue.
This section is divided into three categories that present detection approaches using storage, network, and memory forensics.
6.1 Storage Forensics
All analyzed rootkits implement mechanisms to hide files from the system user. However, these techniques are based on hooking functions, manipulating their output, and removing files from tools that list directory contents. None of the analyzed rootkits actually makes changes to the file data on the drive itself.
Knowing this, an important step in a forensic analysis is to directly parse the file system on the potentially infected drive. This can either be done live by using a tool like the Sleuth Kit or dead by copying the drive and mounting the image read-only on a separate, uninfected system. The latter may not always be possible due to resource and time limitations, but comes with the advantage of being immune to potential rootkit interference. However, none of the rootkits analyzed in this article implements measures against directly parsing the file system on a live system.
The challenge now is to identify the files belonging to the rootkit. This task can be approached in two ways, in addition to a fully manual file-by-file analysis. The first is to search the image for known IoCs. These could come in the form of file paths, signatures, or YARA rules. In theory, preexisting malware solutions might be used for this as well. ClamAV, however, offers insufficient signatures for the tested rootkits. For the 21 rootkits analyzed in this article, we extracted a set of IoCs, which can be used for their detection. Table 4 provides a brief overview; the full dataset is available in the accompanying GitHub repository for this article.
Table 4.
| Files | Strings | Network |
|---|---|---|
| /tmp/silly.txt /lib/selinux.so.3 rk.so | Enjoy the shell! lpe_drop_shell falsify_tcp lobster | Default rport: 54321 Unencrypted bash shell |
| /XxJynx/jynx2.so /XxJynx/reality.so autokitter.sh | XxJynx Bump with shell.\n | Default ports: 41–43 SSL encrypted |
| /reptile/reptile […] /lib/udev/reptile reptile_module.ko | khook_sys_kill khook_vfs_read hook_tcp4_seq_show reptile_init reptile_exit | Default rport: 666 Default lport: 4444 |
This approach comes with the obvious drawback that one can only find known rootkits. The second approach is more generic and focuses on finding differences between the files on the drive image and those on the live system. Finding a file on the drive that is not present on the live system could be a sign that a rootkit is hiding the file. There might be edge cases, if there is a significant time difference between the drive image acquisition and the comparison with the live state. Figure 1 illustrates an example, in which a directory belonging to the Reptile rootkit is visible in Autopsy, but not when listing the same parent directory on the infected system.
Fig. 1.
To make the employment of this technique more efficient and feasible in a real-world scenario, we have developed a utility based on The Sleuth Kit3 by Brian Carrier, which automates this process as shown in Listing 4. This tool has already proven its effectiveness by identifying an undisclosed rootkit in a practical setting. It will be made available concurrently with the publication of this article.
Additionally, if the hidden file is a directory, its presence may also be detected using the hard link method utilized by chkrootkit. Counting the directories in Figure 1 (23) and comparing them with the number of hard links pointing to the directory (24) one notices that a directory seems to be missing. However, this method relies on the rootkit not manipulating this number and should be used with caution and only as an additional test. It can also only detect the presence of a hidden directory inside a parent directory, but never its name.
6.2 Network Forensics
As shown in Table 1, 14 of the analyzed rootkits implement network hiding capabilities. Similarly to the file-hiding functionality of most rootkits, network connection hiding is also based on hooking and manipulating functions on the live system. Therefore, these changes can only affect the output of tools running on the infected system. Software running on a separate network node will be able to see all untainted traffic. Again, the challenge is identifying packets as part of a rootkit’s network traffic. The first approach is to manually analyze the packets and look for suspicious indicators. A rootkit backdoor may, for example, utilize an open Secure Shell (SSH) port but send unencrypted data through it. Figure 2 is an example of such traffic in Wireshark.
Fig. 2.
In other cases, the packets may contain custom protocols or keywords that may be attributed to known rootkits. This kind of detection, however, falls into the category of general malware/anomaly detection and is not specific to rootkits. The repository linked above still contains a selection of network IoCs for some of the analyzed rootkits to aid this task. The second and more generic approach would be comparing the connections visible on separate network nodes with those visible on the infected system. The difference may reveal connections hidden by a rootkit. Figure 3 shows an open connection belonging to the Father rootkit captured on a MITM proxy, which at the same time is not visible in netstat on the receiving system. Full packet captures are not necessary for this kind of comparison, a Netflow or similar providing metadata is sufficient.
Fig. 3.
In practice, timing these comparisons can be challenging, especially if the rootkit only communicates for short intervals. Another method to detect hidden connections on a live system is the one already implemented by Unhide and OSSEC/Wazuh. They iterate through all 65,535 possible network ports for the TCP (6) and the UDP (6) and attempt to bind themselves to each of them. If the binding fails, meaning the port is already in use, they check the output of netstat or ss to verify if the connection is visible and if not, report it as potentially hidden. While successful in some cases, this method struggles if a rootkit (e.g., Father) utilizes a constantly listening network service, like an SSH client, since the port will be blocked regardless of whether an active connection has been established or not. Overall, this technique is able to detect connections of 6 out of the 14 rootkits implementing network hiding capabilities.
6.3 Memory Forensics
Eighteen of the analyzed rootkits perform process hiding, and almost all of the analyzed kernel rootkits manipulate kernel structures to either hook functions or hide their modules. Investigators can detect these by analyzing memory images from an infected system.
The first hurdle of memory analysis is to acquire an image of the infected system’s memory. If the system is virtualized, the image can be created from the outside without issues. On a bare-metal system, the image has to be created live using a tool like LiME. None of the analyzed rootkits implement functionality to intercept this process. However, caution is warranted since the data is collected on the infected system. Future rootkits may attempt to exploit this.
Afterward, the image can be analyzed on a separate system using advanced analysis tools such as Volatility. Volatility already offers a multitude of plugins, which are specifically tailored toward detecting anomalies caused by rootkits. The first set of plugins may be used to verify the function pointers of system calls (linux\(\_\)check\(\_\)syscall), interrupt handlers (linux\(\_\)check\(\_\)idt), vfs file operations (linux\(\_\)check\(\_\)fop), and network handler functions (linux\(\_\)check\(\_\)afinfo). If one of them no longer points into the core kernel text, it is marked as being HOOKED. However, this will only detect hooking methods that directly replace function pointers. Rootkits using unconditional jumps, ftrace callbacks, or eBPF hooks will not be detected by these plugins. Jump hooks may be detected by manually inspecting the starting bytes of functions and looking for assembly instructions implementing an unconditional jump to an address belonging to a kernel module. As already mentioned, the custom plugins developed by Case et al. [2] were not available for evaluation. In theory, their approach should be able to detect the three analyzed rootkits utilizing ftrace/eBPF. Six of the analyzed kernel rootkits only hide their modules from /etc/modules to prevent being revealed via lsmod. Nevertheless, since they leave their kobjects (exported via /sys/module) unhidden, they may be detected by comparing the two structures and printing the difference. The linux\(\_\)check\(\_\)modules plugin automates this process, but rootkits that hide themselves from both structures remain undetected. The linux\(\_\)psxview plugin can be used to find hidden processes by comparing different sources for acquiring process lists. This may produce false positives, requiring manual analysis to identify the hidden process. Malicious preloaded libraries may be found using the linux\(\_\)proc\(\_\)maps plugin and looking for unusual shared objects mapped into processes. This approach, however, is entirely based on suspicious names or known strings in the mapped memory segments. The linux\(\_\)netfilter plugin is designed to list Netfilter hooks registered by LKMs. One of the analyzed rootkits uses such a hook as a backdoor trigger. However, during testing, we ran into problems with both the Volatility 2 and Volatility 3 versions of the plugin. The Volatility 2 version was runnable but did not yield any results, while the Volatility 3 version provided in the official community repository contained multiple deprecated code segments. Fixing these was out of the scope of this article. However, since no additional obfuscation is implemented, the plugin should, if updated, be able to find the Netilfter hooks of the analyzed rootkit.
Table 5 shows which of the analyzed rootkits can be detected using the presented Volatility plugins. It is assumed that hidden processes are active and IoCs are available to identify malicious libraries. Without these, the linux\(\_\)psxview and linux\(\_\)proc\(\_\)maps plugins will not produce any results.
Table 5.
| Plugin | Detected rootkits |
|---|---|
| linux_check_syscall | Diamorphine, Reveng_rtkit, Puszek, Honey Pot Bears, Knarka |
| linux_check_idt | SuckITa |
| linux_check_fop | LilyOfTheValley, adore-nga |
| linux_check_afinfo | adore-nga |
| linux_check_modules | Diamorphine, Reptile, Nuk3Gh0st, Umbra, Reveng_rtkit, Drovoruba |
| linux_psxview Assuming hidden processes are active | Father, bedevil, Umbreon, Azazel, BEURK, Diamorphine, Reptile, Nuk3Gh0st, Reveng_rtkit, LilyOfTheValley, Puszek, Honey Pot Bears, Boopkit, Jynx2a, adore-nga, Knarka, SuckITa, Drovoruba |
| linux_proc_maps Assuming IOC data is available | Father, bedevil, Umbreon, Azazel, BEURK, Zendar, Jynx2a |
| linux_netfilter Not tested due to deprecated code | Umbraa |
| linux_ftrace Not tested due to unavailability | Umbraa |
| linux_ebpf Not tested due to unavailability | TripleCrossa, Boopkita |
Table 5. Evaluation Results of Various Volatility Plugins
aResults are based on theoretical considerations.
Since many of the techniques presented in the previous sections work by comparing the state of certain system structures acquired from different sources and searching for differences, the question arises of how these techniques fare against rootkits that “hide in plain sight” and do not implement significant hiding capabilities. We believe that these cases do not fall into the realm of rootkit but rather regular malware detection, which is an entirely new topic in and of itself and not in the scope of this article.
Comprehensive detection results, covering all rootkits and the primary techniques presented in this chapter, along with the methods used for successful detection, are detailed in the appendix.
7 Conclusion and Future Work
Based on our evaluation, we conclude that the current means to detect rootkits on Linux are insufficient. We evaluated seven common tools to detect rootkits and found that none could detect all rootkits we tested. Moreover, the detection rate was notably worse when there was no knowledge of the system under investigation and the rootkits to detect. This is important as this information is frequently unavailable in practical, real-world scenarios.
Therefore, effective detection approaches should not rely on this information exclusively. Instead, they should strive for more generalized means that enable detection even when the targeted system and the rootkit are unknown. To develop foundations for such detection methods, we conducted an in-depth analysis of 21 rootkits for Linux. We systematized their general functionalities and techniques to hide their presence on a system. Based on our findings, finding discrepancies between the information normal user space programs provide and information gathered without relying on system or API functions emerged as the most promising approach. While this approach is not new—Todd et al. termed it cross-view-based detection [8]—our work emphasized that it is indeed very effective even against modern rootkits. Although applicable in storage, network, and memory forensics, it should be acknowledged that acquiring memory can sometimes be impractical, rendering memory forensics unviable for detecting rootkits under specific circumstances.
Nevertheless, having IoCs for known rootkits can drastically speed up the detection. Hence, we compiled a list of IoCs for the rootkits we investigated on the GitHub repository accompanying this article. This list can help defenders to find known rootkits quickly. Of course, scanning for the IoCs must be carried out by means a rootkit cannot deceive.
To sum up, our study, which is, to our knowledge, the most comprehensive and recent study of Linux rootkits, illustrated a shortcoming of current detection tools in this area. Furthermore, we state that checking for discrepancies in information from different system sources is most promising when detecting unknown rootkits. On the other hand, the detection of known rootkits is often rapidly accomplished using the IoCs we provide.
If the linux\(\_\)ebpf and linux\(\_\)ftrace plugins for volatility should remain unavailable, we will provide our own implementation to conduct a thorough evaluation against real-world rootkits. Moreover, we are investigating if one or more of the tools we tested in our evaluation can be extended based on the insights of our study to enhance their detection capabilities. If this is not possible, we will provide a new detector implementation supporting the proposed detection approach for unknown rootkits and IoC scanning techniques that cannot be deluded.
Appendix
Table A1.
| CHG | Changes to critical files |
|---|---|
| KWN | Known file paths or strings |
| FIL | Hidden files |
| DIR | Hidden directories |
| PRC | Hidden processes |
| NET | Hidden network connections |
| NTF | Registered Netfilters |
| COM | Backdoor communication |
| LIB | Injected libraries |
| MOD | Hidden kernel modules |
| SYS | Manipulated system calls |
| VFS | Manipulated VFS handlers |
| NEF | Manipulated network functions |
| INT | Manipulated interrupt handler |
| KTH | Kernel Tracing hooks (e.g., ftrace, ebpf) |
| LPE | Local privilege escalation |
Table A2.
| rkhunter | chkrootkit | Unhide | AIDE | OSSEC | ClamAV | LKRG | |
|---|---|---|---|---|---|---|---|
| False Positivesa | - | DIR | NET | - | NET | - | - |
| Father | - | - | - | - | - | ? | - |
| bedevil | - | - | - | - | PRC | - | - |
| Umbreon | - | - | - | - | PRC | - | - |
| Azazel | - | - | - | - | - | - | - |
| BEURK | - | - | - | - | - | - | - |
| Zendar | - | - | - | - | - | - | - |
| Diamorphine | - | - | - | - | - | - | MOD |
| Reptile | - | DIR | - | - | - | - | MOD |
| Nuk3Gh0st | - | DIR, PRC | PRC | - | PRC | - | MOD |
| Umbra | - | DIR | - | - | - | - | MOD |
| Reveng_rtkit | - | - | - | - | - | - | MOD |
| LilyOfTheValley | - | - | - | - | - | - | - |
| Puszek | - | - | - | - | - | - | - |
| Honey Pot Bears | - | - | - | - | - | - | - |
| TripleCross | - | DIR | - | - | - | - | - |
| Boopkit | - | - | - | - | - | - | - |
| Jynx2b | - | DIR | - | - | - | - | - |
| adore-ngb | - | - | - | - | - | - | - |
| Knarkb | - | - | - | - | - | - | - |
| SuckITb | - | - | - | - | - | - | - |
| Drovorubb | - | - | - | - | - | - | MOD |
Table A2. Evaluation Results, after Initial Installation, without Using Prior Knowledge
See Table A1 for the definition of abbreviations used.
aThe tool repeatedly outputs false positves on a clean system.
bNot tested. Results are based on theoretical considerations.
Table A3.
| rkhunter | chkrootkit | Unhide | AIDE | OSSEC | ClamAV | LKRG | |
|---|---|---|---|---|---|---|---|
| False Positivesa | CHG, KWN | DIR | NET | - | NET | - | - |
| Father | - | - | - | CHG | CHG | ? | - |
| bedevil | - | - | - | CHG | PRC | - | - |
| Umbreon | - | - | - | CHG | CHG, PRC | - | - |
| Azazel | - | - | - | CHG | CHG | - | - |
| BEURK | - | - | - | CHG | CHG | - | - |
| Zendar | CHG | - | - | CHG | CHG | - | - |
| Diamorphine | KWN | - | - | - | - | - | CHG, MOD |
| Reptile | - | DIR | - | - | - | - | CHG, MOD |
| Nuk3Gh0st | - | DIR, PRC | PRC | - | PRC | - | CHG, MOD |
| Umbra | - | DIR | - | - | - | - | MOD |
| Reveng_rtkit | - | - | - | - | - | - | CHG, MOD |
| LilyOfTheValley | - | - | - | - | - | - | CHG |
| Puszek | - | - | - | - | - | - | CHG |
| Honey Pot Bears | CHG | - | - | CHG | - | - | CHG |
| TripleCross | - | DIR | - | - | - | - | - |
| Boopkit | - | - | - | KWN | - | - | - |
| Jynx2b | KWN | DIR | - | CHG | - | - | - |
| adore-ngb | KWN | KWN | - | - | - | - | CHG |
| Knarkb | KWN | - | - | - | - | - | CHG |
| SuckITb | KWN | KWN | - | - | - | - | CHG |
| Drovorubb | - | - | - | - | - | - | MOD |
Table A3. Evaluation Results, after Initial Installation, Using Prior Knowledge
See Table A1 for the definition of abbreviations used.
? Only an error in logs point to a possible rootkit (textbfnot counted as a successful detection).
aThe tool repeatedly outputs false positives on a clean system.
bNot tested. Results are based on theoretical considerations.
Table A4.
| rkhunter | chkrootkit | Unhide | AIDE | OSSEC | ClamAV | LKRG | |
|---|---|---|---|---|---|---|---|
| False Positivesa | - | DIR | NET | - | NET | - | - |
| Father | - | DIR, PRC | PRC | - | PRC | ? | - |
| bedevil | - | - | - | - | PRC | - | - |
| Umbreon | - | DIR | - | - | PRC | - | - |
| Azazel | - | DIR, PRC | - | - | PRC | - | - |
| BEURK | - | DIR, PRC | PRC | - | PRC | - | - |
| Zendar | - | DIR | - | - | - | - | - |
| Diamorphine | - | DIR, PRC | PRC | - | PRC | - | MOD, LPE |
| Reptile | - | DIR, PRC | NET | - | NET | - | MOD, LPE |
| Nuk3Gh0st | - | DIR, PRC | PRC, NET | - | PRC, NET | - | MOD, LPE |
| Umbra | - | DIR | - | - | - | - | MOD, LPE |
| Reveng_rtkit | - | PRC | PRC | - | PRC | - | MOD, LPE |
| LilyOfTheValley | - | DIR, PRC | PRC | - | PRC | - | LPE |
| Puszek | ! | PRC, ! | PRC | ! | PRC | ! | - |
| Honey Pot Bears | - | DIR, PRC | PRC | - | PRC | - | LPE |
| TripleCross | - | DIR | - | - | - | - | - |
| Boopkit | - | PRC | PRC | - | PRC | - | - |
| Jynx2b | - | DIR, PRC | PRC | - | PRC | - | - |
| adore-ngb | - | DIR, PRC | PRC, NET | - | PRC, NET | - | LPE |
| Knarkb | - | DIR, PRC | PRC, NET | - | PRC, NET | - | LPE |
| SuckITb | - | PRC | PRC, NET | - | PRC, NET | - | LPE |
| Drovorubb | - | DIR | NET | - | NET | - | MOD, LPE |
Table A4. Evaluation Results, All Functions Active, without Using Prior Knowledge
See Table A1 for the definition of abbreviations used.
aThe tool repeatedly outputs false positves on a clean system.
bNot tested. Results are based on theoretical considerations.
Table A5.
| rkhunter | chkrootkit | Unhide | AIDE | OSSEC | ClamAV | LKRG | |
|---|---|---|---|---|---|---|---|
| False Positivesa | CHG, KWN | DIR | NET | - | NET | - | - |
| Father | - | DIR, PRC | PRC | CHG | CHG, PRC | ? | - |
| bedevil | - | - | - | CHG | PRC | - | - |
| Umbreon | - | DIR | - | CHG | CHG, PRC | - | - |
| Azazel | - | DIR, PRC | - | CHG | CHG, PRC | - | - |
| BEURK | - | DIR, PRC | PRC | CHG | CHG, PRC | - | - |
| Zendar | CHG | DIR | - | CHG | CHG | - | - |
| Diamorphine | KWN | DIR, PRC | PRC | - | PRC | - | CHG, MOD, LPE |
| Reptile | - | DIR, PRC | NET | - | NET | - | CHG, MOD, LPE |
| Nuk3Gh0st | - | DIR, PRC | PRC, NET | - | PRC, NET | - | CHG, MOD, LPE |
| Umbra | - | DIR | - | - | - | - | MOD, LPE |
| Reveng_rtkit | - | PRC | PRC | - | PRC | - | CHG, MOD, LPE |
| LilyOfTheValley | - | DIR, PRC | PRC | - | PRC | - | CHG, LPE |
| Puszek | ! | PRC, ! | PRC | ! | PRC | ! | CHG |
| Honey Pot Bears | CHG | DIR, PRC | PRC | CHG | PRC | - | CHG, LPE |
| TripleCross | - | DIR | - | - | - | - | - |
| Boopkit | - | PRC | PRC | KWN | PRC | - | - |
| Jynx2b | KWN | DIR, PRC | PRC | CHG | PRC | - | - |
| adore-ngb | KWN | KWN, DIR, PRC | PRC, NET | - | PRC, NET | - | CHG, LPE |
| Knarkb | KWN | DIR, PRC | PRC, NET | - | PRC, NET | - | CHG, LPE |
| SuckITb | KWN | KWN, PRC | PRC, NET | - | PRC, NET | - | CHG, LPE |
| Drovorubb | - | DIR | NET | - | NET | - | MOD, LPE |
Table A5. Evaluation Results, All Functions Active, Using Prior Knowledge
See Table A1 for the definition of abbreviations used.
! The rootkit causes the scanner to crash (counted as a successful detection).
? Only an error in logs point to a possible rootkit (not counted as a successful detection).
aThe tool repeatedly outputs false positives on a clean system.
bNot tested. Results are based on theoretical considerations.
Table A6.
| Storage Forensics Cross-View (Custom Utility) | Network Forensics Cross-View (Wireshark) | Memory Forensics Volatility (All Plugins) | |
|---|---|---|---|
| False Positivesa | - | - | PRC |
| Father | - | - | LIBb |
| bedevil | DIR | - | LIBb |
| Umbreon | FIL, DIR | - | LIBb |
| Azazel | - | - | LIBb |
| BEURK | FIL | - | LIBb |
| Zendar | FIL | - | LIBb |
| Diamorphine | - | - | SYS, MOD |
| Reptile | FIL, DIR | - | MOD |
| Nuk3Gh0st | FIL, DIR | - | MOD |
| Umbra | FIL | - | MOD, NTFc, KTHc |
| Reveng\(\_\) rtkit | - | - | SYS, MOD |
| LilyOfTheValley | - | - | VFS |
| Puszek | - | - | SYS |
| Honey Pot Bears | FIL | - | SYS |
| TripleCross | FIL, DIR | - | KTHc |
| Boopkit | - | - | KTHc |
| Jynx2c | FIL | - | LIBb |
| adore-ngc | - | - | VFS, NEF |
| Knarkc | - | - | SYS |
| SuckITc | - | - | IDT |
| Drovorubc | - | - | MOD |
Table A6. Detection Results Using the Approaches Detailed in Section 6, after Initial Installation
See Table A1 for the definition of abbreviations used.
aThe tool repeatedly outputs false positives on a clean system.
bAssuming IOC data is avaliable.
cNot tested. Results are based on theoretical considerations.
Table A7.
| Storage Forensics Cross-View (Custom Utility) | Network Forensics Cross-View (Wireshark) | Memory Forensics Volatility (All Plugins) | |
|---|---|---|---|
| False Positivesa | - | - | PRC |
| Father | FIL, DIR | NET | PRC, LIBb |
| bedevil | FIL, DIR | NET | PRC, LIBb |
| Umbreon | FIL, DIR | - | PRC, LIBb |
| Azazel | FIL, DIR | - | PRC, LIBb |
| BEURK | FIL, DIR | NET | PRC, LIBb |
| Zendar | FIL, DIR | - | LIBb |
| Diamorphine | FIL, DIR | - | SYS, MOD, PRC |
| Reptile | FIL, DIR | NET | MOD, PRC |
| Nuk3Gh0st | FIL, DIR | NET | MOD, PRC |
| Umbra | FIL, DIR | - | MOD, NTFc, KTHc |
| Reveng\(\_\) rtkit | - | - | SYS, MOD, PRC |
| LilyOfTheValley | FIL, DIR | - | VFS, PRC |
| Puszek | FIL, DIR | NET | SYS, PRC |
| Honey Pot Bears | FIL, DIR | - | SYS, PRC |
| TripleCross | FIL, DIR | - | KTHc |
| Boopkit | - | - | PRC, KTHc |
| Jynx2c | FIL, DIR | NET | PRC, LIBb |
| adore-ngc | FIL, DIR | NET | VFS, NEF, PRC |
| Knarkc | FIL, DIR | NET | SYS, PRC |
| SuckITc | FIL, DIR | NET | IDT, PRC |
| Drovorubc | FIL, DIR | NET | MOD, PRC |
Table A7. Detection Results Using the Approaches Detailed in Chapter 6, All Functions Active
See Table A1 for the definition of abbreviations used.
aThe tool repeatedly outputs false positives on a clean system.
bAssuming IOC data is avaliable.
cNot tested. Results are based on theoretical considerations.
Footnotes
3
The Sleuth Kit is a C library and a collection of utilities for the forensic analysis of different filesystems.
References
[1]
B. Andreas. 2004. UNIX and Linux based rootkits techniques and countermeasures. In 16th Annual FIRST Conference on Computer Security Incident Handling, 27–34.
[2]
Andrew Case and Golden G. Richard III. 2021. Fixing a Memory Forensics Blind Spot: Linux Kernel Tracing. BlackHat, USA 2021.
[3]
Jestin Joy, Anita John, and James Joy. 2011. Rootkit detection mechanism: A survey. In International Conference on Parallel Distributed Computing Technologies and Applications. Springer, 366–374.
[4]
John F. Levine, Julian B. Grizzard, and Henry L. Owen. 2006. Detecting and categorizing kernel-level rootkits to aid future detection. IEEE Security & Privacy 4, 1 (2006), 24–32.
[5]
Yong-Gang Li, Yeh-Ching Chung, Kai Hwang, and Yue-Jin Li. 2020. Virtual wall: Filtering rootkit attacks to protect linux kernel functions. IEEE Transactions on Computers 70, 10 (2020), 1640–1653.
[6]
Daniel Molina, Matthew Zimmerman, Gregory Roberts, Marnita Eaddie, and Gilbert Peterson. 2008. Timely rootkit detection during live response. In Advances in Digital Forensics IV 4. Springer, 139–148.
[7]
Karla Saur and Julian B. Grizzard. 2010. Locating \(\times\) 86 paging structures in memory images. Digital Investigation 7, 1–2 (2010), 28–37.
[8]
A. Todd, J. Benson, G. Peterson, T. Franz, Michael Stevens, and Richard Raines. 2007. Analysis of tools for detecting rootkits and hidden processes. In Advances in Digital Forensics III: IFIP International Conference on Digital Forensics, National Centre for Forensic Science. Springer, 89–105.
[9]
Liwei Zhou and Yiorgos Makris. 2018. Hardware-assisted rootkit detection via on-line statistical fingerprinting of process execution. In 2018 Design, Automation & Test in Europe Conference & Exhibition (DATE ’18). IEEE, 1580–1585.
Index Terms
- The Hidden Threat: Analysis of Linux Rootkit Techniques and Limitations of Current Detection Tools
Recommendations
Detection of Stealth Process using Hooking
WCI '15: Proceedings of the Third International Symposium on Women in Computing and InformaticsMalware writers adapt multiple methods to make the malware detection process difficult. Hiding the presence of malware during its execution is one of them. Malware written for espionage, data stealing, or rootkits have this key characteristic of ...
Volatile Kernel Rootkit hidden process detection in cloud computing
AbstractThe rootkit industry has advanced significantly in the last decade. Attackers want to leave a backdoor for quick reoccurring exploits rather than launching the traditional one-time worm/virus attacks. Meanwhile, as intrusion detection technologies ...
Advancing Mac OS X rootkit detection
In the last few years there has been a sharp increase in the use of Mac OS X systems in professional settings. This has led to increased activity in the development of malware and attack toolkits focused specifically on OS X systems, and unfortunately, ...
Comments
Information & Contributors
Information
Published In
September 2024
304 pages
Copyright © 2024 Copyright held by the owner/author(s).
This work is licensed under a Creative Commons Attribution International 4.0 License.
Publisher
Association for Computing Machinery
New York, NY, United States
Publication History
Published: 26 October 2024
Online AM: 20 August 2024
Accepted: 03 July 2024
Revised: 03 May 2024
Received: 03 May 2024
Published in DTRAP Volume 5, Issue 3
Check for updates
Author Tags
Qualifiers
- Research-article
Contributors
Other Metrics
Bibliometrics & Citations
Bibliometrics
Article Metrics
- 0Total Citations
- 1,603Total Downloads
- Downloads (Last 12 months)1,603
- Downloads (Last 6 weeks)572
Reflects downloads up to 27 Jan 2025
Other Metrics
Citations
View Options
Login options
Check if you have access through your login credentials or your institution to get full access on this article.
Sign in