
Good malware hunting for Linux

Posted by: Anonymous [ip:] on April 09, 2008 11:14 PM
The limitation of rootkit finders is the same as for virus finders: the creators simply keep modifying their code to avoid pattern-matching detection. Last I heard there are now over 100k viruses; most of them are simply variants that have been changed enough to avoid the pattern detection.

Another way to detect modification of system files is to use a version control system such as
You then create one or more projects to track your system files. For instance, put all of /etc into a project and all of /sbin into a different project. Any changes that get made are clearly visible. You can then decide to approve the change as valid or roll it back to the previous version. As a bonus you get a revision history of any upgrades that are made to the system. You just have to run a check-in after any updates. Of course, if the rootkit is already in control then a simple roll-back won't work, not from within the compromised OS. But if you boot another OS and use a trusted copy of the Bazaar project, then you can roll back to any version of the OS that you like.

The reason I recommend using Bazaar instead of the many other version control systems is that Bazaar has excellent support for binary files, which most VCS systems either lack or are poor at. Also, Bazaar is very flexible.

Your security is further enhanced if you publish the Bazaar project to another computer, so that it cannot be compromised by a savvy cracker. The only downside of this approach is that it requires a higher level of knowledge and is a bit higher-maintenance.

Codeslinger (
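The check the post describes (baseline the tree, then see exactly what changed after an update or a suspected break-in), as an added example that is not the poster's code and does not use Bazaar: a plain hash-plus-ownership manifest in Python does the same comparison, so its report of added, removed and modified files stands in for `bzr status` / `bzr diff` against a committed baseline. It runs against a constructed temporary tree standing in for /etc, not the real one.

```python
import hashlib
import json
import os
import stat
import tempfile
from pathlib import Path


def snapshot(root):
    """Map every regular file under root to (sha256, permission bits, uid, gid)."""
    root = Path(root)
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_symlink() or not path.is_file():
            continue  # directories and symlinks are not content we hash here
        st = path.stat()
        digest = hashlib.sha256(path.read_bytes()).hexdigest()
        manifest[str(path.relative_to(root))] = [digest, stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid]
    return manifest


def compare(baseline, current):
    """Report files added, removed, or changed (content *or* ownership/permissions) since the baseline."""
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "modified": sorted(p for p in common if baseline[p] != current[p]),
    }


def demo():
    """Constructed scenario: baseline a fake /etc, then make the kinds of changes a check must catch."""
    with tempfile.TemporaryDirectory() as tmp:
        etc = Path(tmp) / "etc"
        (etc / "ssh").mkdir(parents=True)
        (etc / "cron.d").mkdir()
        (etc / "passwd").write_text("root:x:0:0:root:/root:/bin/bash\n")
        os.chmod(etc / "passwd", 0o644)  # pin the mode so the later change is deterministic
        (etc / "hosts").write_text("127.0.0.1 localhost\n")
        (etc / "ssh" / "sshd_config").write_text("PermitRootLogin no\n")
        # Serialise the baseline: in real use it lives off the host, like the post's published Bazaar copy.
        baseline = json.loads(json.dumps(snapshot(etc)))
        # Later: one config edited, one new file dropped in, one file deleted, one file made world-writable.
        (etc / "ssh" / "sshd_config").write_text("PermitRootLogin yes\n")
        (etc / "cron.d" / "backup").write_text("0 3 * * * root /usr/local/bin/backup\n")
        (etc / "hosts").unlink()
        os.chmod(etc / "passwd", 0o666)
        return compare(baseline, snapshot(etc))
```

The post's caveat applies unchanged: run the comparison from a clean boot with the baseline kept off the host, because a kernel already under a rootkit's control can misreport file contents to any checker running inside it.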


Return to Good malware hunting for Linux