
Linux.com

Feature

Good malware hunting for Linux

By Joe Barr on March 11, 2008 (7:00:00 PM)


Linux has proved to be much more resistant to malware than Windows, especially when it comes to viral infections, but any remote exploit makes it just as susceptible to worms, trojans, and rootkits as any other platform. Given all the fuss in the news recently about compromised Linux/Apache servers being responsible for infecting Windows users with malware when they visit those compromised sites, we thought it would be a good time to take a look at three of the best rootkit/malware detection tools available for Linux desktop and SOHO users. Here's a brief comparison of three popular choices: Chkrootkit, Rootkit Hunter, and Ossec.

Chkrootkit

Chkrootkit is a collection of scripts and programs which check system integrity in a variety of ways. The most recent version of Chkrootkit is 0.48, which was released in December of 2007. It's quick and easy to download, install, and run.

Decompress the downloaded file, enter the resulting directory, and type the command make sense. That creates an executable in the same directory, which you then execute as root. In Ubuntu, that's as easy as entering sudo ./chkrootkit in the installation directory.

When run without any options, Chkrootkit performs all the tests in its repertoire. If you're only interested in specific tests, you can specify them as options, and only they will be executed. To list all the available tests, enter ./chkrootkit -l. If you only want to test for slapper, for example, enter ./chkrootkit slapper.

Running Chkrootkit on my desktop system without any arguments took less than 15 seconds and produced about 115 lines of output. You can instruct Chkrootkit to limit its output of test results with the -q option. It's not any quicker, but only results indicating a problem or suspected problem are printed.

If less is not more for you, or if you want to check on Chkrootkit's parsing yourself, run it in expert mode by using the -x option. Be warned, however, that this produces nearly 30K lines of output on my system.

Rootkit Hunter

Rootkit Hunter -- AKA RKH or rkhunter -- version 1.3.0 was released last September, making it just a tad older than Chkrootkit. Originally created by Michael Boelen, project management was assumed by others in 2006, when Boelen found it difficult to both make a living and support his creation. Version 1.3.0 was the first major release from the new crew.

We reviewed Rootkit Hunter in April of 2004, at the 1.0.3 level. The latest version contains additional and refined tests for all manner of malware. Installation is still as simple as decompressing the tarball, entering the rkhunter-1.3.0 directory, and running ./installer.sh --layout default --install as root.

If you don't want to actually install Rootkit Hunter, you can run it as a standalone tool by entering the files sub-directory in the rkhunter-1.3.0 directory, and then -- as root -- entering ./rkhunter --check. To run Rootkit Hunter after installing it, do the same thing without entering the ./ preceding the program name.

RKH is more sophisticated than Chkrootkit, and it does a lot more than rootkit tests. It runs for about 2.5 minutes on my system and produces roughly 300 lines of output. In the default mode, as shown above, it is interactive, waiting on you to press Enter as it goes from one series of tests to the next. You can avoid the delays by specifying -sk as an option.

Other essential options for regular use are --update, which keeps the local store of data files used in detecting malware threats current (provided that you have wget, lynx, curl, or another RKH-supported tool for retrieving data across the Internet), and --versioncheck, which calls home to check whether you have the latest release. For more options and detailed configuration instructions, peruse the README in the files subdirectory.

OSSEC

Both Chkrootkit and Rootkit Hunter focus on rootkit detection, even though both go beyond that. OSSEC is a complete Host Intrusion Detection System, meant to detect any and all attempts at intrusion. We reviewed OSSEC in 2006, when it was at the 0.9 release. But even though it's much larger and more complex than the other two tools, OSSEC installation is a breeze.

In my opinion, OSSEC is not really in the same category as Chkrootkit and Rootkit Hunter. It's much more suited to installation on a server than a desktop machine, though you can install it to run locally. The only reason I've included it in this comparison is that I've had problems finding other rootkit detectors for Linux which are actively maintained. That said, OSSEC is very good at rootkit detection. As you can see in my informal spreadsheet comparison, it detects more rootkits and worms than either of the other two tools.

Grab the latest version from the OSSEC download page, decompress it, enter the resulting directory and execute install.sh as the root user. Assuming that you have the gcc compiler installed, the install script will compile, configure, install and start OSSEC running.

Conclusion

These three security tools test for a total of 80 different rootkits, plus worms, trojans, and back doors. My informal comparison -- minor differences in spelling and versions make it decidedly not a scientific survey -- shows that Chkrootkit tests for 64 types of malware, Rootkit Hunter tests for 60, and OSSEC for 56. Exactly how many each checks for is less important than the fact that each runs tests for malware that the others don't.

My thinking is that OSSEC would be the best choice if you are checking multiple machines on your SOHO LAN, but one of the other two would be best for use on a single desktop or laptop. Which one to choose? That's a good question, but I am leaning towards the opinion given by Michael Boelen, the original Rootkit Hunter author, when he proclaimed that it wasn't being written as a replacement for Chkrootkit, but rather to provide a second opinion. So why not run both? It can't hurt, and the second one might find the rootkit the other missed, or didn't check for.
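As an added example (not from the article or from either project), here is a small POSIX shell wrapper that takes the "run both" advice literally: it runs Chkrootkit and Rootkit Hunter non-interactively with the options the article describes, keeps the raw reports, and reduces each to the lines a person needs to look at. The matched output formats and the rkhunter --nocolors option are assumptions to verify against the versions you install.

```shell
#!/bin/sh
# Added example, not from the article: run Chkrootkit and Rootkit Hunter
# back to back (the "second opinion" approach) and reduce both reports to
# the lines that need a human. Assumed formats: chkrootkit flags problems
# with "INFECTED"/"Warning: Possible", rkhunter with "[ Warning ]".

# findings TOOL FILE: print only the problem lines of one report, prefixed
# with the tool name so merged output stays attributable.
findings() {
    tool=$1; file=$2
    case "$tool" in
        chkrootkit) pattern='INFECTED|Warning: Possible' ;;
        rkhunter)   pattern='\[ *Warning *\]' ;;
        *) echo "findings: unknown tool $tool" >&2; return 2 ;;
    esac
    grep -E "$pattern" "$file" | sed "s/^/$tool: /"
    return 0
}

# count_findings TOOL FILE: number of problem lines (0 when the report is clean).
count_findings() {
    findings "$1" "$2" | wc -l | tr -d ' '
}

# run_scans DIR: run whichever scanners are installed, non-interactively, and
# keep the raw reports in DIR. --nocolors (assumed) strips ANSI colour codes.
run_scans() {
    mkdir -p "$1"
    command -v chkrootkit >/dev/null 2>&1 && chkrootkit -q >"$1/chkrootkit.out" 2>&1
    command -v rkhunter   >/dev/null 2>&1 && rkhunter --check -sk --nocolors >"$1/rkhunter.out" 2>&1
    return 0
}

# Constructed sample reports so the summary logic can be exercised offline.
SAMPLES=$(mktemp -d)
cat >"$SAMPLES/chkrootkit.out" <<'EOF'
Checking `ls'... not infected
Checking `netstat'... INFECTED
Checking `bindshell'... not infected
EOF
cat >"$SAMPLES/rkhunter.out" <<'EOF'
  /bin/ls                                    [ OK ]
  /usr/bin/ssh                               [ Warning ]
  Checking for hidden files and directories  [ Warning ]
  Checking for SNIFFER trojan                [ Not found ]
EOF
findings chkrootkit "$SAMPLES/chkrootkit.out"
findings rkhunter   "$SAMPLES/rkhunter.out"
```

On a real system, call run_scans with a directory of your choice as root and then pass the two .out files to findings; keep the raw reports, since a one-line summary is no substitute for reading what the scanner actually flagged.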


Comments on Good malware hunting for Linux


Good malware hunting for Linux

Posted by: Anonymous [ip: 69.248.80.162] on March 12, 2008 01:01 AM
What if your system has been compromised? This would mean altered commands and a system that would be resistant to discovery. That is, it would not compile root kit finders properly to hide its presence. Why do you seem unconcerned?


Good malware hunting for Linux

Posted by: Joe Barr on March 12, 2008 02:38 AM
On the other hand, if your system has not been compromised, these tools may be of use in keeping it that way, and that is the reason for this article. Why do you object to that?


Good malware hunting for Linux

Posted by: Vasily Tarasov on March 12, 2008 04:05 AM
Joe, you wrote "As you can see in my informal spreadsheet comparison, it detects more rootkits and worms than either of the other two tools". Where exactly can we see your spreadsheet comparison? :)


Re: Good malware hunting for Linux

Posted by: Joe Barr on March 12, 2008 02:24 PM
Where exactly can we see your spreadsheet comparison? :)

An excellent question. I'm trying to come up with a good answer.


Good malware hunting for Linux

Posted by: Vasily Tarasov on March 12, 2008 09:54 PM
I can see the document now, thank you. Notice however that it contains 121 pages, most of which have only one string on them. ;)


Re: Good malware hunting for Linux

Posted by: Joe Barr on March 12, 2008 11:20 PM
You're right. I'll have to redo the PDF, and try not to munge it up this time.


Good malware hunting for Linux

Posted by: Anonymous [ip: 68.204.151.211] on March 13, 2008 10:10 AM
Keep in mind these applications are not the end-all, be-all of rootkit detection. If you suspect a rootkit, I would compile these on a clean machine as well and packet sniff the network for unexpected traffic. You should also be running a firewall to accompany these solutions. They are all part of multi-tier security; in my opinion, any software that tries to make any system more secure is a good choice.


Good malware hunting for Linux

Posted by: Anonymous [ip: 63.226.230.4] on April 09, 2008 11:14 PM
The limitation of rootkit finders is the same as for virus finders: the creators simply keep modifying their code to avoid pattern-matching detection. Last I heard there are now over 100k viruses, most of them simply variants that have been changed enough to avoid the pattern detection.

Another way to detect modification of system files is to use a version control system such as www.bazaar-vcs.org
You then create one or more projects to track your system files. For instance, put all of /etc into a project and all of /sbin into a different project. Any changes that get made are clearly visible. You can then decide to approve the change as valid or roll it back to the previous version. As a bonus you get a revision history of any upgrades that are made to the system. You just have to run a check-in after any updates. Of course if the rootkit is already in control then a simple roll-back won't work, not from within the compromised OS. But if you boot another OS and use a trusted copy of the Bazaar project, then you can roll back to any version of the OS that you like.

The reason I recommend using Bazaar instead of the many other version control systems is that Bazaar has excellent support for binary files which most vcs systems either lack or are poor at. Also Bazaar is very flexible.

Your security is further enhanced if you publish the Bazaar project to another computer, so that it cannot be compromised by a savvy cracker. The only downside of this approach is that it requires a higher level of knowledge and is a bit higher maintenance.

Codeslinger (compsalot.com)

