9. Test for a rootkit
9.1. Standard Utilities
Any thorough search for a rootkit begins with a boot from clean media, since a
compromised kernel cannot be trusted to report on itself. There are, however,
easy-to-use utilities which can help without requiring a reboot:
9.2. Kernel-Related Utilities
There are many other approaches to rootkit detection which, in practice, usually
require a sysadmin to compile source code (as a minimum), and often a knowledge
of C and some kernel-level programming to adapt the code to a particular kernel.
Details are beyond the scope of this document, but two methods are mentioned
here for interest's sake:
- System-call fingerprinting: many rootkits work by wrapping system calls. If
data such as the address of each system-call handler (the entries of the
system-call table) is recorded on a newly installed machine and periodically
compared with the current state, such wrappers can often be detected.
- Loadable kernel module (LKM) scanning: many rootkits work by loading a kernel
module which contains the system-call wrappers. LKMs can be detected by
scanning /dev/kmem for the kernel structures that describe loaded modules.
Comparing the result with the output of lsmod can reveal hidden,
rootkit-related LKMs.
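The following is an added example, written for this edit and not taken from the
document or from any tool it names. It expresses both checks above as
comparison logic over snapshot text: fingerprint() and audit() cover the
system-call fingerprinting item, hidden_modules() the lsmod comparison in the
LKM item. Assumptions made here: symbol snapshots are in /proc/kallsyms format
("address type name [module]") and contain _text and _etext; the system-call
table dump is a hypothetical "nr hex-address" listing that a privileged dumper
(for example a small kernel module) would produce, which is the kernel-level
part the document leaves out; the module check uses /proc/modules (what lsmod
reads) and the directory names under /sys/module, where a loaded LKM has an
initstate file and built-in code that merely exposes parameters does not. Two
caveats a practitioner needs today: /dev/kmem is no longer provided by current
Linux kernels, and KASLR slides the whole kernel image between boots, so raw
addresses must be normalised to offsets from _text before any comparison. The
sample snapshots at the end are constructed for the example.

```python
"""Added example: user-space analogues of system-call fingerprinting and
hidden-LKM detection, run over snapshot text (formats are assumptions noted
in the lead-in, not output of any real tool)."""
import re
from bisect import bisect_right
from typing import Dict, List, NamedTuple, Optional, Set

KALLSYMS_RE = re.compile(r"^([0-9a-fA-F]+)\s+(\S)\s+(\S+)(?:\s+\[(\S+)\])?$")


class Symbol(NamedTuple):
    addr: int
    name: str
    module: Optional[str]  # None for the core kernel image


class SymbolTable:
    """Sorted kallsyms snapshot with address-to-symbol lookup."""

    def __init__(self, kallsyms_text: str) -> None:
        syms: List[Symbol] = []
        for line in kallsyms_text.splitlines():
            m = KALLSYMS_RE.match(line.strip())
            if m:
                addr, _type, name, module = m.groups()
                syms.append(Symbol(int(addr, 16), name, module))
        self.syms = sorted(syms, key=lambda s: s.addr)
        self.addrs = [s.addr for s in self.syms]
        core = {s.name: s.addr for s in self.syms if s.module is None}
        if "_text" not in core or "_etext" not in core:
            raise ValueError("snapshot lacks _text/_etext; cannot normalise for KASLR")
        self.text_start, self.text_end = core["_text"], core["_etext"]

    def resolve(self, addr: int) -> Symbol:
        """Nearest symbol at or below addr."""
        i = bisect_right(self.addrs, addr) - 1
        return self.syms[i] if i >= 0 else Symbol(addr, "<unknown>", None)

    def in_core_text(self, addr: int) -> bool:
        return self.text_start <= addr < self.text_end


class Entry(NamedTuple):
    offset: int            # handler address minus _text: stable across KASLR slides
    symbol: str            # symbol the handler address resolves to
    module: Optional[str]  # owning module, None for the core kernel
    in_core_text: bool     # a genuine handler lives inside [_text, _etext)


def fingerprint(table_text: str, kallsyms_text: str) -> Dict[int, Entry]:
    """Turn a sys_call_table dump plus the matching kallsyms into a fingerprint."""
    st = SymbolTable(kallsyms_text)
    fp: Dict[int, Entry] = {}
    for line in table_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        nr, addr_hex = line.split()
        addr = int(addr_hex, 16)
        sym = st.resolve(addr)
        fp[int(nr)] = Entry(addr - st.text_start, sym.name, sym.module, st.in_core_text(addr))
    return fp


def audit(baseline: Dict[int, Entry], current: Dict[int, Entry]) -> Dict[int, str]:
    """Compare fingerprints; return {syscall nr: reason} for every suspect entry."""
    findings: Dict[int, str] = {}
    for nr in sorted(set(baseline) | set(current)):
        b, c = baseline.get(nr), current.get(nr)
        if b is None or c is None:
            findings[nr] = "present in only one snapshot"
            continue
        target = f"{c.symbol} [{c.module}]" if c.module else c.symbol
        reasons = []
        if c.offset != b.offset:          # wrapper installed in the table
            reasons.append(f"moved from {b.symbol} to {target}")
        if not c.in_core_text:            # handler outside the kernel image
            reasons.append("target lies outside the core kernel text")
        if reasons:
            findings[nr] = "; ".join(reasons)
    return findings


def hidden_modules(proc_modules_text: str, sysfs_modules: Dict[str, bool]) -> Set[str]:
    """Loaded LKMs that sysfs knows about but /proc/modules (hence lsmod) omits.
    sysfs_modules maps each /sys/module/<name> to whether <name>/initstate exists."""
    listed = {l.split()[0] for l in proc_modules_text.splitlines() if l.strip()}
    loaded = {name for name, has_initstate in sysfs_modules.items() if has_initstate}
    return loaded - listed


# Constructed snapshots: a clean baseline, then a later boot where KASLR slid the
# image by 0x1b000000 and syscall 217 (getdents64 on x86-64) has been hooked.
BASELINE_KALLSYMS = "ffffffff81000000 T _text\nffffffff81240000 T sys_read\n" \
    "ffffffff81250000 T sys_getdents64\nffffffff81a00000 T _etext\n"
BASELINE_TABLE = "# nr address\n0 ffffffff81240000\n217 ffffffff81250000\n"
CURRENT_KALLSYMS = "ffffffff9c000000 T _text\nffffffff9c240000 T sys_read\n" \
    "ffffffff9c250000 T sys_getdents64\nffffffff9ca00000 T _etext\n" \
    "ffffffffc0a01000 t hooked_getdents [evil]\n"
CURRENT_TABLE = "0 ffffffff9c240000\n217 ffffffffc0a01000\n"
PROC_MODULES = "ext4 737280 1 - Live 0xffffffffc0400000\n" \
    "jbd2 131072 1 ext4, Live 0xffffffffc0300000\n"
SYSFS_MODULES = {"ext4": True, "jbd2": True, "evil": True, "printk": False}

if __name__ == "__main__":
    for nr, why in audit(fingerprint(BASELINE_TABLE, BASELINE_KALLSYMS),
                         fingerprint(CURRENT_TABLE, CURRENT_KALLSYMS)).items():
        print(f"syscall {nr}: {why}")
    print("hidden modules:", hidden_modules(PROC_MODULES, SYSFS_MODULES))
```

Because comparison is done on offsets from _text, syscall 0 is not reported even
though its absolute address differs between the two boots; syscall 217 is
reported both because its offset changed and because the new target resolves
into a module outside the core kernel text. On a real system the kallsyms
snapshot comes from /proc/kallsyms as root (kptr_restrict zeroes the addresses
otherwise), and the sysfs map from listing /sys/module and testing for each
initstate file.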
About this document:
Produced from the SGML: /home/umits/public_html/_unix_security/_reml_grp/diagnostic_forensic_tools.reml
On: 23/10/2005 at 13:29:12
Options: reml2 -i noindex -l long -o html -p multiple