9. Test for a rootkit

9.1. Standard Utilities

Any thorough search for a rootkit will begin with a boot from clean media. However, there are easy-to-use utilities which can help without the necessity of a reboot:

• chkrookit — see below, or go to the homepage;
• Rootkit Hunter — see below, or go to the homepage.

There are many other approaches to rootkit detection which usually require, in practice, a sysadmin to compilation up source code (as a minimum) and often knowledge of C and some kernel-level programming to tweak the code for a particular kernel. Details are beyond the scope of this document, but we mention two methods for interest sake:

• System-call fingerprinting: many rootkits work by wrapping system-calls — if data such as the address of each call is stored on a newly installed machine and periodically compared to the current state such wraps can often be detected.
  
  
• Loadable kernel module (LKM) scanning: many rootkits work by loading a kernel module which contains system-call wrappers — LKMs can be detected by scanning /dev/kmem for certain structures. Comparison of the results to those returned from lsmod can show up hidden — rootkit-related — LKMs.