Rootkits

Rootkit malware is also possible on Linux and OSX. Those of us in UNIX-land (and yes, Mac people, that includes you) don’t often have to deal with malware. There is room for debate about the exact reasons for that, but few would argue that Linux, BSD and OSX get hit as hard or as often as Windows. This does not, however, make us immune to malware. We all download software online, and even those who stick with only their software provider’s packages can still be afflicted by bugs or security holes which may allow nasty people or software inside. As the old saying goes, “an ounce of prevention is worth a pound of cure”. Today we’d like to show you some ways that you can scan your system to make sure there are no nasty rootkits lurking in the shadows.

The Quick and Dirty Personal Scan

A common technique used by some malware authors is to replace a normal system binary with one that takes additional or alternative actions. Many of them try to protect themselves by making their corrupted versions immutable in an attempt to make the infection harder to remove. Fortunately, this leaves traces behind that can be picked up by normal system tools.

Use the lsattr command to display the attributes of your system’s binary files in locations such as /bin, /sbin, and /usr/bin, as shown here.

lsattr /usr/bin

Normal, non-suspicious output should look something like this.

You may need root privileges to scan some places like /sbin. If the output contains other attributes like s (secure deletion), i (immutable), or a (append-only), that could possibly be a sign that something is wrong, and you may wish to try a deeper scan as shown below.
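The lsattr check described above, written out as a small POSIX shell script. This is an added example, not part of the original article: it runs lsattr over the directories named in the text, flags any entry carrying the s, i or a attribute, and skips an allowlist of paths where those attributes may be legitimate (the text later names /usr/bin/X11/ as one such place; the allowlist contents are an assumption to adapt to your own system).

```shell
#!/bin/sh
# Added example: flag binaries whose lsattr attributes include s (secure
# deletion), i (immutable) or a (append-only), the attributes the text
# says malware sets to protect a replaced binary from removal.

# Paths where such attributes may be legitimate (hypothetical allowlist;
# adapt to your system; /usr/bin/X11 is the example the text mentions).
ALLOWLIST="/usr/bin/X11"

# Reads lsattr output lines on stdin ("<attrs> <path>") and prints
# "<path> <attrs>" for each entry carrying s, i or a, skipping allowlisted
# paths. Returns 0 if nothing suspicious was found, 1 otherwise.
flag_suspicious_attrs() {
    found=0
    while read -r attrs path; do
        # skip blank or malformed lines
        [ -n "$attrs" ] && [ -n "$path" ] || continue
        case "$attrs" in
            *s*|*i*|*a*) ;;        # candidate: carries one of the three letters
            *) continue ;;         # only normal attributes such as e (extents)
        esac
        skip=0
        for allowed in $ALLOWLIST; do
            case "$path" in
                "$allowed"|"$allowed"/*) skip=1 ;;
            esac
        done
        [ "$skip" -eq 1 ] && continue
        printf '%s %s\n' "$path" "$attrs"
        found=1
    done
    [ "$found" -eq 0 ]
}

# Runs lsattr over the given directories and flags the results.
# lsattr may need root for /sbin and fails on filesystems without
# attribute support; its errors go to stderr and are ignored here.
scan_dirs() {
    for d in "$@"; do
        lsattr "$d" 2>/dev/null
    done | flag_suspicious_attrs
}

# Usage (commented out so the file can be sourced without side effects):
# scan_dirs /bin /sbin /usr/bin || echo "suspicious attributes found"
```

Run it as root so /sbin is readable, and review every flagged path against the package manager and the rootkit scanners below before touching its attributes.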

To read about chkrootkit and Rootkit Hunter (rkhunter), read further on this website. Both can be run as follows:

sudo chkrootkit > mylogfile.txt

sudo rkhunter -c

To help clean these up, as root you'll need to remove those s, i, or a attributes with:

root-shell# chattr -sia /usr/bin/whatever

Once those attributes have been removed (note: read about the attributes first and make sure the other tools actually flag the file; /usr/bin/X11/, for example, may intentionally have these set), you can once again manipulate those files to edit, delete, or whatever.

So you then have incorrect or compromised binaries? On a Debian system you can fetch older packages from http://snapshot.debian.org/, download them manually (wget http://...) and install them (dpkg -i ___.deb).