March 11, 2008

Good malware hunting for Linux

Author: Joe Barr

Linux has proved to be much more resistant to malware than Windows, especially when it comes to viral infections, but any remote exploit makes it just as susceptible to worms, trojans, and rootkits as any other platform. Given all the fuss in the news recently about compromised Linux/Apache servers being responsible for infecting Windows users with malware when they visit those compromised sites, we thought it would be a good time to take a look at three of the best rootkit/malware detection tools available for Linux desktop and SOHO users. Here's a brief comparison of three popular choices: Chkrootkit, Rootkit Hunter, and OSSEC.


Chkrootkit

Chkrootkit is a collection of scripts and programs which check system integrity in a variety of ways. The most recent version of Chkrootkit is 0.48, which was released in December of 2007. It's quick and easy to download, install, and run.

Decompress the downloaded file, enter the resulting directory, and type make sense. That creates an executable in the same directory, which you then execute as root. In Ubuntu, that's as easy as entering sudo ./chkrootkit in the installation directory.

When run without any options, Chkrootkit performs all the tests in its repertoire. If you're only interested in specific tests, you can specify them as options, and only they will be executed. To list all the available tests, enter ./chkrootkit -l. If you only want to test for slapper, for example, enter ./chkrootkit slapper.

Running Chkrootkit on my desktop system without any arguments took less than 15 seconds and produced about 115 lines of output. You can instruct Chkrootkit to limit its output of test results with the -q option. It's not any quicker, but only results indicating a problem or suspected problem are printed.

If less is not more for you, or if you want to check on Chkrootkit's parsing yourself, run it in expert mode by using the -x option. Be warned, however, that this produces nearly 30K lines of output on my system.

Rootkit Hunter

Rootkit Hunter -- AKA RKH or rkhunter -- version 1.3.0 was released last September, making it just a tad older than Chkrootkit. The tool was originally created by Michael Boelen; project management was assumed by others in 2006, when Boelen found it difficult to both make a living and support his creation. Version 1.3.0 was the first major release from the new crew.

We reviewed Rootkit Hunter in April of 2004, at the 1.0.3 level. The latest version contains additional and refined tests for all manner of malware. Installation is still as simple as decompressing the tarball, entering the rkhunter-1.3.0 directory, and running ./ --layout default --install as root.

If you don't want to actually install Rootkit Hunter, you can run it as a standalone tool by entering the files sub-directory in the rkhunter-1.3.0 directory, and then -- as root -- entering ./rkhunter --check. To run Rootkit Hunter after installing it, do the same thing without entering the ./ preceding the program name.

RKH is more sophisticated than Chkrootkit, and it does a lot more than rootkit tests. It runs for about 2.5 minutes on my system and produces roughly 300 lines of output. In the default mode, as shown above, it is interactive, waiting on you to press Enter as it goes from one series of tests to the next. You can avoid the delays by specifying -sk as an option.

Other essential options for regular use are --update, which keeps the local store of data files used in detecting malware threats current, provided that you have wget, lynx, curl, or another RKH-supported tool for retrieving data across the Internet, and --versioncheck, which calls home to see whether you have the latest release. For more options and detailed configuration instructions, peruse the README in the files subdirectory.


OSSEC

Both Chkrootkit and Rootkit Hunter focus on rootkit detection, even though both go beyond that. OSSEC is a complete Host Intrusion Detection System, meant to detect any and all attempts at intrusion. We reviewed OSSEC in 2006, when it was at the 0.9 release. But even though it's much larger and more complex than the other two tools, OSSEC installation is a breeze.

In my opinion, OSSEC is not really in the same category as Chkrootkit and Rootkit Hunter. It's much more suited to installation on a server than a desktop machine, though you can install it to run locally. The only reason I've included it in this comparison is that I've had problems finding other rootkit detectors for Linux which are actively maintained. That said, OSSEC is very good at rootkit detection. As you can see in my informal spreadsheet comparison, it detects more rootkits and worms than either of the other two tools.

Grab the latest version from the OSSEC download page, decompress it, enter the resulting directory and execute as the root user. Assuming that you have the gcc compiler installed, the install script will compile, configure, install and start OSSEC running.


These three security tools test for a total of 80 different rootkits, plus worms, trojans, and back doors. My informal comparison -- minor differences in spelling and versions make it decidedly not a scientific survey -- shows that Chkrootkit tests for 64 types of malware, Rootkit Hunter tests for 60, and OSSEC for 56. Exactly how many each checks for is less important than the fact that each runs tests for malware that the others don't.

My thinking is that OSSEC would be the best choice if you are checking multiple machines on your SOHO LAN, but one of the other two would be best for use on a single desktop or laptop. Which one to choose? That's a good question, but I am leaning towards the opinion given by Michael Boelen, the original Rootkit Hunter author, when he proclaimed that it wasn't being written as a replacement for Chkrootkit, but rather to provide a second opinion. So why not run both? It can't hurt, and the second one might find the rootkit the other missed, or didn't check for.
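The "run both" advice above as a single non-interactive pass, suitable for root's cron; this is an added example, not part of the original article or either project. The function names and the scan argument are hypothetical, both tools are assumed to be on root's PATH, and rkhunter's --sk (long spelling of the article's -sk) and --nocolors are used so its status text can be matched.

```shell
#!/bin/sh
# Added example: second opinion from chkrootkit and rkhunter in one pass.
# Assumes both tools are installed and this runs as root.

# chkrootkit -q prints only problem lines, so any non-blank line is a finding.
chk_findings() {
    grep -v '^[[:space:]]*$' || true
}

# rkhunter prints one line per test ending in a bracketed status;
# keep only the tests flagged "[ Warning ]".
rkh_findings() {
    grep -F '[ Warning ]' || true
}

# Merge findings, tagging each line with the tool that raised it.
# $1 = file with chkrootkit output, $2 = file with rkhunter output.
# Returns 0 when both are clean, 1 when either tool reported something.
second_opinion() {
    found=0
    chk=$(chk_findings < "$1")
    rkh=$(rkh_findings < "$2")
    if [ -n "$chk" ]; then
        printf '%s\n' "$chk" | sed 's/^/chkrootkit: /'
        found=1
    fi
    if [ -n "$rkh" ]; then
        printf '%s\n' "$rkh" | sed 's/^[[:space:]]*/rkhunter: /'
        found=1
    fi
    return "$found"
}

# Run the real scanners only when called with the (hypothetical) "scan" argument.
if [ "${1:-}" = "scan" ]; then
    tmp=$(mktemp -d) || exit 2
    trap 'rm -rf "$tmp"' EXIT
    chkrootkit -q                      > "$tmp/chk" 2>&1
    rkhunter --check --sk --nocolors   > "$tmp/rkh" 2>&1
    second_opinion "$tmp/chk" "$tmp/rkh"
    exit $?
fi
```

A non-zero exit status means at least one tool flagged something, so cron's mail or a monitoring check can alert on it; a finding from either tool still needs manual confirmation before it is treated as a compromise.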