April 7, 2004

Is there a rootkit hunter in your arsenal?

Author: Joe Barr

It's been about three years since I woke up one morning and discovered my Web/mail server was rooted. Thinking back, I must have assumed that just running Linux was enough to keep me out of harm's way. These days I am not so cocky. I try to keep current with security patches for the apps I run. I don't run services I don't need or use. And there is a firewall between me and the wild. One thing I haven't made a part of my regular routine -- not yet, at least -- is checking for rootkits on a regular basis. That may be about to change, since I found a nifty little project called rootkit hunter.

Michael Boelen was motivated to create the rootkit hunter one day after he and a friend accidentally scanned a machine with a brand new installation of FreeBSD 5.0. The machine had no Internet connection, and yet the tool they used, chkrootkit, reported "backdoored" binaries. Since chkrootkit is open source, they looked at the code and found that a reserved keyword for a new option in FreeBSD was causing the false positive. As a result, he decided to write his own script from scratch. Not because he disliked chkrootkit -- he says he still uses it -- but simply to create a tool for a "second opinion" when chkrootkit indicated a problem.

Boelen's "second opinion" script is now more than 3,000 lines long. It will run on virtually any flavor or Unix. It calls other shell or Perl scripts to do things like check to see if a module is running, what ports are open, generate MD5 checksums, and scan critical directories for tell-tale "evil" strings which give away the presence of certain kits.

According to the website, rkhunter scans for "rootkits, backdoors, and local exploits" by running:

- MD5 hash compare
- Look for default files used by rootkits
- Wrong file permissions for binaries
- Look for suspected strings in LKM and KLD modules
- Look for hidden files
- Optional scan within plaintext and binary files

Installation is as easy as downloading and decompressing the tarball (using the p argument to ensure permissions are set correctly), then -- as root -- executing the install.sh script found in the rkhunter directory. Root permissions are required to run the script.

Once installed, entering the command rkhunter without any arguments simply prints the help page. The first time I ran it for real (with the -c (for "check all") and --createlogfile arguments) rkhunter ran for 31 seconds. After familiarizing itself with the landscape of my machine and running some selftests, it ran more than 300 tests to scan for nearly 50 different rootkits. The log reports it searched unsuccessfully for: 55808 Trojan - Variant A, aPa Kit, Apache Worm, Ambient (ark) Rootkit, BeastKit, BOBKit, CiNIK Worm (Slapper.B variant), Danny-Boy's Abuse Kit, Devil RootKit, Dica, Dreams Rootkit, Duarawkz, Flea Linux Rootkit, FreeBSD Rootkit, Fuck`it Rootkit, GasKit, Heroin LKM, HjC Kit, ImperalsS-FBRK, Kitko, Knark, Li0n Worm, Lockit / LJK2, MRK, RootKit for SunOS / NSDAP, Optic Kit (Tux), Oz Rootkit, Portacelo, R3dstorm Toolkit, Scalper Worm, Shutdown, SHV4, Sin Rootkit, Slapper, Sneakin Rootkit, Suckit Rootkit, SunOS Rootkit, Superkit, TBD (Telnet BackDoor), TeLeKiT, T0rn Rootkit, Trojanit Kit, VcKit, Volc Rootkit, X-Org SunOS Rootkit, and zaRwT.KiT Rootkit.

After finishing its check for rootkits, rkhunter continued checking my system for malware, promiscuous Ethernet adapters, hidden files, and configuration errors. For example, it found the Debian default for SSH ("RootLoginPermitted = Y") to be a security risk worth mentioning, and left a tip in the logfile recommended using normal user signon and the use of su when root permissions are needed.

Running rkhunter with just the two arguments I used leaves it in interactive mode, which requires you to hit Enter between sections of the run. I've got it set it up now as a cron job, so that's no longer necessary. You can also run it manually with the --skip-keypress argument to avoid its interactive nature. Not counting the first time I ran it when it had some extra housekeeping to do, it now takes only 7 seconds or so to run.

Future enhancements

Author Boelen explained his roadmap for the future of rkhunter. He said it includes:

-Integrating the optional stringscanner into the base checker
-adding more undetected rootkits
- improving the currently used whitelist of system binaries (MD5 hashes)
- adding a blacklist of "bad" binaries (backdoors, bad CGI scripts, misused IRC tools, and so forth)
- adding an application version check to check for "bad" versions with possibile vulnerabilities
- improving the installer and making the application somewhat more dynamic through the use of file paths
- setting up mirrors for the databases mentioned above and for the application and its Web site
- creating a server-client relation between the checker and a RootkitHunter management server

Boelen has been working on the project for only about 9 months. The final 1.0.0 release was downloaded amost 2,000 times in the first few days of availability, and that was prior to it being announced on mailing lists and on Freshmeat.

Boelen says he gets a pretty fair amount of feedback and suggestions for his efforts, but what he really needs are "new undetected rootkits, especially ones found on different honeypots." The more his users contribute to the project, the better it's going to get.

Note: This review based on version 1.0.3. A new version (1.0.5) was released April 5, 2004.


  • Security