Tool and Usage
chkrootkit is a malware scanner to locally check for signs of a rootkit. It is written in shell script and runs on the host system itself.
The chkrootkit tool consists of multiple parts that may detect the presence of rootkit parts of rootkit behavior on a system.
Some areas that are checked include:
- interface in promiscuous mode
- lastlog deletions
- wtmp deletions
- wtmpx deletions
- signs of LKM trojans
- utmp deletions
Why this tool?
Chkrootkit is typically used to perform daily security scans to detect traces of malware.
How it works
Tools like chkrootkit compare actual behavior with the expected behavior of a system. For example, the tool may look at the list of processes with a common utility like the ps command. During that same moment, it queries the kernel and requests the same information. If there are any differences, this is suspected and marked as such.
Usage and audience
chkrootkit is commonly used for malware detection or malware scanning. Target users for this tool are system administrators.
- chkrootkit is written in C, shell script
- Command line interface
Tool review and remarks
The review and analysis of this project resulted in the following remarks for this security tool:
- + Used language is shell script
- + Project is mature (10+ years)
- - Long time between releases
History and highlights
- Demoed at Black Hat USA 2017
Supported operating systems
Chkrootkit is known to work on FreeBSD, Linux, macOS, NetBSD, OpenBSD, and Solaris.
Several alternative tools are available that might be a good replacement for chkrootkit.
Security tool to search for traces of rootkits, backdoors, and other malicious components on systems running Linux and other flavors of Unix
OSSEC is an open source host-based intrusion detection system (HIDS). It performs log analysis, integrity checking, rootkit detection, and more.
|Latest release||0.52 [2017-03-15]|
|Last updated||April 18, 2018|