Abstract

This article addresses the significant threat posed by rootkits as part of the diverse malware landscape of today. Rootkits enable an attacker to regain access to an already comprised system at root-level making their prompt identification and removal crucial. However, rootkits implement advanced stealth features, enabling them to evade detection by conventional measures during analysis. Consequently, analysts generally rely on customized tools to detect the presence of a rootkit. However, our research highlights significant deficits in the tools available for the detection of rootkits on the Linux operating system, which is frequently encountered in investigations of server environments. Recognizing the need for improved awareness and capabilities among investigators, we conducted an in-depth analysis of 21 distinct Linux rootkits allowing us to dive into their techniques and features. Furthermore, we critically assessed the effectiveness of standard detection tools, revealing their limitations. Based on these insights, we propose best practices for investigators to effectively identify and detect signs of rootkit infections. Additionally, we provide a repository of indicators of compromise we extracted during our analyses to facilitate the detection of the analyzed rootkits on compromised systems along with a utility to detect rootkits via hidden files on a live system.

Talk to us

Join us for a 30 min session where you can share your feedback and ask us any queries you have

Schedule a call

Disclaimer: All third-party content on this website/platform is and will remain the property of their respective owners and is provided on "as is" basis without any warranties, express or implied. Use of third-party content does not indicate any affiliation, sponsorship with or endorsement by them. Any references to third-party content is to identify the corresponding services and shall be considered fair use under The CopyrightLaw.