The Quick and Dirty Personal Scan
A common technique used by some malware authors is to replace a normal system binary with one that takes additional or alternative actions. Many of them try to protect themselves by making their corrupted versions immutable in an attempt to make the infection harder to remove. Fortunately, this leaves traces behind that can be picked up by normal system tools.
Use the lsattr command to display the attributes of your system’s binary files in locations such as /bin, /sbin, and /usr/bin, as shown here.
Normal, non-suspicious output should look something like this.
You may need root privileges to scan some places like /sbin. If the output contains other attributes like s, i, or a, that could possibly be a sign that something is wrong, and you may wish to try a deeper scan as shown below.
Scanner #1 – Chkrootkit
Chkrootkit is a tool to scan your systems vital files to determine if any of them show signs of known malware. It’s a group of scripts that use existing system tools and commands to validate your system files and /proc information. Because of this, it’s recommended than it be run from a live CD, where there can be higher confidence that the base tools have not already been compromised. You can run it from the command line with just
but since chkrootkit does not create a log file by default, I’d recommend redirecting the output to a log file, like with and when it finishes, just open up the log file in your text editor of choice.
Scanner #2 – Rootkit Hunter (rkhunter)
Rootkit Hunter acts a lot like chkrootkit, but bases much of its functionality on hash checks. The software includes known good SHA-1 hashes of common system files, and if it finds that yours differ, it will issue an error or warning as appropriate. Rootkit Hunter could also be called more thorough than chkrootkit, as it includes additional checks regarding network status, kernel modules and other pieces that chkrootkit does not scan.
To start a normal local scan, just run
When it’s completed, you’ll be shown a summary with the results of your scan.
Rootkit Hunter does create a log file by default, and saves it to /var/log/rkhunter.log.
Conclusion
Be warned – both of these applications, as well as the “manual” method, may produce false positives. If you get a positive result, investigate it thoroughly before taking any action. Hopefully, one of these methods can help you identify a threat before it becomes a problem. If you’ve got any other suggestions for ways to detect nasty files or appliations, please let us know in the comments below. Image credit: rykerstribe