Chkrootkit: Eating APTs at Breakfast Since 1997


Tools (716A) November 14, 2017 2:40 pm - 3:40 pm

Nelson Murilo

Chkrootkit will be 20 years old in 2017! The first Chkrootkit release was in 1997 and was written by my friend Klaus (CERT.br team) and me. Chkrootkit is a suite of POSIX shell scripts and tools written in ANSI C, intended to run smoothly in virtually all Unix environments without dependencies. It is able to detect several rootkits and other malicious activity (some APTs included), and it can perform post-mortem forensic analysis to detect kernel module activity. The tool currently detects around 70 known rootkits, worms and many other kinds of malicious activity.

In this presentation, I will discuss the features and methods Chkrootkit uses to detect rootkits and malware in general, their limitations, and ways to improve the tool. Chkrootkit is an open-source tool, so suggestions are welcome.

There is no other tool like Chkrootkit. Similar tools run on Linux machines, whereas Chkrootkit can run in almost all Unix environments.