Linux Stealth Rootkit Hunting Video Presentation
2025-11-3 01:25:35 Author: sandflysecurity.com

Sandfly Blog

This is a video of the presentation on Linux Stealth Rootkit Hunting from the FIRST conference in Oslo. See below for a link to the presentation and additional resources.

The PDF of the full presentation is below:

Linux Stealth Rootkit Hunting Presentation

This presentation covers techniques for rapidly investigating a host to see if it is running particular types of Loadable Kernel Module (LKM) rootkits that try to evade detection. It covers the recently disclosed China/Korean rootkit published by Phrack magazine, which we analyze in the post linked below, but the techniques apply to other rootkit styles as well:

Leaked China/North Korean Stealth Rootkit Analysis

This presentation covers general advice on hunting for threats hiding on Linux by focusing on three critical areas:

1) Data leaks

2) Inconsistent answers

3) System impacts

Applying these principles with simple command line tools on Linux can reveal a wide variety of rootkits and evasive malware.
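As an added example (not code from the post and not Sandfly's own tooling), the script below turns the three principles into checks that need nothing beyond /proc, /sys and coreutils. "Inconsistent answers" becomes two diffs: PIDs that a direct /proc/<pid> lookup resolves but a readdir() of /proc omits, and modules that have a /sys/module directory but are missing from /proc/modules. "System impacts" becomes a decoder for the kernel taint bitmask, using the flag letters from the tainted-kernels document linked at the bottom of this page. The function names and the `run` argument are this example's own conventions.

```shell
#!/bin/sh
# Added example, not code from the Sandfly post or from Sandfly's tooling.
# Three cross-checks built on the principles above, using only /proc, /sys
# and coreutils. Function names and the "run" argument are conventions of
# this example only.

# Decode a kernel taint bitmask (the integer in /proc/sys/kernel/tainted)
# into the single-letter flags documented at
# https://docs.kernel.org/admin-guide/tainted-kernels.html
# Bit 12 (O, out-of-tree module) and bit 13 (E, unsigned module) are the two
# a loaded LKM usually leaves behind even after it unlinks itself from the
# module list.
decode_taint() {
    value=$1
    letters="P F S R M B U D A W C I O E L K X T N"
    bit=0
    out=""
    for letter in $letters; do
        if [ $(( (value >> bit) & 1 )) -eq 1 ]; then
            out="${out:+$out }$letter"
        fi
        bit=$((bit + 1))
    done
    printf '%s' "$out"
}

# Print each item of list $2 that is absent from list $1 (whitespace
# separated). This is the core of every "inconsistent answers" check: two
# kernel interfaces are asked the same question and the answers are diffed.
diff_lists() {
    for item in $2; do
        found=0
        for ref in $1; do
            if [ "$item" = "$ref" ]; then found=1; break; fi
        done
        if [ "$found" -eq 0 ]; then printf '%s\n' "$item"; fi
    done
    return 0
}

# PIDs the kernel answers for on a direct /proc/<pid> lookup but that a
# readdir() of /proc does not list. Process-hiding rootkits commonly filter
# the directory listing and leave the path lookup alone. Thread IDs also
# resolve under /proc without being listed, so only thread-group leaders
# (Tgid == Pid) count; without that filter every thread is a false positive.
# Optional $1 caps the sweep; default is the kernel's pid_max.
hidden_pids() {
    max=${1:-$(cat /proc/sys/kernel/pid_max)}
    listed=$(ls /proc | grep -E '^[0-9]+$')
    probed=""
    pid=1
    while [ "$pid" -le "$max" ]; do
        if [ -r "/proc/$pid/status" ] &&
           grep -q "^Tgid:[[:space:]]*$pid\$" "/proc/$pid/status"; then
            probed="$probed $pid"
        fi
        pid=$((pid + 1))
    done
    diff_lists "$listed" "$probed"
}

# Modules present under /sys/module but absent from /proc/modules (the file
# lsmod reads). Built-in code also gets a /sys/module directory, but only
# modules that were actually loaded carry an "initstate" file, so that file
# is the filter. A module unlinked from the kernel's module list often still
# has its sysfs directory.
hidden_modules() {
    listed=$(awk '{print $1}' /proc/modules)
    in_sysfs=""
    for f in /sys/module/*/initstate; do
        [ -e "$f" ] || continue
        m=${f#/sys/module/}
        in_sysfs="$in_sysfs ${m%/initstate}"
    done
    diff_lists "$listed" "$in_sysfs"
}

# Live report, only when invoked as:  sh rootkit_checks.sh run
case "${1:-}" in
run)
    flags=$(decode_taint "$(cat /proc/sys/kernel/tainted)")
    printf 'kernel taint flags: %s\n' "${flags:-none}"
    printf 'pids hidden from readdir(/proc):\n'; hidden_pids
    printf 'modules in /sys/module but not in /proc/modules:\n'; hidden_modules
    ;;
esac
```

Run it as root with `sh rootkit_checks.sh run`. The PID sweep stats every candidate up to pid_max, which on a 64-bit kernel can be several million paths, so expect it to take a while; a process that starts or exits between the listing and the probe shows up once and disappears on a second run, whereas a genuinely hidden PID is reported every time. An `O` or `E` taint flag on a host that should have no out-of-tree or unsigned modules is itself a lead, independent of what lsmod says. None of these checks is conclusive on its own: a rootkit that hooks every interface consistently passes both diffs, which is exactly why the presentation stacks data leaks, inconsistent answers and system impacts rather than relying on any one of them.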

While these methods work great for one-off investigations, we recommend you use Sandfly to do this at scale and also to get access to much deeper malware decloaking tools. Please contact us to find out more or get a license today.

Links

https://phrack.org/issues/72/7_md#article

https://sandflysecurity.com/blog/leaked-north-korean-linux-stealth-rootkit-analysis

https://github.com/sandflysecurity

https://docs.kernel.org/admin-guide/tainted-kernels.html



Source: https://sandflysecurity.com/blog/linux-stealth-rootkit-hunting-video-presentation