The Hidden Threat: Analysis of Linux Rootkit Techniques and Limitations of Current Detection Tools

This article addresses the significant threat posed by rootkits as part of the diverse malware landscape of today. Rootkits enable an attacker to regain access to an already comprised system at root-level making their prompt identification and removal crucial. However, rootkits implement advanced stealth features, enabling them to evade detection by conventional measures during analysis. Consequently, analysts generally rely on customized tools to detect the presence of a rootkit. However, our research highlights significant deficits in the tools available for the detection of rootkits on the Linux operating system, which is frequently encountered in investigations of server environments. Recognizing the need for improved awareness and capabilities among investigators, we conducted an in-depth analysis of 21 distinct Linux rootkits allowing us to dive into their techniques and features. Furthermore, we critically assessed the effectiveness of standard detection tools, revealing their limitations. Based on these insights, we propose best practices for investigators to effectively identify and detect signs of rootkit infections. Additionally, we provide a repository of indicators of compromise we extracted during our analyses to facilitate the detection of the analyzed rootkits on compromised systems along with a utility to detect rootkits via hidden files on a live system.