BusyBox Rootkit Detection & Removal

TL;DR

A BusyBox rootkit replaces standard Linux utilities (such as ls, ps and netstat) with compromised versions, so that everything those tools report can be filtered or falsified by the attacker. This guide shows you how to detect and remove it.

Detecting a BusyBox Rootkit

  1. Check File Hashes: A rootkit alters the hashes of the core utilities it replaces. You need known-good hashes for comparison.
    • Download official package lists/hashes from your distribution’s website (e.g., Debian, Ubuntu, Fedora).
    • Use md5sum or sha256sum (prefer sha256sum where the distribution publishes SHA-256 sums) to calculate the hashes of files on your system:
      md5sum /bin/ls
    • Compare these with the official hashes. Any mismatch is a strong indicator of compromise.
    • Run the comparison from clean live media, or with a statically linked sha256sum copied from a trusted host: a rootkit that replaces ls can just as easily replace md5sum or sha256sum so that they report the expected values.
  2. Examine File Sizes: A replaced utility usually differs in size from the genuine one, so a size comparison is a quick first pass that needs no hash database.
    • Use ls -l to view file sizes:
      ls -l /bin/ls /sbin/init
    • Compare these sizes with those from a clean system or official package information.
  3. Look for Hidden Files: Rootkits may hide files to conceal their presence.
    • Use ls -la to list all files, including hidden ones (starting with a dot):
      ls -la /bin /sbin /etc
    • Pay attention to unusual or unexpected files. A replaced ls may filter its own output, so cross-check with a different listing method (for example find /bin /sbin /etc -maxdepth 1), ideally from live media.
  4. Check Running Processes: Rootkits often run malicious processes.
    • Use ps aux or top to list running processes:
      ps aux | less
    • Look for unfamiliar process names, high CPU/memory usage by unknown processes, and processes with unusual parent IDs. A replaced ps can omit entries, so compare the PIDs it shows against the numeric directories in /proc.
  5. Network Activity: Rootkits often establish network connections.
    • Use ss -tulnp (or netstat -tulnp on older systems; netstat is deprecated on most current distributions) to list listening TCP/UDP ports with their owning processes; drop the -l flag (ss -tunp) to include established connections:
      netstat -tulnp | less
    • Identify any unexpected listeners or connections.
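As an added example (not part of the original article), the following POSIX shell script automates steps 1 and 2: it records a baseline of SHA-256 hashes and sizes for a chosen set of utilities and later re-checks them, reporting any file that changed or disappeared. The demo works on a constructed bin directory with a fake ls and ps rather than the real /bin; on a real system the baseline should be taken on the clean host or built from the distribution's package data.

```sh
#!/bin/sh
# Added example (not from the original article): record SHA-256 hashes and
# sizes of core utilities, then re-check them against that baseline. Run the
# check from clean live media or with a statically linked sha256sum copied
# from a trusted host, because a rootkit may also replace sha256sum itself.

# baseline_utils DIR OUTFILE NAME... : write "<sha256> <size> <path>" per file
baseline_utils() {
    dir=$1; out=$2; shift 2
    : > "$out"
    for name in "$@"; do
        path="$dir/$name"
        sum=$(sha256sum "$path" | cut -d' ' -f1)
        size=$(wc -c < "$path" | tr -d ' ')
        printf '%s %s %s\n' "$sum" "$size" "$path" >> "$out"
    done
}

# check_utils BASELINE : print each changed or missing file; exit status is
# the number of mismatches (0 means every file still matches the baseline).
check_utils() {
    bad=0
    while read -r sum size path; do
        if [ ! -f "$path" ]; then
            printf 'MISSING  %s\n' "$path"; bad=$((bad + 1)); continue
        fi
        cur=$(sha256sum "$path" | cut -d' ' -f1)
        cursize=$(wc -c < "$path" | tr -d ' ')
        if [ "$cur" != "$sum" ] || [ "$cursize" != "$size" ]; then
            printf 'CHANGED  %s (size %s -> %s)\n' "$path" "$size" "$cursize"
            bad=$((bad + 1))
        fi
    done < "$1"
    return "$bad"
}

# Constructed demo: a fake bin directory whose "ps" is swapped out after the
# baseline is taken, the way a BusyBox rootkit replaces genuine utilities.
demo() {
    d=$(mktemp -d); mkdir "$d/bin"
    printf 'genuine ls\n' > "$d/bin/ls"
    printf 'genuine ps\n' > "$d/bin/ps"
    baseline_utils "$d/bin" "$d/baseline.txt" ls ps
    if [ "$1" = yes ]; then printf 'replaced ps\n' > "$d/bin/ps"; fi
    rc=0; check_utils "$d/baseline.txt" || rc=$?
    rm -rf "$d"
    return "$rc"
}
demo yes || echo "mismatches found: $?"
```

To use it on a host, call baseline_utils with the real directory and utility names (e.g. /bin ls ps ss) while the system is known clean, keep the baseline file off the host, and run check_utils against it from live media.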

Removing a BusyBox Rootkit

Warning: Removing a rootkit is risky and can render your system unusable if done incorrectly. Back up your data before proceeding.

  1. Boot from Live Media: The safest way to remove a rootkit is to boot from a clean live CD/USB (e.g., Ubuntu Live, Fedora Live).
    • Download the ISO image for your distribution.
    • Create a bootable USB drive using a tool like Rufus or Etcher.
    • Boot your computer from the USB drive.
  2. Mount Your Root Partition: Once booted into the live environment, mount your root partition.
    • Identify your root partition using lsblk or fdisk -l.
    • Create a mount point:
      sudo mkdir /mnt/root
    • Mount the partition (replace /dev/sda1 with your actual root partition):
      sudo mount /dev/sda1 /mnt/root
  3. Replace Compromised Files: Replace any compromised files with known-good versions from the live environment.
    • Use your distribution’s package manager to reinstall core utilities:
      sudo apt update && sudo apt --reinstall install busybox

      (This example is for Debian/Ubuntu. Use yum or dnf for Fedora/CentOS. Run the command inside a chroot of the mounted partition, e.g. after sudo chroot /mnt/root; run directly in the live environment it reinstalls into the live system, not the compromised one. Reinstall whichever packages own the replaced utilities as well; on Debian/Ubuntu, dpkg -S /bin/ls shows the owning package.)

    • Alternatively, copy the files from a known-good system (if available).
  4. Check and Repair Bootloader: Rootkits can modify the bootloader.
    • Use grub-rescue or similar tools to check for bootloader corruption.
    • Reinstall GRUB:
      sudo grub-install /dev/sda

      (Replace /dev/sda with your boot drive.)

  5. Unmount and Reboot: Unmount the root partition and reboot your system.
    • sudo umount /mnt/root
    • Reboot.
  6. Post-Removal Checks: After rebooting, repeat the detection steps to ensure the rootkit is completely removed.

If you are unsure about any step, seek help from a cybersecurity professional.
