Blog | G5 Cyber Security

BusyBox Rootkit Detection & Removal

G5 Cyber Security

TL;DR

A BusyBox rootkit replaces standard Linux utilities with compromised versions, giving attackers control of your system. This guide shows you how to detect and remove it.

Detecting a BusyBox Rootkit

  1. Check File Hashes: A rootkit will alter file hashes of core utilities. You need known-good hashes for comparison.
    • Download official package lists/hashes from your distribution’s website (e.g., Debian, Ubuntu, Fedora).
    • Use md5sum or sha256sum to calculate the hashes of files on your system: 
      md5sum /bin/ls
    • Compare these with the official hashes. Any mismatch is a strong indicator of compromise.
  2. Examine File Sizes: Rootkits often change file sizes, even if hashes don’t immediately reveal issues.
    • Use ls -l to view file sizes: 
      ls -l /bin/ls /sbin/init
    • Compare these sizes with those from a clean system or official package information.
  3. Look for Hidden Files: Rootkits may hide files to conceal their presence.
    • Use ls -la to list all files, including hidden ones (starting with a dot): 
      ls -la /bin /sbin /etc
    • Pay attention to unusual or unexpected files.
  4. Check Running Processes: Rootkits often run malicious processes.
    • Use ps aux or top to list running processes: 
      ps aux | less
    • Look for unfamiliar process names, high CPU/memory usage by unknown processes, and processes with unusual parent IDs.
  5. Network Activity: Rootkits often establish network connections.
    • Use netstat -tulnp or ss -tulnp to list listening ports and established connections: 
      netstat -tulnp | less
    • Identify any unexpected connections.

Removing a BusyBox Rootkit

Warning: Removing a rootkit is risky and can render your system unusable if done incorrectly. Back up your data before proceeding.

  1. Boot from Live Media: The safest way to remove a rootkit is to boot from a clean live CD/USB (e.g., Ubuntu Live, Fedora Live).
    • Download the ISO image for your distribution.
    • Create a bootable USB drive using a tool like Rufus or Etcher.
    • Boot your computer from the USB drive.
  2. Mount Your Root Partition: Once booted into the live environment, mount your root partition.
    • Identify your root partition using lsblk or fdisk -l.
    • Create a mount point: 
      sudo mkdir /mnt/root
    • Mount the partition (replace /dev/sda1 with your actual root partition): 
      sudo mount /dev/sda1 /mnt/root
  3. Replace Compromised Files: Replace any compromised files with known-good versions from the live environment.
    • Use your distribution’s package manager to reinstall core utilities: 
      sudo apt update && sudo apt --reinstall install busybox

      (This example is for Debian/Ubuntu. Use yum or dnf for Fedora/CentOS.)

    • Alternatively, copy the files from a known-good system (if available).
  4. Check and Repair Bootloader: Rootkits can modify the bootloader.
    • Use grub-rescue or similar tools to check for bootloader corruption.
    • Reinstall GRUB: 
      sudo grub-install /dev/sda

      (Replace /dev/sda with your boot drive.)

  5. Unmount and Reboot: Unmount the root partition and reboot your system. 
    • sudo umount /mnt/root
    • Reboot.
  6. Post-Removal Checks: After rebooting, repeat the detection steps to ensure the rootkit is completely removed.

If you are unsure about any step, seek help from a cybersecurity professional.

Exit mobile version