Detecting Kernel Rootkits on Linux

TL;DR

Yes, kernel rootkits *can* exist that modify the kernel directly (without using modules). They’re rare but very dangerous. Detecting them is hard because they operate at a low level. This guide explains how to look for them.

Detecting Kernel Rootkits

  1. Understand the Threat
    • Traditional rootkits often hide in user space or as kernel modules. Module-based rootkits are easier to detect.
    • Direct kernel modification rootkits change the core operating system code itself, making detection much harder. They can alter system calls, data structures, and more.
    • These rootkits typically require recompiling the kernel or patching it while running (livepatching).
  2. Check Kernel Integrity

    This is your first line of defence. We’ll compare the current kernel with a known good version.

    • Option 1: Using Package Manager History
      zgrep -h 'linux-image-' /var/log/apt/history.log*

      This shows you when your kernel package was installed or upgraded (rotated logs are gzipped, hence zgrep). If there are unexpected updates, investigate further.

    • Option 2: Comparing Kernel Hashes
      • Download the official kernel source or a pre-built package for your distribution from a trusted source.
      • Calculate its SHA256 hash:
        sha256sum /path/to/kernel_image
      • Compare this hash to the hash of your running kernel:
        sha256sum /boot/vmlinuz-$(uname -r)
      • If the hashes don’t match, your kernel has been altered.
  3. System Call Table Inspection

    Rootkits often hook system calls to intercept and modify behaviour.

    • Find the System Call Table Address
      grep sys_call_table /proc/kallsyms

      This will show you where the table is located in memory. The address changes on reboot when KASLR is enabled, and an unprivileged user may see it printed as all zeros (kptr_restrict), so run this as root.

    • Examine System Call Entries

      Use a debugger (like GDB) or tools like ksymdump to inspect the system call entries. Look for unexpected addresses or code modifications.
      This is advanced and requires kernel debugging knowledge.

  4. Rootkit Scanners

    While not foolproof, scanners can help identify known rootkit signatures.

  5. Integrity Measurement Architecture (IMA)

    IMA helps verify the integrity of files, including the kernel.

    • Enable IMA in your kernel configuration. This requires rebuilding the kernel.
    • IMA uses cryptographic hashes to ensure that files haven’t been tampered with.
  6. Live System Analysis (Forensic Approach)

    If you suspect a rootkit, boot from a clean live environment and analyse the compromised system.

    • Mount the compromised file systems read-only.
    • Use tools like dd to create disk images for detailed analysis.
    • Compare kernel files with known good versions.
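As an added example (not from the original post), the hash comparison of step 2 done the way the package manager does it: dpkg records an MD5 for every file it installed in /var/lib/dpkg/info/<package>.md5sums (Debian/Ubuntu layout assumed), so the kernel image, initrd and config are checked against that manifest rather than against a source tree, which would never hash identically to the compressed image. The root argument lets the same check run against a compromised disk mounted read-only from the live environment of step 6; note that the manifest lives on that disk too and a root-level attacker could have rewritten it, so a clean result is a starting point, not proof.

```bash
#!/bin/bash
# Verify the files of an installed kernel package against the checksums dpkg
# recorded at install time (Debian/Ubuntu layout assumed).
#   $1  filesystem root: "/" on the live box, or the mount point of a
#       read-only mounted disk when booted from rescue media
#   $2  dpkg manifest, e.g. /var/lib/dpkg/info/linux-image-$(uname -r).md5sums
# Prints one line per file; returns 0 only if every listed file is present
# and matches.
verify_kernel_package() {
    local root="$1" manifest="$2" rc=0
    local sum path f actual
    # manifest lines look like: <md5>  boot/vmlinuz-<version>  (no leading slash)
    while read -r sum path; do
        [ -z "$sum" ] && continue
        f="$root/$path"
        if [ ! -f "$f" ]; then
            echo "MISSING  $path"; rc=1; continue
        fi
        actual=$(md5sum "$f" | cut -d' ' -f1)
        if [ "$actual" != "$sum" ]; then
            echo "MODIFIED $path (expected $sum, got $actual)"; rc=1
        else
            echo "OK       $path"
        fi
    done < "$manifest"
    return "$rc"
}

# Usage: verify_kernel_package / /var/lib/dpkg/info/linux-image-$(uname -r).md5sums
if [ "$#" -eq 2 ]; then verify_kernel_package "$1" "$2"; fi
```

On a live system `dpkg -V linux-image-$(uname -r)` performs the same manifest check in one command; the function above is useful mainly because it takes an arbitrary root.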