
Unix/Linux rootkits 101


The term rootkit originated with a reference to the root user account on Unix systems. Rootkits are not limited to Unix, however, or even to administrative user accounts like the Unix root account. No matter what operating system you use, you should be familiar with good practices for detecting and dealing with the threat of rootkits.

What is a rootkit?

As Mike Mullins explained in Windows rootkits 101, rootkits are not exploits. They are not the means of cracking security and accessing your system in the first place. Instead, rootkits are inserted into your system after it has already been compromised for the first time. Rootkits then cover the malicious security cracker’s tracks when he or she revisits the system later, or the tracks of other malicious software left behind. A rootkit may also include a “back door” allowing the security cracker to gain access at any time in the future.

On Unix systems such as Solaris or FreeBSD, and on Unix-like systems such as Linux, a number of different means may be employed to cover the security cracker’s tracks. Common tactics include replacing system utility binaries such as ls and diff with versions that hide the changes made to the system and its files from the user. The key point to keep in mind when dealing with the threat of rootkits is that once a rootkit has been installed on your system, you can no longer trust any of the tools installed on that system to give you accurate information.

This can make accurate detection of rootkits and other changes to a system by malicious security crackers a challenge.
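Because a rootkit may replace utilities such as ls and diff, the defensive check that follows from this section is to compare the binaries against a known-good baseline of hashes. The example below is added here and is not code from the original article; the fake /bin directory, the stand-in ls and diff files and the trojaned replacement are all constructed for the demonstration. For the check to mean anything on a real host, the baseline must be taken right after install and kept off the host, and the verification must run from a trusted environment (such as boot media), since the article's own point is that nothing on a compromised system can be trusted.

```python
import hashlib
import os
import tempfile

def sha256_file(path, chunk=65536):
    """Hash a file in chunks so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def build_baseline(paths):
    """Record a known-good digest for every binary being watched.
    Assumption: taken on a clean system and stored off-host, so a later
    intruder cannot edit the baseline to match the replaced binaries."""
    return {p: sha256_file(p) for p in paths}

def verify(baseline):
    """Compare each watched file against its recorded digest."""
    report = {}
    for path, expected in baseline.items():
        if not os.path.exists(path):
            report[path] = "MISSING"
        elif sha256_file(path) != expected:
            report[path] = "MODIFIED"
        else:
            report[path] = "ok"
    return report

def demo():
    """Constructed scenario: a fake /bin holding ls and diff; ls gets replaced."""
    with tempfile.TemporaryDirectory() as fake_bin:
        ls = os.path.join(fake_bin, "ls")
        diff = os.path.join(fake_bin, "diff")
        for p in (ls, diff):
            with open(p, "wb") as f:
                f.write(b"#!/bin/sh\n# original utility (constructed stand-in)\n")
        baseline = build_baseline([ls, diff])
        # Simulate the replacement of ls with a version that hides files.
        with open(ls, "wb") as f:
            f.write(b"#!/bin/sh\n# replaced utility (constructed stand-in)\n")
        report = verify(baseline)
        return {os.path.basename(k): v for k, v in report.items()}

if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name}: {status}")
```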

Rootkit detection


Like a lot of people, I use the free anti-virus program Clamav on my mail server. Last week, I was seriously impressed with its performance.

It started last Wednesday, 25 July. At about noon, I received a mail by amavisd-new that it had blocked an e-mail containing a virus, Trojan.Downloader-11827. What was strange is that I received this message on an e-mail account which is protected by my ISP's proprietary anti-virus solution. So it had not caught this virus, while Clamav did. Then I submitted the file to, and apparently only a few (about five) anti-virus programs detected the virus. Amongst others, Kaspersky, F-Secure, NOD32, Bitdefender, Symantec and of course Clamav. In the clamav-virusdb mailing list archives, I found that Clamav had detection for this virus since 7h21 CEST, so it was really amongst the first to detect this virus.

Clamav is great
