
Comparison of rootkit detection tools

Posted at 2016-11-06

Rootkit detection tools

The main tools for detecting rootkits are Rootkit Hunter (rkhunter), chkrootkit and OSSEC.

OSSEC is a host-based intrusion detection system (HIDS), but it includes a rootkit detection component called Rootcheck.
Samhain also used to implement kernel rootkit detection, but the option was removed in version 4.0 because modern kernel developments had made it obsolete.[1]

Comparison table

Based on the tools' documentation and command output, I compiled a table of the rootkits each tool is able to detect.
Going purely by the number of named entries, Rootkit Hunter covers the most at 72, followed by chkrootkit at 67 and OSSEC Rootcheck at 60.
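As an added example (not from the article or from any of the three tools), the script below shows how a coverage matrix of this kind can be assembled: each tool's list of rootkit names is normalized to a common key so that spellings such as "T0rn Rootkit" / "t0rn" or "SucKIT" / "Suckit Rootkit" land in one row, and the per-tool count is simply the number of rows that tool marks. The name lists inside the script are a constructed subset for illustration, not the tools' real databases; the commands and files named in its comments (rkhunter --list rootkits, chkrootkit -l, and OSSEC's rootkit_files.txt and rootkit_trojans.txt) are where the real lists come from.

```python
"""Assemble a rootkit-coverage matrix from per-tool signature name lists.

Example code added for this article (not from rkhunter, chkrootkit or OSSEC).
In practice the lists would come from `rkhunter --list rootkits`, the
chkrootkit README / `chkrootkit -l`, and OSSEC's rootkit_files.txt /
rootkit_trojans.txt (under /var/ossec/etc/shared).
"""
import re
from typing import Dict, Iterable, List, Tuple

# Constructed sample input: a hand-picked subset, NOT the tools' real databases.
SOURCES: Dict[str, List[str]] = {
    "rkhunter": [
        "55808 Trojan - Variant A", "ADM Worm", "Adore Rootkit", "AjaKit Rootkit",
        "Ambient (ark) Rootkit", "Balaur Rootkit", "BeastKit Rootkit",
        "T0rn Rootkit", "t0rn v8.0", "Suckit Rootkit", "ZK Rootkit",
    ],
    "chkrootkit": [
        "55808 Trojan - Variant A", "Adore", "Ambient (ark)", "BeastKit",
        "t0rn", "t0rn v8.0", "SucKIT", "ZK",
    ],
    "OSSEC": [
        "55808 Trojan - Variant A", "Adore Rootkit", "AjaKit rootkit",
        "BeastKit Rootkit", "T0rn Rootkit", "Suckit Rootkit", "ZK rootkit",
    ],
}


def normalize(name: str) -> str:
    """Canonical join key: lower-case, punctuation collapsed to single spaces,
    a trailing 'rootkit' dropped.  "T0rn Rootkit" and "t0rn" -> "t0rn";
    "t0rn v8.0" stays a separate key, as it does in the table."""
    key = re.sub(r"[^a-z0-9]+", " ", name.lower()).strip()
    return re.sub(r"\s+rootkit$", "", key)


def build_matrix(
    sources: Dict[str, Iterable[str]]
) -> Tuple[List[str], Dict[str, Dict[str, bool]]]:
    """Return (tool order, {display name: {tool: detected}}) over the union of
    all names.  The first spelling seen for a key becomes its display name."""
    tools = list(sources)
    display: Dict[str, str] = {}
    hits: Dict[str, Dict[str, bool]] = {}
    for tool in tools:
        for name in sources[tool]:
            key = normalize(name)
            display.setdefault(key, name)
            hits.setdefault(key, {t: False for t in tools})[tool] = True
    rows = {display[k]: hits[k] for k in sorted(hits)}
    return tools, rows


def coverage(tools: List[str], rows: Dict[str, Dict[str, bool]]) -> Dict[str, int]:
    """Per-tool count of rows marked detected (the '72 / 67 / 60' style figure)."""
    return {t: sum(1 for r in rows.values() if r[t]) for t in tools}


def render(tools: List[str], rows: Dict[str, Dict[str, bool]]) -> str:
    """Tab-separated table: ○ = listed by the tool, × = not listed."""
    out = ["Rootkit\t" + "\t".join(tools)]
    for name, r in rows.items():
        out.append(name + "\t" + "\t".join("○" if r[t] else "×" for t in tools))
    return "\n".join(out)


if __name__ == "__main__":
    tools, rows = build_matrix(SOURCES)
    print(render(tools, rows))
    print("coverage:", coverage(tools, rows))
```

Normalization is where the care goes: a naive string match would count "Adore" and "Adore Rootkit" as two kits and inflate the totals, while stripping too aggressively (for instance dropping the word "worm") would merge "Adore Rootkit" with "Adore Worm", which the table below keeps apart.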

Rootkit rkhunter chkrootkit OSSEC Notes
55808 Trojan - Variant A
ADM Worm × × [2]
Adore Rootkit
Adore Worm ×
AjaKit Rootkit
Ambient (ark) Rootkit
Anonoying rootkit ×
aPa Kit ×
Apache Worm × ×
Aquatica rootkit × ×
Backdoors.linux.Mokes.a × ×
Balaur Rootkit × × Red Hat 6.1 [3]
Bash door × ×
BeastKit Rootkit × Red Hat 7.2 [4]
BMBL rootkit × ×
beX2 Rootkit × ×
BOBKit Rootkit
cb Rootkit × ×
cback worm × ×
CiNIK Worm (Slapper.B variant) × ×
Danny-Boy's Abuse Kit × ×
Devil RootKit × ×
Dica-Kit Rootkit × ×
Dreams Rootkit × ×
dsc-rootkit × ×
Duarawkz Rootkit ×
Ducoci rootkit × ×
Enye LKM
ESRK rootkit ×
FreeBSD rootkit × ×
Flea Linux Rootkit × ×
Fu Rootkit
Fuck`it Rootkit × ×
GasKit Rootkit × ×
George × ×
Gold2 rootkit × ×
Heroin LKM × ×
Hidrootkit ×
HjC Kit × ×
ignoKit Rootkit × ×
Illogic rootkit ×
IntoXonia-NG Rootkit × ×
Irix Rootkit × ×
Jynx Rootkit × ×
KBeast Rootkit × ×
Kenga3 rootkit ×
kenny-rk × ×
Kitko Rootkit × ×
Knark Rootkit
ld-linuxv.so Rootkit × ×
LDP Worm × ×
Linux Rootkit 64Bit × ×
Linux.Xor.DDoS Malware × ×
Li0n Worm
Lockit / LJK2 Rootkit
LPD Worm × ×
lrk3, lrk4, lrk5, lrk6 (and variants) ×
Lupper.Worm × ×
Madalin rootkit ×
Maniac-RK ×
MithRa's Rootkit ×
Monkit ×
Mood-NT Rootkit × ×
MRK Rootkit × ×
Mumblehard backdoor/botnet × ×
Ni0 Rootkit × ×
Ohhara Rootkit × ×
Old rootkits × ×
Omega Worm ×
OpenBSD rk v1 × ×
Operation Windigo × ×
Optic Kit (Tux) Worm
OSX.RSPlug.A × ×
ovas0n rootkit × ×
Override rootkit × ×
Oz Rootkit × ×
Phalanx Rootkit ×
Phalanx2 Rootkit × ×
Phalanx2 Rootkit (extended tests) × ×
Pizdakit × ×
Portacelo Rootkit × ×
R3dstorm Toolkit × ×
Ramen Worm ×
RH-Sharpe's Rootkit
RK17 ×
Romanian rootkit ×
rootedoor rootkit ×
rpv21 (Reverse Pimpage) × ×
RSHA's Rootkit
RST.b trojan × ×
Sadmind/IIS Worm × × Solaris [5]
Scalper Worm FreeBSD [6]
Sebek LKM × ×
ShitC Worm ×
Shkit rootkit ×
Showtee ×
Shutdown Rootkit × ×
SHV4 Rootkit ×
SHV5 Rootkit
Sin Rootkit × ×
SK rootkit. × ×
Slapper Worm [7]
Sneakin Rootkit × ×
Sniffer log × ×
Solaris rootkit ×
Spanish' Rootkit × ×
Suckit Rootkit
Superkit Rootkit × ×
Suspicious file × ×
T.R.K × ×
T0rn Rootkit
t0rn v8.0 × ×
TBD (Telnet BackDoor) × ×
TC2 Worm ×
TeLeKiT Rootkit ×
Tribe bot × ×
TRK rootkit × ×
trNkit Rootkit × ×
Trojanit Kit × ×
Tuxtendo Rootkit ×
URK Rootkit × ×
Vampire Rootkit × ×
VcKit Rootkit × ×
Volc Rootkit
Wormkit Worm × ×
x.c Worm × ×
Xzibit Rootkit × ×
zaRwT.KiT Rootkit
ZK Rootkit

[1] "This option has been removed as of samhain 4.0 because it has been obsoleted by modern kernel developments." (Samhain manual, 10. Detecting Kernel rootkits)
[2] https://www.trendmicro.com/vinfo/us/threat-encyclopedia/archive/malware/UNIX_ADM.WORM.A
[3] https://packetstormsecurity.com/files/29748/last1.tgz.html
[4] http://ossec-docs.readthedocs.io/en/latest/rootcheck/rootcheck-beastkit.html
[5] http://www.iss.net/security_center/reference/jp/vuln/sol-sadmind-amslverify-bo.htm
[6] https://www.symantec.com/ja/jp/security_response/writeup.jsp?docid=2002-062814-5031-99
[7] http://www.mcafee.com/japan/security/virS.asp?v=Linux/Slapper.worm.a
