Rootkit detection tools
The main rootkit detection tools are the following.
- Rootkit Hunter (rkhunter)
- chkrootkit
- OSSEC (Rootcheck)
OSSEC is a HIDS, but it includes a rootkit detection feature called Rootcheck.
Samhain once implemented rootkit detection as well, but it was dropped as of version 4.0 on the grounds that it had become obsolete. [1]
Comparison table
The following table of detectable rootkits was compiled from each tool's documentation and command output.
By simple count of supported rootkits, Rootkit Hunter has the most with 72, followed by chkrootkit with 67 and OSSEC's Rootcheck with 60.
| Rootkit | rkhunter | chkrootkit | OSSEC | Notes |
|---|---|---|---|---|
| 55808 Trojan - Variant A | ○ | ○ | ○ | |
| ADM Worm | ○ | × | × | [2] |
| Adore Rootkit | ○ | ○ | ○ | |
| Adore Worm | × | ○ | ○ | |
| AjaKit Rootkit | ○ | ○ | ○ | |
| Ambient (ark) Rootkit | ○ | ○ | ○ | |
| Anonoying rootkit | × | ○ | ○ | |
| aPa Kit | ○ | × | ○ | |
| Apache Worm | ○ | × | × | |
| Aquatica rootkit | × | ○ | × | |
| Backdoors.linux.Mokes.a | × | ○ | × | |
| Balaur Rootkit | ○ | × | × | Red Hat 6.1 [3] |
| Bash door | × | × | ○ | |
| BeastKit Rootkit | ○ | × | ○ | Red Hat 7.2 [4] |
| BMBL rootkit | × | × | ○ | |
| beX2 Rootkit | ○ | × | × | |
| BOBKit Rootkit | ○ | ○ | ○ | |
| cb Rootkit | ○ | × | × | |
| cback worm | × | × | ○ | |
| CiNIK Worm (Slapper.B variant) | ○ | × | × | |
| Danny-Boy's Abuse Kit | ○ | × | × | |
| Devil RootKit | ○ | × | × | |
| Dica-Kit Rootkit | ○ | × | × | |
| Dreams Rootkit | ○ | × | × | |
| dsc-rootkit | × | ○ | × | |
| Duarawkz Rootkit | ○ | ○ | × | |
| Ducoci rootkit | × | ○ | × | |
| Enye LKM | ○ | ○ | ○ | |
| ESRK rootkit | × | ○ | ○ | |
| FreeBSD rootkit | × | ○ | × | |
| Flea Linux Rootkit | ○ | × | × | |
| Fu Rootkit | ○ | ○ | ○ | |
| Fuck`it Rootkit | ○ | × | × | |
| GasKit Rootkit | ○ | × | × | |
| George | × | ○ | × | |
| Gold2 rootkit | × | ○ | × | |
| Heroin LKM | ○ | × | × | |
| Hidrootkit | × | ○ | ○ | |
| HjC Kit | ○ | × | × | |
| ignoKit Rootkit | ○ | × | × | |
| Illogic rootkit | × | ○ | ○ | |
| IntoXonia-NG Rootkit | ○ | × | × | |
| Irix Rootkit | ○ | × | × | |
| Jynx Rootkit | ○ | × | × | |
| KBeast Rootkit | ○ | × | × | |
| Kenga3 rootkit | × | ○ | ○ | |
| kenny-rk | × | ○ | × | |
| Kitko Rootkit | ○ | × | × | |
| Knark Rootkit | ○ | ○ | ○ | |
| ld-linuxv.so Rootkit | ○ | × | × | |
| LDP Worm | × | × | ○ | |
| Linux Rootkit 64Bit | × | ○ | × | |
| Linux.Xor.DDoS Malware | × | ○ | × | |
| Li0n Worm | ○ | ○ | ○ | |
| Lockit / LJK2 Rootkit | ○ | ○ | ○ | |
| LPD Worm | × | ○ | × | |
| lrk3, lrk4, lrk5, lrk6 (and variants) | × | ○ | ○ | |
| Lupper.Worm | × | ○ | × | |
| Madalin rootkit | × | ○ | ○ | |
| Maniac-RK | × | ○ | ○ | |
| MithRa's Rootkit | × | ○ | ○ | |
| Monkit | × | ○ | ○ | |
| Mood-NT Rootkit | ○ | × | × | |
| MRK Rootkit | ○ | × | × | |
| Mumblehard backdoor/botnet | × | ○ | × | |
| Ni0 Rootkit | ○ | × | × | |
| Ohhara Rootkit | ○ | × | × | |
| Old rootkits | × | × | ○ | |
| Omega Worm | × | ○ | ○ | |
| OpenBSD rk v1 | × | ○ | × | |
| Operation Windigo | × | ○ | × | |
| Optic Kit (Tux) Worm | ○ | ○ | ○ | |
| OSX.RSPlug.A | × | ○ | × | |
| ovas0n rootkit | × | × | ○ | |
| Override rootkit | × | × | ○ | |
| Oz Rootkit | ○ | × | × | |
| Phalanx Rootkit | ○ | × | ○ | |
| Phalanx2 Rootkit | ○ | × | × | |
| Phalanx2 Rootkit (extended tests) | ○ | × | × | |
| Pizdakit | × | ○ | × | |
| Portacelo Rootkit | ○ | × | × | |
| R3dstorm Toolkit | ○ | × | × | |
| Ramen Worm | × | ○ | ○ | |
| RH-Sharpe's Rootkit | ○ | ○ | ○ | |
| RK17 | × | ○ | ○ | |
| Romanian rootkit | × | ○ | ○ | |
| rootedoor rootkit | × | ○ | ○ | |
| rpv21 (Reverse Pimpage) | × | × | ○ | |
| RSHA's Rootkit | ○ | ○ | ○ | |
| RST.b trojan | × | ○ | × | |
| Sadmind/IIS Worm | × | × | ○ | Solaris [5] |
| Scalper Worm | ○ | ○ | ○ | FreeBSD [6] |
| Sebek LKM | ○ | × | × | |
| ShitC Worm | × | ○ | ○ | |
| Shkit rootkit | × | ○ | ○ | |
| Showtee | × | ○ | ○ | |
| Shutdown Rootkit | ○ | × | × | |
| SHV4 Rootkit | ○ | ○ | × | |
| SHV5 Rootkit | ○ | ○ | ○ | |
| Sin Rootkit | ○ | × | × | |
| SK rootkit. | × | ○ | × | |
| Slapper Worm | ○ | ○ | ○ | [7] |
| Sneakin Rootkit | ○ | × | × | |
| Sniffer log | × | × | ○ | |
| Solaris rootkit | × | ○ | ○ | |
| Spanish' Rootkit | ○ | × | × | |
| Suckit Rootkit | ○ | ○ | ○ | |
| Superkit Rootkit | ○ | × | × | |
| Suspicious file | × | × | ○ | |
| T.R.K | × | ○ | × | |
| T0rn Rootkit | ○ | ○ | ○ | |
| t0rn v8.0 | × | ○ | × | |
| TBD (Telnet BackDoor) | ○ | × | × | |
| TC2 Worm | × | ○ | ○ | |
| TeLeKiT Rootkit | ○ | × | ○ | |
| Tribe bot | × | × | ○ | |
| TRK rootkit | × | × | ○ | |
| trNkit Rootkit | ○ | × | × | |
| Trojanit Kit | ○ | × | × | |
| Tuxtendo Rootkit | ○ | × | ○ | |
| URK Rootkit | ○ | × | × | |
| Vampire Rootkit | ○ | × | × | |
| VcKit Rootkit | ○ | × | × | |
| Volc Rootkit | ○ | ○ | ○ | |
| Wormkit Worm | × | ○ | × | |
| x.c Worm | × | ○ | × | |
| Xzibit Rootkit | ○ | × | × | |
| zaRwT.KiT Rootkit | ○ | ○ | ○ | |
| ZK Rootkit | ○ | ○ | ○ | |
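The table shows that no single tool covers every rootkit, so the practical question for a defender is which entries fall outside a given tool's coverage. The following is an added example, not code from the page or from any of the three projects: it parses a markdown coverage table in the format used above (an eight-row excerpt of the table is embedded as constructed sample input), counts coverage per tool, and lists the rootkits that only one tool detects.

```python
"""Measure per-tool coverage and single-tool gaps from a rootkit comparison table."""

# Constructed excerpt of the comparison table above (8 rows, not the full list).
TABLE_EXCERPT = """\
| Rootkit | rkhunter | chkrootkit | OSSEC | Notes |
|---|---|---|---|---|
| Adore Rootkit | ○ | ○ | ○ | |
| Adore Worm | × | ○ | ○ | |
| Apache Worm | ○ | × | × | |
| Aquatica rootkit | × | ○ | × | |
| Bash door | × | × | ○ | |
| SHV4 Rootkit | ○ | ○ | × | |
| Phalanx Rootkit | ○ | × | ○ | |
| ZK Rootkit | ○ | ○ | ○ |
"""


def parse_table(markdown):
    """Return {rootkit: set(tools marked ○)} from a markdown table.

    Tool columns are every header column between the name and the Notes column.
    A trailing empty Notes cell may be missing (as in the ZK row); it is ignored.
    """
    rows = [line for line in markdown.splitlines() if line.startswith("|")]
    header = [c.strip() for c in rows[0].strip("|").split("|")]
    tools = header[1:-1]
    coverage = {}
    for row in rows[2:]:  # skip header and separator line
        cells = [c.strip() for c in row.strip("|").split("|")]
        marks = cells[1:1 + len(tools)]
        coverage[cells[0]] = {t for t, m in zip(tools, marks) if m == "○"}
    return coverage


def counts_per_tool(coverage):
    """Number of rootkits each tool detects (the figures quoted above the table)."""
    counts = {}
    for tools in coverage.values():
        for t in tools:
            counts[t] = counts.get(t, 0) + 1
    return counts


def only_detected_by(coverage):
    """Rootkits covered by exactly one tool, keyed by that tool, in table order."""
    gaps = {}
    for name, tools in coverage.items():
        if len(tools) == 1:
            gaps.setdefault(next(iter(tools)), []).append(name)
    return gaps


def union_count(coverage):
    """Rootkits detected by at least one tool when all three are run together."""
    return sum(1 for tools in coverage.values() if tools)
```

Running it on the full table instead of the excerpt shows how much the union of the three tools adds over the best single tool's 72.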
- [1] "This option has been removed as of samhain 4.0 because it has been obsoleted by modern kernel developments." - 10. Detecting Kernel rootkits
- [2] https://www.trendmicro.com/vinfo/us/threat-encyclopedia/archive/malware/UNIX_ADM.WORM.A
- [3] https://packetstormsecurity.com/files/29748/last1.tgz.html
- [4] http://ossec-docs.readthedocs.io/en/latest/rootcheck/rootcheck-beastkit.html
- [5] http://www.iss.net/security_center/reference/jp/vuln/sol-sadmind-amslverify-bo.htm
- [6] https://www.symantec.com/ja/jp/security_response/writeup.jsp?docid=2002-062814-5031-99
- [7] http://www.mcafee.com/japan/security/virS.asp?v=Linux/Slapper.worm.a