Chkrootkit: eating APTs for breakfast since 1997

Presented at VB2017, Oct. 6, 2017, 10 a.m. (30 minutes)

Chkrootkit will be 20 years old in 2017. The first chkrootkit release was in 1997 and was written by a friend of mine, Klaus (CERT.br team), and me. Chkrootkit is a suite of POSIX shell scripts and some tools written in ANSI C, which runs in virtually all Unix environments without dependencies. It is able to detect several rootkits and malicious activity (some APTs included), and can perform post-mortem forensic analysis to detect kernel module activity and similar. The tool currently detects around 70 known rootkits and worms, and many kinds of malicious activity. In this presentation I will discuss the features and methods used to detect rootkits and malware in general, the tool's limitations, and things that can be done to improve it. Chkrootkit is an open-source tool, so suggestions are always welcome. There is no other tool like chkrootkit - all similar tools are able to run only on *Linux* machines, whereas chkrootkit can run in almost all Unix environments.
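
As an added illustration of the kind of check a tool like chkrootkit performs (this is example code written for this page, not chkrootkit's own source, and the function names are this example's own), here is a hidden-process check in portable POSIX sh: the kernel's process list under /proc is compared with what the ps binary reports, since a trojaned ps or a kernel module that filters the process table usually leaves the two views disagreeing. The sample PID lists used to exercise the pure comparison function are constructed, not captured from a real system.

```shell
#!/bin/sh
# Added example (not chkrootkit's own code): a chkproc-style hidden-process
# check. Two views of the process list are compared: the kernel's /proc
# directory and the output of the (possibly trojaned) ps binary.
# All function names below are this example's own choice.

# hidden_pids PROC_LIST PS_LIST
#   Pure function: given two whitespace-separated PID lists, print (sorted,
#   one per line) the PIDs present in PROC_LIST but absent from PS_LIST.
hidden_pids() {
    printf '%s\n' $1 | awk -v ps="$2" '
        BEGIN {
            n = split(ps, a, "[ \t\n]+")
            for (i = 1; i <= n; i++) if (a[i] != "") seen[a[i]] = 1
        }
        $1 != "" && !($1 in seen) { print $1 }
    ' | sort -n
}

# proc_pids: the kernel's view, i.e. numeric entries directly under /proc.
proc_pids() {
    for d in /proc/[0-9]*; do
        [ -d "$d" ] && printf '%s\n' "${d#/proc/}"
    done
}

# ps_pids: the view reported by the ps binary (PID column only, no header).
ps_pids() {
    ps -e -o pid= 2>/dev/null
}

# check_hidden_processes: compare both views, then re-verify each candidate
# so that processes which merely exited between the two snapshots are not
# reported. Exit status: 0 nothing hidden, 1 hidden PIDs found, 2 cannot run.
check_hidden_processes() {
    command -v ps >/dev/null 2>&1 || { echo "ps not available" >&2; return 2; }
    [ -d /proc/self ] || { echo "/proc not mounted" >&2; return 2; }
    found=0
    for pid in $(hidden_pids "$(proc_pids)" "$(ps_pids)"); do
        [ -d "/proc/$pid" ] || continue                  # exited meanwhile
        ps -p "$pid" -o pid= 2>/dev/null | grep -q . && continue   # ps sees it now
        echo "PID $pid is visible in /proc but not reported by ps"
        found=1
    done
    return $found
}

# Usage: run the live check and report its status without aborting the script.
status=0
check_hidden_processes || status=$?
echo "hidden-process check exit status: $status"
```

On a clean machine the live check prints nothing but the status line; a PID reported by the check deserves a look at /proc/PID/exe and /proc/PID/cmdline before concluding anything, because a process legitimately created between the two snapshots is already filtered out, but a deliberately hidden one will survive the re-verification.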

Presenters:

  • Nelson Murilo Rufino - Pangeia
    Nelson Murilo has been working as a network security analyst since 1992. He is the author of two network security books in Portuguese and a regular contributor to the Brazilian Computer Emergency Response Team's published papers (security guides and technical papers). Nelson is the author of open source security tools including:
      • chkrootkit - locally checks for the presence of a rootkit
      • Beholder - Linux wireless IDS
    He is a regular speaker both at events in Brazil and at international conferences such as Defcon, Thotcon, SAS Kaspersky, Ekoparty, MS Bluehat and Auscert. @nelsonmurilo
