Chkrootkit: eating APTs for breakfast since 1997

Friday 6 October 10:00 - 10:30, Red room

Nelson Murilo Rufino (Pangeia)

Chkrootkit will be 20 years old in 2017. The first chkrootkit release was in 1997 and was written by a friend of mine, Klaus ( team), and me.

Chkrootkit is a suite of posix shell scripts and some tools written in ansi C, which runs in virtually all Unix environments without dependencies. It is able to detect several rootkits, malicious activity (some APTs included), and can perform post mortem forensic analysis to detect kernel module activities and similar. The tool currently detects around 70 known rootkits, worms and many malicious activities.

In this presentation I will discuss the features and methods used to detect rootkits and malware in general, the tool's limitations, and things that can be done to improve it. Chkrootkit is a open-source tool, so suggestions are always welcome. There is no other tool like chkrootkit - all similar tools are able to run only on Linux machines, whereas chkrootkit can run in almost all Unix environments.



Nelson Murilo

Nelson Murilo has been working as a network security analyst since 1992. He is the author of two network security books in Portuguese and a regular contributor to the Brazilian Computer Emergency Response Team's published papers (security guides and technical papers).

Nelson is the author of open source security tools including:

  • chkrootkit - Locally checks for the presence of a rootkit
  • Beholder -Linux wireless IDS

He is a regular speaker both at events in Brazil and at international conferences such as Defcon, Thotcon, SAS Kaspersky, Ekoparty, MS Bluehat and Auscert.







Other VB2017 papers

XAgent: APT28 cyber espionage on macOS

Tiberius Axinte (Bitdefender)

This paper provides an in-depth analysis of the macOS version of the APT28 component known as XAgent. We will dissect the…

Walking in your enemy's shadow: when fourth-party collection becomes attribution hell

Juan Andres Guerrero-Saade (Kaspersky Lab)
Costin Raiu (Kaspersky Lab)

Attribution is complicated under the best of circumstances. Sparse attributory indicators and the possibility of overt…

Keynote address: Inside Cloudbleed

John Graham-Cumming (Cloudflare)

In February 2017, Cloudflare was revealed to have been leaking private information including HTTP headers, cookies and POST data…

We have placed cookies on your device in order to improve the functionality of this site, as outlined in our cookies policy. However, you may delete and block all cookies from this site and your use of the site will be unaffected. By continuing to browse this site, you are agreeing to Virus Bulletin's use of data as outlined in our privacy policy.