--- /dev/null
+Rootkit detection techniques used by the OSSEC HIDS
+by Daniel B. Cid, daniel.cid@gmail.com
+
+
+Starting on version 0.4, the OSSEC HIDS will perform
+rootkit detection on every system where the agent is
+installed. The rootcheck (rootkit detection engine) will
+be executed every X minutes (user specified --by default
+every 2 hours) to detect any possible rootkit installed.
+Used witht the log analysis and the integrity checking
+engine, it will become a very powerful monitoring solution
+(the OSSEC HIDS performs log analysis and integrity
+checking since version 0.1).
+
+Other feature included on version 0.4 is that the analysis
+server will automatically forward the rootkit detection
+signatures to the agents, reducing the administration
+overhead for the system admin. The agents and server will
+keep contact every 10 minutes and if the server is
+updated with a new signature file, it will forward them
+to all configured agents. Take a look at the management
+documentation for more information.
+
+The rootcheck will perform the following steps on the
+system trying to find rootkits:
+
+
+1- Read the rootkit_files.txt which contains a big database
+ of rootkits and files used by them. It will try to stats,
+ fopen and opendir each specified file. We use all these
+ system calls, because some kernel-level rootkits, hide
+ files from some system calls. The more system calls we
+ try, the better the detection. This method is more like
+ an anti-virus rule that needs to be updated constantly.
+ The chances of false-positives are small, but false
+ negatives can be produced by modifying the rootkits.
+
+2- Read the rootkit_trojans.txt which contains a database
+ of signatures of files trojaned by rootkits. This
+ technique of modifying binaries with trojaned versions
+ was commonly used by most of the popular rootkits
+ available. This detection method will not find any
+ kernel level rootkit or any unknown rootkit.
+
+3- Scan the /dev directory looking for anomalies. The /dev
+ should only have device files and the Makedev script.
+ A lot of rootkits use the /dev to hide files. This
+ technique can detect even non-public rootkits.
+
+4- Scan the whole filesystem looking for unusual files and
+ permission problems. Files owned by root, with written
+ permission to others are very dangerous and the rootkit
+ detection will look for them. Suid files, hidden directories
+ and files will also be inspected.
+
+5- Look for the presence of hidden processes. We use getsid()
+ and kill() to check if any pid is being used or not. If
+ the pid is being used, but "ps" can't see it, it is the
+ indication of kernel-level rootkit or a trojaned version
+ of "ps". We also verify the output of kill and getsid that
+ should be the same.
+
+6- Look for the presence of hidden ports. We use bind() to
+ check every tcp and udp port on the system. If we can't
+ bind to the port (it's being used), but netstat does not
+ show it, we probably have a rootkit installed.
+
+7- Scan all interfaces on the system and look for the ones
+ with "promisc" mode enabled. If the interface is in promiscuous
+ mode, the output of "ifconfig" should show that. If not,
+ we probably have a rootkit installed.
+
+
+EOF