rkhunter, Mac OS X and the Dica-Kit Rootkit

Last: 29/12/2015

1) Rootkit Hunter

rkhunter (Rootkit Hunter) is a Unix-based tool that scans for rootkits, backdoors and possible local exploits. It does this by comparing SHA-1 hashes of important files with known good ones in online databases, and by searching for default rootkit directories, wrong permissions, hidden files and suspicious strings in kernel modules.

rkhunter is not a binary file doing “black system magic”. It is a well-documented and open shell script using classic command line tools to detect known modifications of the system files and system tools, possibly made by malicious software. The database of known modifications is huge and the result of 10 years of knowledge collection.

rkhunter is a script that everybody should run from time to time, especially on machines not having a controlled and well-scheduled workflow. The official web home is http://rkhunter.sourceforge.net/ (beware of SourceForge!) and the latest version at the time of writing is 1.4.2, 24-02-2014.

On OS X, using Homebrew, the installation is performed with “brew install rkhunter”, and a first test sweep with the default configuration can be started with “sudo rkhunter -c”.

Since the tool is a huge shell script, one can have a look into the source code: “nano /usr/local/Cellar/rkhunter/1.4.2/bin/rkhunter”.

2) Dica-Kit Rootkit False-positive

Running the tool on my Mac OS X Yosemite (10.10.5) machine, however, produced some alarming results.

Execution output showed various warnings. A “warning” is a statement like “you might check this, since it might be a problem”. This is totally fine – Better safe than sorry.

:
Checking for rootkits...
  Performing check of known rootkit files and directories
    55808 Trojan - Variant A                                 [ Not found ]
    ADM Worm                                                 [ Not found ]
    AjaKit Rootkit                                           [ Not found ]
    Devil RootKit                                            [ Not found ]
    Dica-Kit Rootkit                                         [ Warning ]
    Dreams Rootkit                                           [ Not found ]
:  

The output ended with this:

:
System checks summary
=====================

Rootkit checks...
    Rootkits checked : 268
    Possible rootkits: 1
    Rootkit names    : Dica-Kit Rootkit
:

Knowing that a statement like “possible problem” generally translates to “I found a problem” in the reader's mind, one might be a bit worried now.

As I use this machine for development and computer security research, I have all kinds of tools installed that may trigger “false-true” alarms. The first thing to do is to check the log file, which was far more precise about the finding:

$ nano /var/log/rkhunter.log
:
[17:01:34] Checking for Dica-Kit Rootkit...
[17:01:34]   Checking for file '/lib/.sso'                   [ Not found ]
[17:01:34]   Checking for file '/lib/.so'                    [ Not found ]
[17:01:34]   Checking for file '/var/run/...dica/clean'      [ Not found ]
[17:01:34]   Checking for file '/var/run/...dica/dxr'        [ Not found ]
[17:01:34]   Checking for file '/var/run/...dica/read'       [ Not found ]
[17:01:34]   Checking for file '/var/run/...dica/write'      [ Not found ]
[17:01:34]   Checking for file '/var/run/...dica/lf'         [ Not found ]
[17:01:34]   Checking for file '/var/run/...dica/xl'         [ Not found ]
[17:01:34]   Checking for file '/var/run/...dica/xdr'        [ Not found ]
[17:01:34]   Checking for file '/var/run/...dica/psg'        [ Not found ]
[17:01:34]   Checking for file '/var/run/...dica/secure'     [ Not found ]
[17:01:34]   Checking for file '/var/run/...dica/rdx'        [ Not found ]
[17:01:34]   Checking for file '/var/run/...dica/va'         [ Not found ]
[17:01:34]   Checking for file '/var/run/...dica/cl.sh'      [ Not found ]
[17:01:34]   Checking for file '/var/run/...dica/last.log'   [ Not found ]
[17:01:34]   Checking for file '/usr/bin/.etc'               [ Not found ]
[17:01:34]   Checking for file '/etc/sshd_config'            [ Found ]
[17:01:34]   Checking for file '/etc/ssh_host_key'           [ Found ]
[17:01:35]   Checking for file '/etc/ssh_random_seed'        [ Not found ]
[17:01:35]   Checking for directory '/var/run/...dica'       [ Not found ]
[17:01:35]   Checking for directory '/var/run/...dica/mh'    [ Not found ]
[17:01:35]   Checking for directory '/var/run/...dica/scan'  [ Not found ]
[17:01:35] Warning: Dica-Kit Rootkit                         [ Warning ]
[17:01:35]          File '/etc/sshd_config' found
[17:01:35]          File '/etc/ssh_host_key' found
:

It states clearly that it is a warning and that the reason is the presence, not the content, of two files that are actually totally common to have on development machines.
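The same triage can be scripted. The following is an added example, not part of rkhunter or of the original post: the function names are hypothetical and the log layout is assumed to match the excerpt above. It lists the files or directories behind each rootkit warning and shows which of them are not on a list of paths you expect to exist.

```shell
#!/bin/sh
# Added example: show which files or directories caused each rootkit warning
# in an rkhunter log. The log layout is assumed from the excerpt in this post.

# rkh_warning_hits LOGFILE -> one "rootkit<TAB>kind<TAB>path" line per hit
rkh_warning_hits() {
    awk -v q="'" '
    /^\[[0-9:]+\] Checking for .*\.\.\. *$/ { n = 0; next }  # new check section
    /^\[[0-9:]+\] +Checking for (file|directory) .*\[ Found \] *$/ {
        kind = ($0 ~ /Checking for file /) ? "file" : "directory"
        if (match($0, q ".*" q))                 # path between the quotes
            hit[++n] = kind "\t" substr($0, RSTART + 1, RLENGTH - 2)
        next
    }
    /^\[[0-9:]+\] Warning: .*\[ Warning \] *$/ { # verdict line of the section
        name = $0
        sub(/^\[[0-9:]+\] Warning: /, "", name)
        sub(/ +\[ Warning \] *$/, "", name)
        for (i = 1; i <= n; i++) printf "%s\t%s\n", name, hit[i]
        n = 0
    }' "$1"
}

# rkh_unexpected_hits LOGFILE PATH... -> hits whose path is not among PATH...
rkh_unexpected_hits() {
    log=$1; shift
    rkh_warning_hits "$log" | while IFS="$(printf '\t')" read -r name kind path; do
        for ok in "$@"; do [ "$path" = "$ok" ] && continue 2; done
        printf '%s\t%s\t%s\n' "$name" "$kind" "$path"
    done
}

# Constructed sample: abridged copy of the log excerpt shown above.
rkh_sample_log() {
    cat <<'EOF'
[17:01:34] Checking for Dica-Kit Rootkit...
[17:01:34]   Checking for file '/lib/.sso'                   [ Not found ]
[17:01:34]   Checking for file '/etc/sshd_config'            [ Found ]
[17:01:34]   Checking for file '/etc/ssh_host_key'           [ Found ]
[17:01:35]   Checking for directory '/var/run/...dica'       [ Not found ]
[17:01:35] Warning: Dica-Kit Rootkit                         [ Warning ]
[17:01:35]          File '/etc/sshd_config' found
EOF
}

# Usage: sh thisfile.sh /var/log/rkhunter.log
if [ $# -gt 0 ]; then rkh_warning_hits "$1"; fi
```

An empty result from rkh_unexpected_hits only means every flagged path was expected to exist; the content of those files still has to be checked by hand.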

The list of possible rootkit files can be found in the script source code as well:

:
# Dica-Kit (T0rn variant) Rootkit
DICA_FILES="/lib/.sso
            /lib/.so
              :
            /var/run/...dica/cl.sh
            /var/run/...dica/last.log
            /usr/bin/.etc
            /etc/sshd_config
            /etc/ssh_host_key
            /etc/ssh_random_seed"
DICA_DIRS="/var/run/...dica
           /var/run/...dica/mh
           /var/run/...dica/scan"
DICA_KSYMS=
:

On OS X, the files sshd_config and ssh_host_key are created when activating the “Remote (Shell) Login” functionality in the “Sharing” preferences dialog. This option makes it possible to log in to the Mac over the network using a text-based SSH terminal, which is a rather common wish for developers and system administrators.

Just to be sure, I verified the content of sshd_config and ssh_host_key. Everything was as expected. Conclusion: FALSE ALARM, which is clearly the outcome that I preferred.

Disclaimer: It’s your responsibility to react in an adequate way to alarms triggered by any type of malware scanner. This blog text is merely an additional hint at a possible (!) option that you might consider.

A Problem? No Problem!

rkhunter is not a tool that is meant to be downloaded, quickly executed in its default configuration and then forgotten while the system owner sleeps tight for the next 5 years.

The tool's strength lies in being adapted to an environment and in monitoring changes over time. For this, it requires a correct configuration and, for instance, a cron job sending mails when new issues arise.

The configuration file is well documented and has hundreds of customisation options. The file is generally located in places similar to “/etc/rkhunter.conf” (Linux) or “/usr/local/Cellar/rkhunter/1.4.2/etc” (Homebrew).

You might say that hackers who are able to install a rootkit are also able to stop rkhunter from running, and this is a valid remark. On the other hand, today's hacking is often automated or performed by people simply using the basic functionality of tools like metasploit or a WordPress scanner. They may not have the reflex to stop rkhunter from running, or they simply don’t care. Moreover, hacks are often only partially successful, leaving detectable traces on the system.

rkhunter is one tool in a toolbox. It is not, and does not pretend to be, a miracle protection system.

One thought on “rkhunter, Mac OS X and the Dica-Kit Rootkit”

  1. This is exactly what happened to me. Thanks for getting me through it. The information about having rkhunter properly configured for the system you are running was a very helpful note.
