I've been thinking about this rootkit detection and exposure issue, and here are my thoughts:
To me, in determining the integrity of any system, the core question is, have the system utilities been compromised? In the equestrian sporting world there is a saying, "Pretty is as Pretty does." From this philosophy, what do the utilities say, and is there a difference between the output of the utilities on the machine and "known clean" utilities? I can't get completely past the feeling that any other test is just window dressing, and while they are all useful tools, it seems to me that any of them could possibly be compromised with a sophisticated enough rootkit. When you are root, _in theory_ you can rewrite md5sums, dates, and even remote hosts used to retrieve live trusted sums. I know of no rootkits that currently do this, but I can imagine how it might be possible.
Anyways, with help from a "Building a live CD" article in this month's Linux Journal, here is the procedure that I have come up with to test system utilities on any machine without a reboot:
You need about 2 gig of space to use the utilities on a knoppix cd, and a knoppix cd. Here's the recipe:
Drop a KNOPPIX cd into the tray. Download the cloop-utils package, on debian this is
# apt-get install cloop-utils
Mount the Knoppix cd:
# mount /dev/cdrom /mnt
Extract the compressed knoppix filesystem (this will take a while: go bake a cake or something).
# extract_compressed_fs /mnt/KNOPPIX/KNOPPIX > /tmp/knoppix-compressed
Then mount the extracted filesystem.
# mkdir /tmp/knoppix; mount -o loop /tmp/knoppix-compressed /tmp/knoppix
Symlink the libraries to the knoppix directory:
Okay, now you're all set. Does the output of the utilities match?
# ps ax > /tmp/sysout; env LD_LIBRARY_PATH=/tmp/knoppix/lib \
  /tmp/knoppix/bin/ps ax > /tmp/knoppixout; \
  diff /tmp/sysout /tmp/knoppixout
Obviously these commands must be edited for any utility that you wish to check, I'm sure that there are lots of lists of "normally rewritten utilities" for most rootkits on the web and a script could be written to check them all. ps ax will show expected differences, but any seriously funny stuff should reach out and grab you by the throat.
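Here is one way to script the comparison over a list of utilities, as an added example that is not part of the original post. It assumes the trusted tree is mounted at /tmp/knoppix as in the recipe above (override with TRUSTED_ROOT), that its libraries live under lib and usr/lib, and that the list of utilities and arguments at the bottom is just a starting point for the reader to edit.

```shell
#!/bin/sh
# Added example (not from the original post): compare the output of system
# utilities with the same utilities run from a trusted tree such as the
# Knoppix filesystem mounted at /tmp/knoppix in the recipe above.
# run_trusted ROOT UTIL [ARGS...]: run ROOT/bin/UTIL against ROOT's libraries
# (lib and usr/lib under ROOT are assumed to be where its libraries live).
run_trusted() {
    root=$1; util=$2; shift 2
    env LD_LIBRARY_PATH="$root/lib:$root/usr/lib" "$root/bin/$util" "$@"
}

# compare_util ROOT UTIL [ARGS...]: diff the running system's UTIL against the
# trusted copy. Returns 0 when the outputs match, 1 (and prints the diff) when
# they differ. Expect benign differences for anything that prints PIDs/times.
compare_util() {
    root=$1; util=$2; shift 2
    sys_out=$(mktemp); trusted_out=$(mktemp)
    "$util" "$@" > "$sys_out" 2>&1
    run_trusted "$root" "$util" "$@" > "$trusted_out" 2>&1
    if diff_out=$(diff "$sys_out" "$trusted_out"); then
        status=0
    else
        echo "== $util $* differs between the running system and $root =="
        printf '%s\n' "$diff_out"
        status=1
    fi
    rm -f "$sys_out" "$trusted_out"
    return $status
}

# check_all ROOT: read "utility args" lines from stdin (blank and '#' lines are
# skipped) and return the number of utilities whose output did not match.
check_all() {
    root=$1; failed=0
    while read -r util args; do
        case $util in ''|'#'*) continue ;; esac
        compare_util "$root" "$util" $args || failed=$((failed + 1))
    done
    return $failed
}

# Stand-alone use: only runs when the trusted tree is actually mounted. The
# list below is an assumed starting set of commonly replaced utilities.
TRUSTED_ROOT=${TRUSTED_ROOT:-/tmp/knoppix}
if [ -d "$TRUSTED_ROOT/bin" ]; then
    check_all "$TRUSTED_ROOT" <<EOF
ps ax
netstat -an
ls -la /
EOF
fi
```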
If anybody sees any flaws in my thinking here, feel free to point them out. At this point I don't see why this wouldn't work, and I can't imagine how a rootkit could hide from this type of scrutiny.
Regards,
-Don