Zeppoo: Decent Rootkit Detection for Linux

Rootkit detection has been going on for a long time on Linux, far longer than on Windows.

Often it was just "signature based", as with chkrootkit, which finds already known rootkits. Windows rootkit detection tools only showed up in the last couple of years and are more generic in nature, looking at different hooks and signs of foul play. Still, they are far from mature, and the detection technology is still behind what the bad guys are using.

Zeppoo is a new tool for rootkit detection on Linux that works generically, catching up to the Windows technology.

On Dick's Diary, he writes of this new tool and says:

A clever tool I've been watching for some time called Zeppoo has reached a mature release stage today. Zeppoo allows the user to detect rootkits on the i386 architecture under Linux by using /dev/kmem and /dev/mem. It's very useful at detecting hidden tasks, modules, syscalls, some corrupted symbols, and hidden connections. Anti-rootkits which don't use these methods can be fooled easily.
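The detections Dick lists (hidden tasks, modules, connections) all rest on one idea: compare the view a rootkit can filter with a second view it cannot filter so cheaply, and report the difference. As an added illustration of that cross-view approach, here is a small Python script for the hidden-task case. It is not Zeppoo's code and not from the original post; it does not read /dev/kmem (which recent kernels no longer expose at all) but contrasts the readdir() listing of /proc, the view a hooked getdents would filter, against direct probes of each PID via /proc/<pid> and kill(pid, 0). Function names (`listed_pids`, `probed_pids`, `scan`) are this example's own.

```python
"""Cross-view hidden-process check on Linux.

Added example, not Zeppoo's code. A kernel rootkit that hides a task usually
filters the directory listing of /proc, but the task still exists: /proc/<pid>
can normally still be opened by exact path, and kill(pid, 0) reports EPERM or
success instead of ESRCH. Comparing the "listed" view with a "probed" view
exposes the discrepancy.
"""
import os


def own_pid():
    """PID of this process (used by the self-check in the test)."""
    return os.getpid()


def listed_pids():
    """PIDs visible in a plain readdir() of /proc: the view a hooked getdents filters."""
    return {int(name) for name in os.listdir("/proc") if name.isdigit()}


def pid_max():
    """Upper bound of the PID space, read from the kernel (falls back to the old default)."""
    try:
        with open("/proc/sys/kernel/pid_max") as f:
            return int(f.read().strip())
    except (OSError, ValueError):
        return 32768


def probed_pids(candidates=None):
    """PIDs found by probing each candidate directly, bypassing the directory listing."""
    if candidates is None:
        candidates = range(1, pid_max() + 1)
    found = set()
    for pid in candidates:
        # First probe: open the per-process directory by exact path.
        if os.path.isdir(f"/proc/{pid}"):
            found.add(pid)
            continue
        # Second probe: signal 0 delivers nothing; it only asks "does this PID exist?"
        try:
            os.kill(pid, 0)
            found.add(pid)
        except ProcessLookupError:
            pass            # ESRCH: no such process
        except PermissionError:
            found.add(pid)  # EPERM: exists, but owned by another user
    return found


def hidden_pids(listed, probed):
    """Pure comparison: processes in the probed view that the listing did not show."""
    return sorted(set(probed) - set(listed))


def scan(candidates=None):
    """Full check with a guard against the obvious race.

    A process that starts or exits between the listing and the probe would look
    hidden for one run, so the listing is taken before and after probing and a
    PID is reported only if neither listing contained it.
    """
    before = listed_pids()
    probed = probed_pids(candidates)
    after = listed_pids()
    return hidden_pids(before | after, probed)


if __name__ == "__main__":
    suspicious = scan()
    if suspicious:
        print("PIDs reachable but absent from the /proc listing:", suspicious)
    else:
        print("no discrepancy between /proc listing and direct probing")
```

Run it as a user who can see the processes of interest; a PID that keeps showing up in the probed view across repeated runs while never appearing in the listing is worth a closer look. The same comparison generalises to the other views Dick names: loaded modules (/proc/modules versus /sys/module) and sockets (/proc/net/tcp versus the per-process fd tables), each time pairing a list the rootkit is likely to filter with one it probably did not think of.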

You can find more information on Zeppoo's project page here.

Zeppoo's homepage is here.

Gadi Evron,