Comment by bflesch
13 days ago
Nice. Could it be detected by comparing output of `find /` at runtime with output of `find /` if you mount the disk on another system?
Yes. Offline is how a lot of rootkits are analyzed after the admin notices peculiar behavior. There are a lot of other tells that could be run online to find this rootkit though, most notably, its behavior with ftrace. Disabling ftrace, and then running a program that uses ftrace would tell right away that something's wrong.
Thanks. So for virtualized systems it would make sense to routinely clone the HDD and do such a comparison. Could easily be included in the backup software.
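The comparison proposed in the question and in the follow-up about cloned disks, written out as an added example (not code from anyone in the thread): it takes a `find /` listing captured on the running system and a `find` listing of the same disk mounted read-only elsewhere (the mount point, here assumed to be `/mnt/evidence`, is stripped), drops pseudo-filesystems that only exist at runtime, and reports paths that are on disk but missing from the live view. The two listings below are constructed sample data, including a constructed hidden directory and library name.

```python
"""Compare a live `find /` listing against a listing of the same disk mounted
offline, to surface files the running kernel is not showing.

Added example; both listings are constructed sample data, not real output.
"""
from typing import Iterable

# Runtime-only filesystems: populated on the live system, empty (or absent)
# on an offline mount. Excluded on both sides so they never show as a diff.
VOLATILE_PREFIXES = ("/proc", "/sys", "/dev", "/run", "/tmp")

# Constructed live listing: two on-disk entries are missing, one log rotated
# after the clone was taken.
LIVE_LISTING = """\
/
/etc
/etc/passwd
/usr
/usr/lib
/usr/lib/libc.so.6
/root
/var
/var/log
/var/log/syslog
/var/log/syslog.1
/proc
/proc/1
/proc/1/status
/sys
/dev
/dev/null
"""

# Constructed offline listing, taken with the disk mounted at /mnt/evidence
# (assumed mount point). "/root/.secret" and "libhide.so" are placeholder names.
OFFLINE_LISTING = """\
/mnt/evidence
/mnt/evidence/etc
/mnt/evidence/etc/passwd
/mnt/evidence/usr
/mnt/evidence/usr/lib
/mnt/evidence/usr/lib/libc.so.6
/mnt/evidence/usr/lib/libhide.so
/mnt/evidence/root
/mnt/evidence/root/.secret
/mnt/evidence/root/.secret/payload
/mnt/evidence/var
/mnt/evidence/var/log
/mnt/evidence/var/log/syslog
/mnt/evidence/proc
/mnt/evidence/sys
/mnt/evidence/dev
"""


def _under(path: str, prefix: str) -> bool:
    """True if `path` is `prefix` itself or lies below it (exact component match,
    so "/mnt/evidence2" is not treated as being under "/mnt/evidence")."""
    return path == prefix or path.startswith(prefix.rstrip("/") + "/")


def normalize(lines: Iterable[str], mount_prefix: str = "") -> set[str]:
    """Turn raw find output into absolute paths relative to the filesystem root.

    `mount_prefix` is removed from offline listings; volatile trees are dropped.
    """
    paths: set[str] = set()
    for raw in lines:
        p = raw.rstrip("\n")
        if not p:
            continue
        if mount_prefix and _under(p, mount_prefix):
            p = p[len(mount_prefix.rstrip("/")):] or "/"
        if any(_under(p, v) for v in VOLATILE_PREFIXES):
            continue
        paths.add(p)
    return paths


def compare_listings(live: Iterable[str], offline: Iterable[str],
                     mount_prefix: str) -> tuple[list[str], list[str]]:
    """Return (hidden, extra): paths on disk but absent from the live view, and
    paths seen live but absent from the offline image."""
    live_set = normalize(live)
    offline_set = normalize(offline, mount_prefix)
    hidden = sorted(offline_set - live_set)
    extra = sorted(live_set - offline_set)
    return hidden, extra


def run_example() -> tuple[list[str], list[str]]:
    """Run the comparison over the constructed listings."""
    return compare_listings(LIVE_LISTING.splitlines(),
                            OFFLINE_LISTING.splitlines(),
                            "/mnt/evidence")


if __name__ == "__main__":
    hidden, extra = run_example()
    print("on disk but not visible live:", *hidden, sep="\n  ")
    print("visible live but not on disk:", *extra, sep="\n  ")
```

Entries in the `hidden` list are the interesting ones; entries in `extra` usually just reflect writes that happened between the snapshot and the live `find` (log rotation here), so taking the clone from a quiescent system or a read-only snapshot keeps that noise small. Feeding both sides `find / -printf '%p\t%s\n'` instead of bare paths would also catch a file whose size differs on disk from what the live kernel reports.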