Chkrootkit Linux/Ebury message - What now?

Updated: December 19, 2018

Occasionally, I test the few security tools that exist in Linux distributions, to see what they offer and whether they really have merit. One such tool is Chkrootkit, and so far, I've reported not one but two false positives over the years - the lkm warning and the suckit infected message. And now I've stumbled upon another dud, this one called Linux/Ebury - Operation Windigo.

I came across this result while testing the Ubuntu-based Robolinux 9.3, and given that distro's strong focus on security, the finding is doubly alarming. But as I suspected right away, it seems to be another false positive, so I did a little more testing and checking. Let me show you what gives.

Problem in more detail

The actual result is the following line (typo included) in the run report printed by chkrootkit:

Searching for Linux/Ebury - Operation Windigo ssh... Possible Linux/Ebury - Operation Windigo installetd

Investigation & solution

I started reading a little more on this issue, and came across several interesting findings. First, there's the actual technical article that explains the issue in detail, so you can actually run the different commands and ascertain whether there are any suspicious files on your system. Robolinux is based on Ubuntu 16.04 Xerus, so that's something that we need to remember in this particular case.

The commands that you need to run include the following:

The libkeyutils shared library is expected to be smaller than 25KB, and it is:

find /lib* -type f -name libkeyutils.so* -exec ls -la {} \;
-rw-r--r-- 1 root root 14256 Dec 10 2015 /lib/x86_64-linux-gnu/libkeyutils.so.1.5

Netstat reports no rogue sockets:

sudo netstat -nap | grep "@/proc/udevd"

There is no libns2.so file anywhere on the system.

locate libns2.so

From the purely technical perspective, we seem to be okay. However, if we look at what chkrootkit does, the actual command it executes to verify whether Ebury is installed on the system is the following:

ssh -G 2>&1 | grep -e illegal -e unknown > /dev/null && echo "System clean" || echo "System infected"
System infected

With the change in the ssh syntax, this command will fail, hence the false positive: newer OpenSSH clients accept -G as a legitimate option and print their effective configuration instead of an "illegal option" or "unknown option" error, so the grep never matches and the test reports an infection on a perfectly clean system. This affects chkrootkit version 0.50, as confirmed by a bug report. Indeed, it is worth checking the utility version. Robolinux, as well as Ubuntu 16.04, and possibly many other flavors and/or editions of this distro family, ship an old, outdated version of chkrootkit in the repos (two or three years old at least) - a security tool without frequent and relevant updates is detrimental to security, as it will raise issues that do not exist.

chkrootkit -V
chkrootkit version 0.50

So we see that the issue is one of bad implementation and not a real problem.
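To make the reasoning above concrete, here is an added example (my own, not code from chkrootkit or from the article) that wraps the chkrootkit 0.50 test, the same test interpreted with the ssh client version in mind, and the two manual checks (libkeyutils size, netstat socket) as shell functions. Each function takes the captured command output as an argument, so the logic can be run on constructed samples offline; the sample outputs, the assumption that -G became a documented option in OpenSSH 6.8, and the reading of "25KB" as 25600 bytes are mine, not the article's.

```sh
#!/bin/sh
# Added example, not code from chkrootkit or the article. All sample
# outputs below are constructed for illustration, not captured from a
# real machine.

# Exactly what chkrootkit 0.50 does: "clean" only if ssh rejects -G.
# $1 = captured output of `ssh -G 2>&1`
chkrootkit_verdict() {
    if printf '%s\n' "$1" | grep -q -e illegal -e unknown; then
        echo "System clean"
    else
        echo "System infected"
    fi
}

# Does this OpenSSH client accept -G by design? Assumption: -G was added
# in OpenSSH 6.8, so 6.8 and later print their configuration instead of
# an option error. $1 = output of `ssh -V 2>&1`, e.g. "OpenSSH_7.2p2 ...".
# Returns 0 (yes), 1 (no), 2 (version string not recognised).
ssh_supports_G() {
    ver=$(printf '%s' "$1" | sed -n 's/^OpenSSH_\([0-9]*\)\.\([0-9]*\).*/\1 \2/p')
    [ -n "$ver" ] || return 2
    major=${ver% *}
    minor=${ver#* }
    [ "$((major * 100 + minor))" -ge 608 ]
}

# The same ssh probe, but read together with the client version.
# $1 = output of `ssh -G 2>&1`, $2 = output of `ssh -V 2>&1`
ebury_ssh_check() {
    if printf '%s\n' "$1" | grep -q -e illegal -e unknown; then
        echo "clean"              # ssh rejects -G, as pre-6.8 clients do
    else
        ssh_supports_G "$2" && rc=0 || rc=$?
        case $rc in
            0) echo "inconclusive" ;;   # -G is documented here; rely on the other checks
            1) echo "suspicious" ;;     # -G accepted by a client that should reject it
            *) echo "unknown" ;;        # version string not recognised
        esac
    fi
}

# Manual check 1: libkeyutils should be well under 25KB (taken here as
# 25600 bytes). $1 = size in bytes, as printed by `ls -la`.
libkeyutils_size_ok() {
    [ "$1" -lt 25600 ]
}

# Manual check 2: is the @/proc/udevd socket the article greps for listed?
# $1 = output of `sudo netstat -nap`. Returns 0 if present.
udevd_socket_present() {
    printf '%s\n' "$1" | grep -q '@/proc/udevd'
}

# Constructed samples: what a modern client prints for `ssh -G`, a
# Xenial-era `ssh -V` banner, and a netstat listing without the socket.
demo_ssh_g='host localhost
user demo
port 22'
demo_ssh_v='OpenSSH_7.2p2 Ubuntu-4ubuntu2.6, OpenSSL 1.0.2g  1 Mar 2016'
demo_netstat='tcp  0 0 0.0.0.0:22  0.0.0.0:*  LISTEN  1234/sshd'

echo "chkrootkit 0.50 says: $(chkrootkit_verdict "$demo_ssh_g")"
echo "version-aware check:  $(ebury_ssh_check "$demo_ssh_g" "$demo_ssh_v")"
libkeyutils_size_ok 14256 && echo "libkeyutils size 14256: ok"
udevd_socket_present "$demo_netstat" || echo "udevd socket: none"
```

On a live system you would feed the functions real output, e.g. `ebury_ssh_check "$(ssh -G 2>&1)" "$(ssh -V 2>&1)"`; the point of the version-aware check is that a client which accepts -G because it is new enough yields "inconclusive" rather than "infected", which is precisely the distinction chkrootkit 0.50 fails to make.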

Conclusion

Security tools can cause quite a bit of panic when they flag something in the system, and this becomes an even bigger problem when the tools do not have the latest or most up-to-date definitions. I don't believe in changing software arbitrarily if it satisfies the required functionality, or most of it, but with security programs, there's really no middle ground. They must either be relevant and 100% accurate - or not be used at all. Chkrootkit causes more problems than it solves, especially if you take into account the previous two instances I've written about.

Most people will probably never use chkrootkit, but I felt it important to highlight this issue. There are two key lessons here. One, I've outlined above. Two, do not panic. Even if there's something seemingly wrong with your system, correlate the results: use other tools of a similar nature, or perform manual, independent checks of your own. It is important to be thorough and methodical in problem solving. Finally, it is important to keep things in the right perspective, Linux desktop (security) included, and exercise common sense. And that means there's more fun than security problems to be had in the Linux world. Take care.

Cheers.