
GCIH Question #307: Real Exam Question with Answer & Explanation

The correct answer is C: chkrootkit.

Malware Analysis & Advanced Persistent Threats

Question

Which of the following tools uses common UNIX/Linux tools like the strings and grep commands to search core system programs for signatures of the rootkits?

Options

  • A. rkhunter
  • B. OSSEC
  • C. chkrootkit
  • D. Blue Pill

Explanation

chkrootkit (Check Rootkit) is a classic open-source Unix/Linux tool that detects rootkits by using standard system utilities - primarily 'strings' (to extract printable strings from binaries) and 'grep' (to search for known rootkit signatures within core system programs like 'ps', 'ls', 'netstat', etc.). It works by comparing these programs against known rootkit indicators without requiring a dedicated database engine. In contrast, rkhunter (Rootkit Hunter) uses its own database of SHA-1 hashes and properties to detect changes - it does not rely on strings/grep in the same way. OSSEC is a host-based intrusion detection system (HIDS) focused on log analysis, file integrity monitoring, and alerting. Blue Pill is a hypervisor-based rootkit concept (not a detection tool), originally demonstrated by Joanna Rutkowska, which exploits AMD-V virtualization to place the running OS inside a virtual machine without the OS detecting it.

Topics

#chkrootkit #rootkit-detection #strings-grep #Unix-tools
