A security concern has come up in our facility that may require deep scans of systems to detect possibly installed rootkits. A specific case that had come up is the rootkit rubilyn that can hide processes at will, and even goes undetected by most detectors. The only method I see currently is from Volatility and its latest release version. This requires a full memory dump, which for our facility includes quite a few 32GB systems, and then a detailed scan to find processes hidden by this rootkit.
Has anyone ventured into deep scans on systems within their organization, and if so, how big of a scale is it implemented on? Site-wide, department-based, or even on a case-by-case basis. A rootkit as stealthy as this is quite scary for a government facility such as ours, and we will eventually need concrete proof that our systems are not being compromised by them.
Whenever we do this it's usually organization-wide, as the hard work in creating the Casper EA has already been done; generally up to 1,000 devices per site.
From what I have read about rubilyn, it will hide from ps but can be seen using launchctl, so an EA based around that could be worth looking into.
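One way to build the EA suggested above, as an added example that is not code from the thread, from Jamf, or from the rubilyn analyses: it cross-checks the PIDs that `launchctl list` reports as running against what `ps` can see, on the assumption that a PID in the first list but missing from the second is worth flagging. The `--run` flag and the `<result>` formatting are my own choices, not an existing convention of the tool.

```shell
#!/bin/bash
# Added example (not from the thread): Jamf Extension Attribute that flags
# launchd jobs whose PID launchctl reports but ps cannot see.
# Assumption: such a PID indicates process hiding, or a job that exited
# between the two commands (handled by the re-check below).

# Compare two space-separated PID lists; print PIDs present in the first
# (from launchctl) but not in the second (from ps). Pure text processing,
# so it can be exercised offline with constructed data.
hidden_pids() {
    lc_list="$1"
    ps_list="$2"
    for pid in $lc_list; do
        case " $ps_list " in
            *" $pid "*) ;;      # visible to ps: nothing to report
            *) echo "$pid" ;;   # reported by launchd, missing from ps
        esac
    done
}

# Extract running PIDs from `launchctl list` output on stdin: skip the
# header line and jobs that are not running (PID column is "-").
parse_launchctl() {
    awk 'NR > 1 && $1 ~ /^[0-9]+$/ { print $1 }'
}

# Live EA body; runs only when invoked with --run (as root under Jamf).
if [ "${1:-}" = "--run" ]; then
    lc_pids=$(launchctl list 2>/dev/null | parse_launchctl | tr '\n' ' ')
    ps_pids=$(ps -axo pid= | tr -d ' ' | tr '\n' ' ')
    confirmed=""
    for pid in $(hidden_pids "$lc_pids" "$ps_pids"); do
        # Re-check once so a job that merely exited is not reported.
        if launchctl list 2>/dev/null | parse_launchctl | grep -qx "$pid" \
           && ! ps -p "$pid" >/dev/null 2>&1; then
            confirmed="$confirmed $pid"
        fi
    done
    if [ -n "$confirmed" ]; then
        echo "<result>HIDDEN:$confirmed</result>"
    else
        echo "<result>OK</result>"
    fi
fi
```

Only launchd-managed jobs appear in `launchctl list`, so a hidden process that was not started through launchd will not be caught by this check; treat a HIDDEN result as a trigger for the fuller memory analysis the question describes, not as a replacement for it.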