In-Depth Study of Linux Rootkits: Evolution, Detection, and Defense
2024-10-22 , Europe - Main Room

This talk, "In-Depth Study of Linux Rootkits," will provide a comprehensive examination of the evolution of Linux rootkits, from their inception to the sophisticated variants seen today. Participants will gain insights into advanced rootkit techniques, effective detection strategies, and the future landscape for defenders. By exploring the historical context, current methodologies, and emerging threats, attendees will be equipped with the knowledge and tools necessary to safeguard Linux systems against rootkit attacks.


  1. Introduction to Linux Rootkits
  • Overview of Linux rootkit capabilities
  1. A History of Linux Rootkits
  • Early rootkits: origins and initial capabilities
  • Evolution of rootkit techniques over time
  1. Advanced Rootkits: Techniques and Analysis
  • Kernel-level rootkits:
    • Techniques for hooking and modifying kernel functions
  • User-mode rootkits:
    • Methods for intercepting and manipulating user-space processes
  • Hybrid rootkits:
    • Combining kernel and user-space techniques
  • Rootkit persistence mechanisms and stealth techniques
  1. Detection Strategies for Linux Rootkits
  • Signature-based detection:
    • Tools and techniques for identifying known rootkits
    • Limitations of signature-based methods
  • Behavioral analysis:
    • Monitoring system behavior for anomalies
    • Case studies of successful behavioral detection
  • Integrity checking:
    • Verifying the integrity of system files and binaries
    • Challenges in maintaining accurate baselines
  • Advanced detection tools and frameworks:
    • Overview of popular rootkit detection tools
    • Demonstration of practical detection techniques

Stephan Berger has over a decade of experience in cybersecurity. Currently working with the Swiss-based company InfoGuard, Stephan investigates breaches and hacked networks as Head of Investigation of the Incident Response team. An avid Twitter user under the handle @malmoeb, he actively shares insights on cybersecurity trends and developments. Stephan also authors the blog DFIR.ch, where he provides in-depth analysis and commentary on digital forensics and incident response. Stephan has spoken at numerous conferences, sharing his expertise with audiences worldwide.

This speaker also appears in: