Elastic Security Labs’ Hooked on Linux: Rootkit Detection Engineering (Part 2) argues that static detection is unreliable against Linux rootkits and emphasises behavioural and runtime signals instead. The piece describes a small VirusTotal experiment using a dataset of ten Linux rootkits to assess static signature detection, finding that stripping binaries and even adding a single null byte can dramatically reduce detections.
It highlights that many rootkits employ little obfuscation, yet static signatures remain fragile, shifting the focus to dynamic analysis and runtime telemetry. The article then details detection approaches for userland and kernel-space rootkits, including monitoring shared object loading, LD_PRELOAD usage, and kernel module loading, with multiple detection rules and example telemetry.
It notes that tools like Auditd and kernel logs, together with eBPF and io_uring considerations, are used to surface indicators such as unusual preload activity, tainted kernels, and out-of-tree modules. Published on 2 April 2026, the piece reinforces a layered defence strategy combining detection engineering, configuration hardening, and forensic readiness to counter evolving Linux rootkits such as Diamorphine, Reptile and Singularity.
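The kernel-side indicators mentioned above (a tainted kernel, out-of-tree or unsigned modules, and `/etc/ld.so.preload` entries) can be surfaced from procfs text alone. The following is an added example written for this summary, not code from the Elastic article; it decodes the `/proc/sys/kernel/tainted` bitmask using the taint letters documented in the kernel's admin guide and parses `/proc/modules` lines, running against constructed sample input rather than a live host.

```python
"""Decode Linux kernel taint state and flag out-of-tree/unsigned modules and
ld.so.preload entries. All sample input below is constructed, not real telemetry."""
import re

# Taint bit -> letter, per Documentation/admin-guide/tainted-kernels.rst
TAINT_BITS = {0: "P", 1: "F", 2: "S", 3: "R", 4: "M", 5: "B", 6: "U", 7: "D",
              8: "A", 9: "W", 10: "C", 11: "I", 12: "O", 13: "E", 14: "L",
              15: "K", 16: "X", 17: "T", 18: "N"}
# Flags worth a second look when hunting for loadable-module rootkits
SUSPICIOUS = {"O": "out-of-tree module loaded",
              "E": "unsigned module loaded",
              "U": "userspace-requested taint"}

# /proc/modules: name size refcount deps state address [(taint flags)]
MODULE_RE = re.compile(
    r"^(?P<name>\S+)\s+\d+\s+\d+\s+\S+\s+(?P<state>\S+)\s+0x[0-9a-f]+"
    r"(?:\s+\((?P<flags>[A-Z+-]+)\))?")


def decode_taint(value):
    """Return the set of taint letters encoded in the integer from /proc/sys/kernel/tainted."""
    return {letter for bit, letter in TAINT_BITS.items() if value & (1 << bit)}


def flagged_modules(proc_modules):
    """Return (module, flags) for /proc/modules entries carrying the O or E taint flag."""
    hits = []
    for line in proc_modules.splitlines():
        m = MODULE_RE.match(line)
        if m and m.group("flags") and set(m.group("flags")) & {"O", "E"}:
            hits.append((m.group("name"), m.group("flags")))
    return hits


def preload_entries(ld_so_preload):
    """Return non-empty, non-comment paths listed in /etc/ld.so.preload (any entry is notable)."""
    return [l.strip() for l in ld_so_preload.splitlines()
            if l.strip() and not l.lstrip().startswith("#")]


# Constructed samples (hypothetical module names, not real indicators).
SAMPLE_TAINTED = 12288  # bits 12 (O) and 13 (E) set
SAMPLE_MODULES = """\
ext4 901120 1 - Live 0xffffffffc0a00000
samplemod 16384 0 - Live 0xffffffffc0c00000 (OE)
vendor_drv 5000000 10 - Live 0xffffffffc1000000 (POE)
"""
SAMPLE_PRELOAD = "# comment line\n/usr/local/lib/libsample.so\n"


def report():
    """Summarise taint reasons, flagged modules and preload entries from the samples."""
    taints = decode_taint(SAMPLE_TAINTED)
    return {"taint_flags": sorted(taints),
            "taint_reasons": [SUSPICIOUS[t] for t in sorted(taints) if t in SUSPICIOUS],
            "flagged_modules": flagged_modules(SAMPLE_MODULES),
            "preload": preload_entries(SAMPLE_PRELOAD)}


if __name__ == "__main__":
    print(report())
```

On a real host, read the three files in place of the samples; a vendor driver will legitimately carry `O` or `P`, so treat the flags as a triage signal to correlate with module load telemetry, not as a verdict.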