Rootkit Hunter (commonly abbreviated as “RKH”) is a security monitoring and analysis tool for POSIX-compliant systems. It helps you detect known rootkits and malware, and flags generally bad security practices. Rootkits have a characteristic structure and place files in certain locations, which are known to the Rootkit Hunter team; this is similar to virus signatures. RKH offers additional scans that may assist you.

Changes include:
- Whitelist rootkit strings (RTKT_FILE_WHITELIST).
- Whitelist items not always present (EXISTWHITELIST).
- Whitelist combined pathname and port number (PORT_WHITELIST).
- Added Whirlpool and Ripemd160 hashes to file properties check.
- Support for DragonFly BSD.
- Support for Solaris OS package management.
- The ‘suspicious files’ check displays each item individually.
- The ‘--enable’ and ‘--disable’ command-line options may now be specified more than once.
- Grsecurity-enabled systems may now run the network ‘ports’ test.
- Allow test names for the ‘unhide’ command (UNHIDE_TESTS).
- Rootkit checks added: OS X Togroot and Boonana (Koobface.A) trojan, Solaris Wanuk backdoor and worm, and Inqtana worm.
- Better support for *BSD commands and OS X.