Userland rootkits are lame (2022)

The author shares their expertise on userland rootkits, highlighting a clever Linux rootkit called Symbiote. Despite its sophisticated hiding techniques, such as injecting a library into every process and hiding files and processes, the rootkit remains easy to detect. Statically compiled binaries like busybox blunt userland rootkits because library-injection hooks only take effect in dynamically linked programs. The author suggests reading /proc/self/maps, examining the environment variables on the stack, and comparing file lists from trusted and untrusted tools to detect and defeat these rootkits. Overall, userland rootkits are deemed weak and easily countered with the right tools and methods.

https://grugq.substack.com/p/userland-rootkits-are-lame
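The three checks the summary mentions, written out as an added example (this is not code from the original post or from any Symbiote analysis): a scan of /proc/<pid>/maps for shared objects mapped from odd places, a look for LD_PRELOAD in a process environment and entries in /etc/ld.so.preload, and a set difference between a file listing taken with a static binary and one taken with a dynamic binary. The sample /proc contents, the `/dev/shm/.x/libstealth.so` path and the trusted-directory list are constructed assumptions for the demonstration; `check_self()` runs the first two checks against the calling process on a real Linux host.

```python
from __future__ import annotations

import os
from typing import Iterable

# Assumption: a legitimately installed shared object loads from one of these directories.
TRUSTED_LIB_DIRS = ("/lib", "/lib64", "/usr/lib", "/usr/lib64", "/usr/local/lib")


def _under_trusted_dir(path: str) -> bool:
    return any(path == d or path.startswith(d + "/") for d in TRUSTED_LIB_DIRS)


def suspicious_libraries(maps_text: str) -> list[str]:
    """Scan /proc/<pid>/maps text for file-backed mappings that look injected.

    Flags mappings whose file name starts with a dot, and shared objects that
    load from outside the trusted directories or whose backing file has been
    deleted (a dropped-then-unlinked .so still shows up here).
    """
    hits: list[str] = []
    seen: set[str] = set()
    for line in maps_text.splitlines():
        parts = line.split(None, 5)  # addr perms offset dev inode [path]
        if len(parts) < 6:
            continue  # anonymous mapping, nothing to inspect
        path = parts[5].strip()
        if not path.startswith("/") or path in seen:
            continue  # [stack], [vdso], [heap] pseudo-paths and repeats
        seen.add(path)
        deleted = path.endswith(" (deleted)")
        real = path[: -len(" (deleted)")] if deleted else path
        name = os.path.basename(real)
        if name.startswith(".") or (".so" in name and (deleted or not _under_trusted_dir(real))):
            hits.append(path)
    return hits


def preload_indicators(environ_bytes: bytes, ld_so_preload_text: str) -> list[str]:
    """Report LD_PRELOAD from a NUL-separated /proc/<pid>/environ blob and any
    live (non-comment) line of /etc/ld.so.preload."""
    findings: list[str] = []
    for entry in environ_bytes.split(b"\0"):
        if entry.startswith(b"LD_PRELOAD="):
            findings.append("env:" + entry.decode("utf-8", "replace"))
    for line in ld_so_preload_text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            findings.append("ld.so.preload:" + line)
    return findings


def hidden_entries(static_listing: Iterable[str], dynamic_listing: Iterable[str]) -> set[str]:
    """Names a statically linked lister (busybox ls) reports that a dynamically
    linked one omits; anything here is being filtered out of readdir()."""
    return set(static_listing) - set(dynamic_listing)


def check_self() -> dict[str, list[str]]:
    """Run the maps and preload checks against the current process (Linux only)."""
    with open("/proc/self/maps") as f:
        maps = f.read()
    with open("/proc/self/environ", "rb") as f:
        env = f.read()
    try:
        with open("/etc/ld.so.preload") as f:
            preload = f.read()
    except FileNotFoundError:
        preload = ""
    return {"libraries": suspicious_libraries(maps), "preload": preload_indicators(env, preload)}


# Constructed sample data: a python3 process with one library loaded from /dev/shm.
SAMPLE_MAPS = """\
55d1c0000000-55d1c0001000 r--p 00000000 fd:01 1234 /usr/bin/python3.11
7f2a10000000-7f2a10200000 r-xp 00000000 fd:01 5678 /usr/lib/x86_64-linux-gnu/libc.so.6
7f2a10400000-7f2a10401000 r-xp 00000000 fd:01 9012 /usr/lib/x86_64-linux-gnu/libpthread.so.0
7f2a10600000-7f2a10601000 r-xp 00000000 00:2a 3456 /dev/shm/.x/libstealth.so
7ffd00000000-7ffd00021000 rw-p 00000000 00:00 0 [stack]
7ffd00100000-7ffd00102000 r-xp 00000000 00:00 0 [vdso]
"""
SAMPLE_ENVIRON = b"HOME=/root\0LD_PRELOAD=/dev/shm/.x/libstealth.so\0PATH=/usr/bin\0"
SAMPLE_LD_SO_PRELOAD = "# managed by nobody\n/dev/shm/.x/libstealth.so\n"
SAMPLE_STATIC_LS = ["bin", "etc", ".x", "tmp"]
SAMPLE_DYNAMIC_LS = ["bin", "etc", "tmp"]

if __name__ == "__main__":
    print("sample maps  :", suspicious_libraries(SAMPLE_MAPS))
    print("sample preload:", preload_indicators(SAMPLE_ENVIRON, SAMPLE_LD_SO_PRELOAD))
    print("sample hidden :", hidden_entries(SAMPLE_STATIC_LS, SAMPLE_DYNAMIC_LS))
    if os.path.exists("/proc/self/maps"):
        print("this process  :", check_self())
```

The maps parser uses `str.split(None, 5)` rather than a regex so that a pathname containing spaces or the ` (deleted)` suffix survives intact; the listing comparison is deliberately just a set difference, because the point of the busybox trick is that the static binary's view is the ground truth and any name missing from the dynamic binary's view is the finding.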
