- MD5 hash comparison: computing the MD5 hash of the most important files and comparing it with known hashes.
- Default files: scanning for the ‘default’ files and directories used by rootkits, so not much time is consumed.
- Hidden files: scanning for hidden files in places where they are not supposed to be (like in /tmp), to track down malicious files.
- Operating system specific tests: you can select the OS you are using. The advantage is that some parts of one operating system are not available on others, so not every test has to run every time. For example, on Linux we can compare the processes in `ps` against the available files in /proc.
- File permissions: all clean systems have ‘normal’ permissions. Searching for unusual file permissions can help in detecting an installed rootkit.
- Kernel modules: Operating systems like Linux and FreeBSD support the use of ‘kernel modules’. These modules give an administrator the power to load and unload modules (on the fly) to extend the possibilities of the kernel.
- Listening ports: some rootkits listen on a static port for incoming connections, so some rootkits can be caught by checking for listening ports.
- String scanner: the scanner scans plaintext and binary files for the presence of strings which are used in malicious files. It uses a dictionary to compare scanned files with known Trojans, sniffers, backdoors etc.
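
The `ps` versus /proc comparison mentioned in the list above, as an added Python example (not code from the tool described here): it flags PIDs that stay visible in /proc across the whole check but are missing from `ps` output. The function names and the sample data are assumptions constructed for illustration.

```python
import os
import subprocess


def parse_ps(ps_output):
    """PIDs from `ps -e -o pid=` output (one PID per line, no header)."""
    return {int(tok) for tok in ps_output.split() if tok.isdecimal()}


def parse_proc(entries):
    """PIDs from a /proc directory listing: the all-numeric entry names."""
    return {int(name) for name in entries if name.isdecimal()}


def hidden_pids(proc_before, ps_pids, proc_after):
    """PIDs present in /proc both before and after the ps run, yet not in ps.

    Requiring both /proc snapshots filters out processes that merely started
    or exited while the check was running (including the ps process itself).
    """
    return sorted((proc_before & proc_after) - ps_pids)


def scan_live():
    """Run the comparison on the local Linux host."""
    before = parse_proc(os.listdir("/proc"))
    ps = subprocess.run(["ps", "-e", "-o", "pid="],
                        capture_output=True, text=True, check=True)
    after = parse_proc(os.listdir("/proc"))
    return hidden_pids(before, parse_ps(ps.stdout), after)


# Constructed sample data (not captured from a real system).
# PID 977 is in /proc the whole time but ps does not report it.
# PID 1503 exits after ps ran; 1610 is ps itself; 1611 starts afterwards.
SAMPLE_PROC_BEFORE = ["1", "2", "412", "977", "1503", "cpuinfo", "self"]
SAMPLE_PS = "    1\n    2\n  412\n 1503\n 1610\n"
SAMPLE_PROC_AFTER = ["1", "2", "412", "977", "1611", "cpuinfo", "self"]


def demo():
    return hidden_pids(parse_proc(SAMPLE_PROC_BEFORE),
                       parse_ps(SAMPLE_PS),
                       parse_proc(SAMPLE_PROC_AFTER))


if __name__ == "__main__":
    print("constructed sample, PIDs missing from ps:", demo())
    if os.path.isdir("/proc/1"):
        print("this host, PIDs missing from ps:", scan_live())
```

Because `ps` on Linux reads /proc itself, a non-empty result points at a tampered `ps` binary; a rootkit that filters /proc inside the kernel is hidden from both views and needs a different test.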
You can find more details and download the tool on the official website.