by WfAjWDYpDHDYCN5 1410 days ago
If you have a rootkit that you're concerned about copying around, that can somehow persist through pretty much everything on the system being upgraded at some point or another... you should probably also be worried about the various vectors that the rootkit could use to persist across OS reloads.
2 comments

It doesn't really need to be well hidden if you're not actively looking. A shell script and a crontab entry / bashrc exec / init system entry is very low tech.

Pair that with a slightly higher (but still low overall) tech LD_PRELOAD libc shim so it hides itself and you got something just stealthy enough that you wouldn't find it if you don't look for it.

Remember, the easiest privilege escalation is aliasing sudo and patience.
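A defender-side check for the low-tech persistence spots this comment lists (an LD_PRELOAD export in a shell rc file, a sudo alias or shell function, an entry in /etc/ld.so.preload), added here as an example and not code from the thread; the rc-file and ld.so.preload contents are constructed samples, not real files.

```python
import re

# Constructed ~/.bashrc fragment: benign lines mixed with the tricks described
# above (an LD_PRELOAD shim and a shadowed sudo).
SAMPLE_BASHRC = """\
# ~/.bashrc
export PATH="$HOME/bin:$PATH"
alias ll='ls -alF'
export LD_PRELOAD=/usr/lib/.cache/libc_shim.so
alias sudo='/home/user/.local/bin/sudo'
sudo() { /tmp/.x/sudo "$@"; }
"""

# Constructed /etc/ld.so.preload: on a clean system the file is absent or empty,
# so any non-comment line deserves a look.
SAMPLE_LD_SO_PRELOAD = """\
# placeholder comment
/usr/lib/.cache/libc_shim.so
"""

# Each pattern redirects trusted behaviour through untrusted code: a global
# preload library, or a sudo replacement that sees every password typed.
PATTERNS = {
    "ld_preload_env": re.compile(r"^\s*(export\s+)?LD_PRELOAD\s*="),
    "sudo_alias": re.compile(r"^\s*alias\s+sudo\s*="),
    "sudo_function": re.compile(r"^\s*(function\s+)?sudo\s*\(\s*\)"),
}

def scan_rc_file(text: str) -> list[tuple[int, str, str]]:
    """Return (line_number, finding_type, stripped_line) for each suspicious line."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pattern in PATTERNS.items():
            if pattern.search(line):
                findings.append((lineno, name, line.strip()))
                break  # one finding per line is enough
    return findings

def scan_ld_so_preload(text: str) -> list[str]:
    """Return every library path listed in ld.so.preload, ignoring comments and blanks."""
    return [ln.strip() for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")]

if __name__ == "__main__":
    for lineno, kind, line in scan_rc_file(SAMPLE_BASHRC):
        print(f"bashrc line {lineno}: {kind}: {line}")
    for path in scan_ld_so_preload(SAMPLE_LD_SO_PRELOAD):
        print(f"ld.so.preload entry: {path}")
```

A preload shim that hides itself can lie to any dynamically linked reader, this script included, so run the check on the files from an offline or live-media boot rather than on the running system.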

I don't disagree with that but some OS re-installs also correspond with buying an entirely new machine. And I'm the kind of paranoid person who burns install DVDs and then checks the DVD's checksums from an offline computer before doing an install on my desktop, for example. Now, sure, the rootkit may try to hide in my Git repos (but that's not the easiest trick to pull) or shell scripts (but they're versioned with Git) etc.

I still like it that way: a good old write-once DVD, checksummed, and a brand new install. Ideally on new hardware but that's not always the case.