The most recent stable version of rkhunter failed to detect Jynx on my machine. The rootkit was not installed in one of the typical locations, "/xochikit" or "/omgxochi", but resided in "/var/local/^^" instead. Reading "/var/local" with "ls" was prevented by the rootkit (it resulted in an error). Also, "/etc/ld.so.preload" was made invisible by the rootkit. I was able to detect the rootkit by running "ldd" against any executable, which listed the library "ld_poison.so" as a prerequisite. "lsof | grep ld_poison" showed that the library was loaded by many processes. Furthermore, launching 32-bit executables showed an error that "ld_poison.so" could not be loaded, because the OS was 64-bit and, obviously, so was the library. 32-bit executables ran fine regardless. I suggest that the detection mechanism of rkhunter be extended by the methods which allowed me to detect the presence of the rootkit. I am sorry, I cannot provide logs, because the OS has been wiped. If you have any questions, I will do my best to answer them, though.
Can I ask how ' "/etc/ld.so.preload" was made invisible'?
I suspect that if the SCANROOTKITMODE was set to thorough, then the rootkit would have been detected. However, use of that option is not recommended.
Perhaps extend the shared_libs check to run ldd against a common binary and check the output against a list of known bad libraries? And/or run lsof and again check against the list. Perhaps use a '.dat' file??
The rootkit (in particular ld_poison) overwrites functions necessary for directory listings, e.g., stat(). I assume it made /etc/ld.so.preload invisible simply by omitting it from the result of certain functions.
Your suggested methods of detecting the particular rootkit on my system sound like they would work. I am not sure, though, what you mean by '.dat' file.
Thanks for looking into this and your effort in general!
Fixed with rkhunter-1.4.2 ClamAV sig RKH_jynx.ldb.
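The ldd/lsof check proposed in this thread, sketched as an added example; it is not part of the original thread and is not rkhunter's own code. The function names, the `KNOWN_BAD_LIBS` list and the sample ldd output are assumptions made for illustration; only the library name `ld_poison.so` comes from the report.

```shell
#!/bin/sh
# Space-separated basenames of known-bad preload libraries. Only ld_poison.so
# is taken from the report; a real check would load this list from a data
# file (assumption, in the spirit of the '.dat' idea in the thread).
KNOWN_BAD_LIBS="ld_poison.so"

# Constructed sample of ldd output on an affected host (not a real capture).
SAMPLE_LDD='    linux-vdso.so.1 (0x00007ffd0a5f2000)
    /var/local/^^/ld_poison.so (0x00007f3a1c400000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f3a1c000000)'

# Read ldd- or lsof-style text on stdin and print every known-bad library
# whose exact basename appears in any field, one per line, without repeats.
find_bad_libs() {
    awk -v bad="$KNOWN_BAD_LIBS" '
        BEGIN { n = split(bad, list, " ") }
        {
            for (f = 1; f <= NF; f++) {
                m = split($f, parts, "/")   # last path component = basename
                base = parts[m]
                for (i = 1; i <= n; i++)
                    if (base == list[i] && !seen[base]++)
                        print base
            }
        }'
}

# Libraries the dynamic loader would map into a common binary.
check_ldd() {
    ldd "${1:-/bin/ls}" 2>&1 | find_bad_libs
}

# Libraries currently mapped by running processes (needs lsof, run as root).
check_lsof() {
    lsof 2>/dev/null | find_bad_libs
}

# Combine both checks; return 1 and print a warning if anything matched.
scan_preload() {
    hits=$( { check_ldd /bin/ls; check_lsof; } | sort -u )
    if [ -n "$hits" ]; then
        echo "Warning: known-bad shared library loaded: $hits"
        return 1
    fi
    return 0
}
```

Matching is on the exact basename, so it only finds libraries already on the list.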