Chkrootkit result after installing NVIDIA Driver from RPM fusion

Hello everyone! I am a new Fedora 37 user (with no significant experience with other GNU/Linux distros). My laptop has an NVIDIA GPU which I need to use with CUDA and so I installed the necessary proprietary driver from the RPM Fusion repository using the Howto NVIDIA guide. Because I have SecureBoot enabled I followed the instructions in Howto Secure Boot with the mokutil --import /etc/pki/akmods/certs/public_key.der then added the password into the prompt shown after rebooting.

After doing this I ran a chkrootkit scan (it was already installed before the NVIDIA driver) and got the following results (only showing the ones displaying some kind of warning):

    Searching for suspicious files and dirs, it may take a while...
    /usr/lib/.build-id
    /usr/lib/debug/.build-id
    /usr/lib/debug/.dwz
    /usr/lib/debug/usr/.dwz
    /usr/lib/modules/6.0.7-301.fc37.x86_64/.vmlinuz.hmac
    /usr/lib/modules/6.1.11-200.fc37.x86_64/.vmlinuz.hmac
    /usr/lib/modules/6.1.12-200.fc37.x86_64/.vmlinuz.hmac
    /usr/lib/sysimage/rpm/.rpm.lock
    /usr/lib/sysimage/rpm/.rpmdbdirsymlink_created
    /usr/lib/.build-id
    /usr/lib/debug/.build-id
    /usr/lib/debug/.dwz

and then:

    Searching for Linux.Xor.DDoS ... INFECTED: Possible Malicious Linux.Xor.DDoS installed
    /tmp/akmodsbuild.5rwnHCGo/BUILD/nvidia-kmod-525.89.02/kernel/conftest.sh
    /tmp/akmodsbuild.5rwnHCGo/BUILD/nvidia-kmod-525.89.02/kernel-open/conftest.sh
    /tmp/akmodsbuild.5rwnHCGo/BUILD/nvidia-kmod-525.89.02/_kmod_build_6.1.12-200.fc37.x86_64/conftest.sh
    /tmp/akmodsbuild.5rwnHCGo/SOURCES/nvidia-kmodtool-excludekernel-filterfile
    /tmp/akmodsbuild.5rwnHCGo/BUILDROOT/nvidia-kmod-525.89.02-1.fc37.x86_64/lib/modules/6.1.12-200.fc37.x86_64/extra/nvidia/nvidia-drm.ko
    /tmp/akmodsbuild.5rwnHCGo/BUILDROOT/nvidia-kmod-525.89.02-1.fc37.x86_64/lib/modules/6.1.12-200.fc37.x86_64/extra/nvidia/nvidia-modeset.ko
    /tmp/akmodsbuild.5rwnHCGo/BUILDROOT/nvidia-kmod-525.89.02-1.fc37.x86_64/lib/modules/6.1.12-200.fc37.x86_64/extra/nvidia/nvidia-peermem.ko
    /tmp/akmodsbuild.5rwnHCGo/BUILDROOT/nvidia-kmod-525.89.02-1.fc37.x86_64/lib/modules/6.1.12-200.fc37.x86_64/extra/nvidia/nvidia-uvm.ko
    /tmp/akmodsbuild.5rwnHCGo/BUILDROOT/nvidia-kmod-525.89.02-1.fc37.x86_64/lib/modules/6.1.12-200.fc37.x86_64/extra/nvidia/nvidia.ko

Is this something to be concerned about or is it a false positive?

Thank you for your attention!

Did you reboot after installing the nvidia drivers?
If not then

  1. The driver is likely not yet active
  2. The files used to build those kernel modules remain in /tmp and would disappear when you reboot since /tmp is a virtual file system in RAM. Those, as part of the build for the nvidia drivers, definitely seem to be false positives. When you reboot those files in /tmp should disappear.

Chkrootkit tends to pick up hidden files in the system areas as potential threats. I suspect it was reporting those files, which are all hidden, as things to look at, but it is up to you to decide if they are real or false positives.

The hidden files reported there do not seem a threat in my experience (but I am not a security expert) and I have many more reported similarly.

Information is at /usr/share/chkrootkit/ and at chkrootkit -- locally checks for signs of a rootkit

chkrootkit is prone to certain false positives—to the point there is an extra document included in the Fedora package about it. See /usr/share/doc/chkrootkit/README.false_positives which explains about the files in /usr/lib.

Also, it apparently flags any executable file in /tmp as Linux.Xor.DDoS, which is irresponsible IMO, given the scary-looking name and “INFECTED” output.
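
Added example (not from any poster in this thread, and not chkrootkit's own code): a shell triage of the kind of hits shown in the question, assuming, as the last reply says, that the check reports any executable file under /tmp. The function names and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example (not chkrootkit's code). Assumption, taken from the thread:
# the check reports every executable regular file found under /tmp.

# list_tmp_execs DIR: executable regular files under DIR (any x bit set).
list_tmp_execs() {
    find "$1" -type f \( -perm -100 -o -perm -010 -o -perm -001 \) 2>/dev/null | sort
}

# classify_path PATH: "akmods-build" for files inside an akmodsbuild.* scratch
# tree, "review" for everything else. A path match is a hint, not proof.
classify_path() {
    case "$1" in
        */akmodsbuild.*/BUILD/*|*/akmodsbuild.*/BUILDROOT/*|*/akmodsbuild.*/SOURCES/*)
            echo akmods-build ;;
        *)  echo review ;;
    esac
}

# triage_tmp_execs DIR: one line per hit: label, owner uid, path (tab separated).
triage_tmp_execs() {
    list_tmp_execs "$1" | while IFS= read -r f; do
        uid=$(ls -ldn "$f" | awk '{print $3}')
        printf '%s\tuid=%s\t%s\n' "$(classify_path "$f")" "$uid" "$f"
    done
}

# count_label DIR LABEL: number of hits carrying LABEL.
count_label() {
    triage_tmp_execs "$1" | awk -F'\t' -v l="$2" '$1 == l { n++ } END { print n + 0 }'
}

# make_sample_tree: constructed stand-in for /tmp, modelled on the paths in the post.
make_sample_tree() {
    d=$(mktemp -d) || return 1
    b="$d/akmodsbuild.EXAMPLE/BUILD/nvidia-kmod-525.89.02/kernel"
    r="$d/akmodsbuild.EXAMPLE/BUILDROOT/extra/nvidia"
    mkdir -p "$b" "$r" "$d/other"
    : > "$b/conftest.sh";  chmod 755 "$b/conftest.sh"
    : > "$r/nvidia.ko";    chmod 755 "$r/nvidia.ko"
    : > "$b/README";       chmod 644 "$b/README"       # not executable: never listed
    : > "$d/other/run.sh"; chmod 755 "$d/other/run.sh" # outside the build tree
    echo "$d"
}

# Run against a real directory only when one is given: sh triage.sh /tmp
if [ "$#" -gt 0 ]; then triage_tmp_execs "$1"; fi
```

Hits labelled akmods-build match the akmods scratch directory layout shown in the question; a path match alone does not prove origin, so anything labelled review, or owned by an unexpected uid, deserves a closer look.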