Mostly when I suspect that there is rootkit presence on Linux, the first I would go for is I am sure mostly all admins prefer the same or rkhunter. Yesterday just of curiosity when I checked the chkrrootkit script I saw that it would check for the default locations where the rootkit infects. If a dedicated hacker completely re-engineers the code, I don’t think it would throw out a error. I believe that the speed with which it scans out results is also because of it. I may be wrong as i have not read the complete script but rare.