I ran rkhunter in sys-firewall, sys-net and in 2 more offline (netvm set to none) appvms, and it indicated possible presence of dica-kit rootkit.
Here is the part from /var/log/rkhunter/rkhunter.log
Info: Starting test name ‘running_procs’
Checking running processes for suspicious files [ Warning ]
Warning: The following processes are using suspicious files:
Command: xl
UID: 0 PID: 513
Pathname: /usr/sbin/xl
Possible Rootkit: Dica-Kit Rootkit
Command: xl
UID: 514 PID: 513
Pathname: 212360
Possible Rootkit: Dica-Kit Rootkit