Drovorub: Russia Pushing Invisible Malware, say NSA and FBI

Fancy Bear is at it again, claim the National Security Agency and the Federal Bureau of Investigation. This time, it’s said to be infecting Linux machines with Drovorub, rootkit malware that’s very hard to detect.

Also known as APT28, it’s known for such state-sponsored hacks as leaking the DNC’s email and sending death threats to U.S. military wives. The malware itself has been sourced to the Russian GRU, we’re told.

But is there a There there? In today’s SB Blogwatch, there’s the rub.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Mashup mastery.

Penguin vs. Bear

What’s the craic? Ionut Ilascu reports—“NSA discloses new Russian-made Drovorub malware targeting Linux”:

 The malicious framework has various modules that ensure stealthiness, persistence, and complete access to the compromised machine with the highest privileges. [The] technical report (a joint effort with the FBI) detail[s] Drovorub’s capabilities … offer[s] detection and prevention solutions [and] says that the framework includes a kernel module rootkit.

The NSA and the FBI attribute the malware to the Russian General Staff Main Intelligence Directorate 85th Main Special Service Center (GTsSS), military unit 26165, [which] is linked to … the advanced hacking collective known as Fancy Bear (APT28, Strontium, Group 74, PawnStorm, Sednit, Sofacy, Iron Twilight). … The name of the malware means ‘woodcutter’ in Russian and the NSA says that it is how GTsSS refers to the toolset.

As prevention methods, the NSA recommends installing the latest Linux updates … at least Linux Kernel 3.7, which offers kernel signing enforcement [and] the latest software versions available.

And Shaun Nichols adds—“four words you never want to see together: Fancy Bear Linux rootkit”:

 What is particularly nasty about the malicious code is its kernel module, which runs at the heart of the operating system. This hooks into the kernel to intercept and filter system calls so that users, administrators, and automated antivirus tools cannot see its files on disk nor observe its activities.

That the Fancy Bear crew would be the ones to wield something like this is not surprising. This military unit … is far more sophisticated and organized than your common or garden hacker gang, judging from its past exploits. [It] tends to work on extremely high-value areas that the Kremlin has an interest in – things like foreign governments, technology blueprints, commercial deals, and compromising information aka kompromat.

No Such Agency? The NSA and FBI say they “conduct investigations in the cyber space”:

 When deployed on a victim machine, Drovorub provides the capability for direct communications with actor-controlled command and control infrastructure; file download and upload capabilities; execution of arbitrary commands; port forwarding of network traffic to other hosts on the network; and implements hiding techniques to evade detection. … NSA and FBI are sharing this information to counter the capabilities … of the GRU GTsSS, an organization which continues to threaten the United States and its allies.

GTsSS … uses a wide variety of proprietary and publicly known techniques to target networks and to persist their malware on commercial devices. … Implementing SecureBoot in “full” or “thorough” mode should reliably prevent malicious kernel modules. … This will prevent Drovorub from being able to hide itself on a system.

Such words. Many cyber. Wow. Bill McGonigle cuts to the chase:

 By all means read the full vulnerability report. … However, if you just want to check an existing system (cf. p.36) for an extant compromise, you can try:

touch testfile
echo "ASDFZXCV:hf:testfile" > /dev/zero   # a no-op on a clean kernel; the rootkit intercepts this write
ls testfile                               # "No such file or directory" here means the file is being hidden

If the file appears to be missing, then the drovorub kernel module is loaded and hiding the file (its rootkit method).

NSA recommends UEFI full secure boot as a remedy, though this is widely unavailable from hosting providers and not currently reliable under GRUB2 until the entire Boothole fiasco is resolved. Perhaps an initramfs-based sanity check could be developed using a signature list kept on storage with hardware write-protect (real or enforced by hypervisor).
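Pulling together the two practical threads above (the NSA’s prevention advice of a kernel that enforces module signatures, ideally under Secure Boot, and McGonigle’s file-hiding probe), here is an added example script. It is not code from the advisory, from the NSA/FBI report, or from any of the commenters quoted on this page. It assumes a stock Linux with sysfs at /sys and efivarfs at /sys/firmware/efi/efivars, and a writable /dev/zero; the parameter path, the efivars byte layout and the function names are the editor’s own choices, not anything the report specifies.

```shell
#!/bin/sh
# Added example, not code from the NSA/FBI advisory or from the commenters
# quoted above. It combines the page's two practical points into one check:
#  - the advisory's prevention advice (a kernel that enforces module
#    signatures, ideally under UEFI Secure Boot), reported as posture, and
#  - the advisory's file-hiding probe (write "ASDFZXCV:hf:<name>" to
#    /dev/zero and see whether <name> still appears), run as a detection.
# Assumptions (the editor's, not the advisory's): sysfs is mounted at /sys,
# efivarfs at /sys/firmware/efi/efivars, and /dev/zero is writable.

# Posture 1: does the kernel refuse unsigned modules?
# Prints "enforced", "not-enforced", or "unknown" (parameter absent: kernel
# built without CONFIG_MODULE_SIG, or without loadable module support at all).
module_sig_enforce_state() {
    f=/sys/module/module/parameters/sig_enforce
    [ -r "$f" ] || { echo unknown; return; }
    case "$(cat "$f" 2>/dev/null)" in
        Y) echo enforced ;;
        N) echo not-enforced ;;
        *) echo unknown ;;
    esac
}

# Posture 2: is UEFI Secure Boot on? efivarfs files carry 4 bytes of
# attributes followed by the variable data; for SecureBoot the data is one
# byte, 1 = enabled. Prints "enabled", "disabled", or "unknown" (no EFI).
secure_boot_state() {
    for v in /sys/firmware/efi/efivars/SecureBoot-*; do
        [ -r "$v" ] || continue
        case "$(od -An -tu1 -j4 -N1 "$v" 2>/dev/null | tr -d ' ')" in
            1) echo enabled;  return ;;
            0) echo disabled; return ;;
        esac
    done
    echo unknown
}

# Detection: the advisory's probe, made self-cleaning. $1 is a writable
# directory. Creates a file, sends its name down the hide channel (the magic
# write to /dev/zero, which is a no-op on a clean kernel), then checks the
# file two ways, because a rootkit may filter directory listings (getdents)
# separately from path lookups (stat). "visible" means both still see it,
# "hidden" means at least one does not, "error" means the probe could not run.
drovorub_hide_probe() {
    dir=${1:-.}
    name="drovorub_probe_$$"
    path="$dir/$name"
    : > "$path" 2>/dev/null || { echo error; return 1; }
    echo "ASDFZXCV:hf:$name" > /dev/zero 2>/dev/null || true
    if ls "$path" >/dev/null 2>&1 && ls -a "$dir" | grep -qx "$name"; then
        result=visible
    else
        result=hidden
    fi
    rm -f "$path" 2>/dev/null || true   # best effort; a rootkit may also block unlink
    echo "$result"
}

report() {
    echo "module signature enforcement: $(module_sig_enforce_state)"
    echo "uefi secure boot:             $(secure_boot_state)"
    echo "drovorub file-hiding probe:   $(drovorub_hide_probe "${TMPDIR:-/tmp}")"
}

report
```

Two caveats a practitioner should keep in mind. First, “visible” only says this one hiding channel was not active; it is not evidence that the box is clean. Second, “enforced” is the state you actually want, and it is not implied by a 3.7-or-later kernel on its own: kernel 3.7 added the ability to verify module signatures, but unsigned modules are still refused only when the kernel is built with CONFIG_MODULE_SIG_FORCE or booted with module.sig_enforce=1 (or a distro ties enforcement to Secure Boot), so check the parameter rather than the version number.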

What’s missing from the report? This Anonymous Coward sounds nonplussed:

 Except that they don’t mention the most important thing: how the nastyware gets installed on the server. Yeah, spearphishing, sure! I don’t know many people who are checking their email on a Linux production server.

I’ve been reading this for decades now. It is called a rootkit, so I don’t see anything special about it. … Really, nothing new to see here and I don’t know why those two TLAs are wasting their resources.

Also, if you’re running Linux kernel v3 you clearly demonstrate you have no clue.

True, dat. FudRucker agrees:

 The 3.7.xx kernels are old, old kernels; even Slackware-14, which was released four years ago, ran a 4.4.xx kernel. Not sure about Android builds or Linux-based router builds. kernel.org doesn’t even have a 3.7.xx kernel on their page, so I guess it is … obsolete.

It gets worse, complains svrb:

 If you’re running a module-enabled kernel then you were already pwned to begin with; nothing to see here. There is absolutely no need for modules except on live CDs and the like. Of course, kernel configuration is another huge headache; don’t get me wrong.

Your tax dollars at work? A slightly sarcastic gavron bars no holds:

 Kernel 3.7 – 2012. … Wow, thank you FBI and NSA for being so transparent and helpful to tell us about something the Linux kernel resolved 8 years ago.

Maybe in 2028 you’ll tell us what threats we’re facing today, you useless ****s.

Meanwhile, nospam007 simply can’t resist:

 Drovorub? Sounds like a muscle cream.

And Finally:

Mashup mastery

Previously in And Finally

You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or [email protected]. Ask your doctor before reading. Your mileage may vary. E&OE. 30.

Image sauce: Department of Information and Mass Communications of the Ministry of Defense of the Russian Federation (cc:by)

Richi Jennings

Richi Jennings is a foolish independent industry analyst, editor, and content strategist. A former developer and marketer, he’s also written or edited for Computerworld, Microsoft, Cisco, Micro Focus, HashiCorp, Ferris Research, Osterman Research, Orthogonal Thinking, Native Trust, Elgan Media, Petri, Cyren, Agari, Webroot, HP, HPE, NetApp on Forbes and CIO.com. Bizarrely, his ridiculous work has even won awards from the American Society of Business Publication Editors, ABM/Jesse H. Neal, and B2B Magazine.
