Kitz Forum

Computer Software => Security => Topic started by: burakkucat on August 24, 2020, 11:36:16 PM

Title: Linux Kernel: Russian Drovorub Malware
Post by: burakkucat on August 24, 2020, 11:36:16 PM
Here is a link to the USA NSA FBI Cybersecurity Advisory titled "Russian GRU 85th GTsSS Deploys Previously Undisclosed Drovorub Malware (https://media.defense.gov/2020/Aug/13/2002476465/-1/-1/0/CSA_DROVORUB_RUSSIAN_GRU_MALWARE_AUG_2020.PDF)", downloadable as a PDF file.

The contents are relevant to all users of those OSs that deploy a Linux kernel.
Title: Re: Linux Kernel: Russian Drovorub Malware
Post by: Alex Atkin UK on August 25, 2020, 02:22:01 AM
TMI, surely all we need to know is how you get infected and if there is anything we can do to avoid it?

I assume the only way to avoid this is enabling mandatory module signing? Which by default is off, as it would break NVIDIA support.
Title: Re: Linux Kernel: Russian Drovorub Malware
Post by: broadstairs on August 25, 2020, 09:15:44 AM
That document says kernel signing enforcement is there from v3.7 and one should update to at least that level. Assuming the numbers are the same, my kernel is 5.7 on openSUSE Tumbleweed and 4.? (not sure of the point value) on Leap!

Stuart
Title: Re: Linux Kernel: Russian Drovorub Malware
Post by: meritez on August 25, 2020, 10:38:52 AM
TMI, surely all we need to know is how you get infected and if there is anything we can do to avoid it?

I assume the only way to avoid this is enabling mandatory module signing? Which by default is off, as it would break NVIDIA support.

Easier read here: https://hackaday.com/2020/08/22/fbi-reports-on-linux-drovorub-malware/

"The rootkit won’t persist if you have UEFI boot fully enabled"
Title: Re: Linux Kernel: Russian Drovorub Malware
Post by: Alex Atkin UK on August 27, 2020, 04:11:59 PM
Easier read here: https://hackaday.com/2020/08/22/fbi-reports-on-linux-drovorub-malware/

"The rootkit won’t persist if you have UEFI boot fully enabled"

I assume they mean Secure Boot, which again has to be turned off for non-signed kernel modules, which is presumably how this infection works.

So basically you're still screwed if you have an NVIDIA GPU and need to use the official binary.
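A quick way to check the three settings the posts above turn on (kernel at or above 3.7, module signature enforcement, UEFI Secure Boot). This is an added example, not code from the thread or from the NSA/FBI advisory; it assumes the standard Linux sysfs/procfs locations and the standard EFI SecureBoot variable name, and the helper functions take their inputs as arguments so they can be tried with constructed values.

```shell
# Added example, not code from the thread or the advisory: report the three host
# settings the posts above turn on. sysfs/procfs paths are standard Linux
# locations; the helpers take their inputs as arguments so they can be exercised
# with constructed values instead of the live host.

# Is the running kernel at least 3.7, the release the advisory cites for module
# signature enforcement? Argument: a `uname -r` string such as 5.7.12-1-default.
kernel_at_least_3_7() {
    major=${1%%.*}; rest=${1#*.}; minor=${rest%%[!0-9]*}
    if [ "$major" -gt 3 ] || { [ "$major" -eq 3 ] && [ "${minor:-0}" -ge 7 ]; }; then
        echo yes
    else
        echo no
    fi
}

# Will the kernel refuse an unsigned module? Arguments:
#   $1 contents of /sys/module/module/parameters/sig_enforce (Y or N)
#   $2 contents of /proc/cmdline
#   $3 contents of /sys/kernel/security/lockdown, e.g. "none [integrity] confidentiality"
# Lockdown in integrity or confidentiality mode also rejects unsigned modules; that is
# how distro kernels booted under Secure Boot get there without CONFIG_MODULE_SIG_FORCE.
module_sig_status() {
    case "$1" in Y|y|1) echo enforced; return ;; esac
    case " $2 " in *" module.sig_enforce=1 "*) echo enforced; return ;; esac
    case "$3" in *"[integrity]"*|*"[confidentiality]"*) echo enforced; return ;; esac
    echo not-enforced
}

# Is UEFI Secure Boot on? Argument: path to the SecureBoot EFI variable file;
# the file is 4 attribute bytes followed by 1 data byte (1 = enabled).
secure_boot_status() {
    [ -r "$1" ] || { echo unknown; return; }
    if [ "$(od -An -tu1 "$1" | awk '{v=$NF} END {print v}')" = 1 ]; then
        echo enabled
    else
        echo disabled
    fi
}

# Report for the live host; every read falls back to a safe default.
report_host() {
    echo "kernel >= 3.7:      $(kernel_at_least_3_7 "$(uname -r)")"
    echo "module signatures:  $(module_sig_status \
        "$(cat /sys/module/module/parameters/sig_enforce 2>/dev/null || echo N)" \
        "$(cat /proc/cmdline 2>/dev/null)" \
        "$(cat /sys/kernel/security/lockdown 2>/dev/null)")"
    echo "UEFI Secure Boot:   $(secure_boot_status \
        /sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c)"
}
report_host
```

Run it as root on the host in question; "not-enforced" together with "disabled" means an unsigned module would load without complaint.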
Title: Re: Linux Kernel: Russian Drovorub Malware
Post by: ejs on August 27, 2020, 08:08:10 PM
I don't understand the fixation about the kernel module signing as the only way to prevent this.

The main purpose of the kernel module appears to be to hide the presence of the malware. If someone has root level access to my system to attempt to install a kernel module, their ability to hide their presence would not be my only concern. Pretty much any program set to start automatically when the system boots would also persist across reboots; it just wouldn't be hidden.
Title: Re: Linux Kernel: Russian Drovorub Malware
Post by: Alex Atkin UK on August 27, 2020, 09:05:37 PM
Being hidden is an important point though, as anything NOT hidden you can look out for, whereas if it's hidden you would never know.