Topic: Linux Kernel: Russian Drovorub Malware (Read 3269 times)

burakkucat · « **on:** August 24, 2020, 11:36:16 PM »

Here is a link to the USA NSA FBI Cybersecurity Advisory titled "Russian GRU 85th GTsSS Deploys Previously Undisclosed Drovorub Malware", downloadable as a PDF file.

The contents is relevant to all users of those OS' that deploy a Linux kernel.

Alex Atkin UK · « **Reply #1 on:** August 25, 2020, 02:22:01 AM »

TMI, surely all we need to know is how you get infected and if there is anything we can do to avoid it?

I assume the only way to avoid this is enabling mandatory module signing? Which by default is off as it would break NVIDIA support.

broadstairs · « **Reply #2 on:** August 25, 2020, 09:15:44 AM »

That document says kernel signing enforcement is there from v3.7 and one should update to at least that level, assuming the numbers are the same my kernel is 5.7 on openSUSE Tumbleweed and 4.? (not sure the point value) on Leap!

Stuart

meritez · « **Reply #3 on:** August 25, 2020, 10:38:52 AM »

Quote from: Alex Atkin UK on August 25, 2020, 02:22:01 AM

TMI, surely all we need to know is how you get infected and if there is anything we can do to avoid it?

I assume the only way to avoid this is enabling mandatory module signing? Which by default is off as it would break NVIDIA support.

Easier read here: https://hackaday.com/2020/08/22/fbi-reports-on-linux-drovorub-malware/

"The rootkit won’t persist if you have UEFI boot fully enabled"

Alex Atkin UK · « **Reply #4 on:** August 27, 2020, 04:11:59 PM »

Quote from: meritez on August 25, 2020, 10:38:52 AM

Easier read here: https://hackaday.com/2020/08/22/fbi-reports-on-linux-drovorub-malware/

"The rootkit won’t persist if you have UEFI boot fully enabled"

I assume they mean secure boot, which again has to be turned off for none-signed kernel modules which is presumably how this infection works.

So basically you're still screwed if you have an NVIDIA GPU and need to use the official binary.

ejs · « **Reply #5 on:** August 27, 2020, 08:08:10 PM »

I don't understand the fixation about the kernel module signing as the only way to prevent this.

The main purpose of the kernel module appears to be to hide the presence of the malware. If someone has root level access to my system to attempt to install a kernel module, their ability to hide their presence would not be my only concern. Pretty much any program set to start automatically when the system boots would also persist across reboots, it just wouldn't be hidden.

Alex Atkin UK · « **Reply #6 on:** August 27, 2020, 09:05:37 PM »

Being hidden is an important point though, as anything NOT hidden you can look out for, whereas if its hidden you would never know.

News:

Author Topic: Linux Kernel: Russian Drovorub Malware (Read 3269 times)

burakkucat

Linux Kernel: Russian Drovorub Malware

Alex Atkin UK

Re: Linux Kernel: Russian Drovorub Malware

broadstairs

Re: Linux Kernel: Russian Drovorub Malware

meritez

Re: Linux Kernel: Russian Drovorub Malware

Alex Atkin UK

Re: Linux Kernel: Russian Drovorub Malware

ejs

Re: Linux Kernel: Russian Drovorub Malware

Alex Atkin UK

Re: Linux Kernel: Russian Drovorub Malware