Kitz ADSL Broadband Information
Topic: Linux Kernel: Russian Drovorub Malware

burakkucat

  • Global Moderator
  • Senior Kitizen
  • Posts: 30477
  • Over the Rainbow Bridge
    • The ELRepo Project
Linux Kernel: Russian Drovorub Malware
« on: August 24, 2020, 11:36:16 PM »

Here is a link to the USA NSA FBI Cybersecurity Advisory titled "Russian GRU 85th GTsSS Deploys Previously Undisclosed Drovorub Malware", downloadable as a PDF file.

The contents are relevant to all users of those OSes that deploy a Linux kernel.
:cat:  100% Linux and, previously, Unix. Co-founder of the ELRepo Project.

Alex Atkin UK

  • Kitizen
  • Posts: 1531
    • My Broadband History
Re: Linux Kernel: Russian Drovorub Malware
« Reply #1 on: August 25, 2020, 02:22:01 AM »

TMI, surely all we need to know is how you get infected and if there is anything we can do to avoid it?

I assume the only way to avoid this is enabling mandatory module signing? That is off by default, as it would break NVIDIA support.
Exchange: INTAKE (ECI) ISP/Modems: Zen (Home Hub 5A running OpenWrt) + Plusnet (VMG-3925-B10B) + Three (Huawei B535-232)
Router: pfSense (i5-7200U) WiFi: Ubiquiti nanoHD

broadstairs

  • Kitizen
  • Posts: 3336
Re: Linux Kernel: Russian Drovorub Malware
« Reply #2 on: August 25, 2020, 09:15:44 AM »

That document says kernel signing enforcement is there from v3.7 and one should update to at least that level. Assuming the numbers are the same, my kernel is 5.7 on openSUSE Tumbleweed and 4.? (not sure of the point value) on Leap!

Stuart
ISP:TalkTalk Connection:FTTC Cab:ECI Router:Netgear D6220

meritez

  • Reg Member
  • Posts: 119
Re: Linux Kernel: Russian Drovorub Malware
« Reply #3 on: August 25, 2020, 10:38:52 AM »

> TMI, surely all we need to know is how you get infected and if there is anything we can do to avoid it?
>
> I assume the only way to avoid this is enabling mandatory module signing? That is off by default, as it would break NVIDIA support.

Easier read here: https://hackaday.com/2020/08/22/fbi-reports-on-linux-drovorub-malware/

"The rootkit won’t persist if you have UEFI boot fully enabled"

Alex Atkin UK

  • Kitizen
  • Posts: 1531
    • My Broadband History
Re: Linux Kernel: Russian Drovorub Malware
« Reply #4 on: August 27, 2020, 04:11:59 PM »

> Easier read here: https://hackaday.com/2020/08/22/fbi-reports-on-linux-drovorub-malware/
>
> "The rootkit won’t persist if you have UEFI boot fully enabled"

I assume they mean Secure Boot, which again has to be turned off for non-signed kernel modules, which is presumably how this infection works.

So basically you're still screwed if you have an NVIDIA GPU and need to use the official binary.
Exchange: INTAKE (ECI) ISP/Modems: Zen (Home Hub 5A running OpenWrt) + Plusnet (VMG-3925-B10B) + Three (Huawei B535-232)
Router: pfSense (i5-7200U) WiFi: Ubiquiti nanoHD
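The replies above circle around three controls: a kernel at or above 3.7 (where module signature verification appeared), module signature enforcement actually being switched on, and UEFI Secure Boot being active. As an added illustration (not code from the thread, from Hackaday, or from the NSA/FBI advisory), here is a read-only POSIX shell audit of all three on a live Linux host. It uses the standard sysfs and efivarfs locations; the check functions accept a path argument so they can also be exercised on constructed files. It goes a little beyond the thread in distinguishing "enforcement off" (`module.sig_enforce=N`) from "signing support not compiled in at all" (no `sig_enforce` parameter exposed).

```shell
#!/bin/sh
# Added example (not from the thread or the advisory): a read-only audit of
# kernel version, module signature enforcement and UEFI Secure Boot.
# Nothing is written; all paths are the standard Linux sysfs/efivarfs ones.

# Return 0 if kernel version $1 is at least $2 (major.minor compare;
# suffixes such as "-generic" or ".0-rc1" are ignored by awk's numeric
# conversion of "0-rc1" -> 0).
kernel_at_least() {
    printf '%s %s\n' "$1" "$2" | awk '{
        split($1, h, "."); split($2, w, ".")
        hm = h[1] + 0; hn = h[2] + 0; wm = w[1] + 0; wn = w[2] + 0
        exit !(hm > wm || (hm == wm && hn >= wn))
    }'
}

# Return 0 if module.sig_enforce is Y (unsigned modules are refused),
# 1 if N (they load, but taint the kernel), 2 if the parameter is not
# exposed (kernel built without CONFIG_MODULE_SIG).
module_sig_enforced() {
    f="${1:-/sys/module/module/parameters/sig_enforce}"
    [ -r "$f" ] || return 2
    [ "$(cat "$f")" = "Y" ]
}

# Return 0 if the UEFI SecureBoot variable is 1, 1 if it is 0, 2 if the
# variable is absent (legacy BIOS boot, or efivarfs not mounted).
# An efivarfs file is 4 attribute bytes followed by the variable data,
# so the value is the fifth byte.
secure_boot_enabled() {
    v="${1:-/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c}"
    [ -r "$v" ] || return 2
    [ "$(od -An -tu1 -j4 -N1 "$v" | tr -d ' ')" = "1" ]
}

# Human-readable summary for the running host. Always returns 0 so it is
# safe to call under "set -e".
audit_report() {
    kv=$(uname -r)
    if kernel_at_least "$kv" 3.7; then
        echo "kernel $kv: module signature verification available (>= 3.7)"
    else
        echo "kernel $kv: predates module signature verification (3.7)"
    fi

    rc=0; module_sig_enforced || rc=$?
    case $rc in
        0) echo "module.sig_enforce=Y: unsigned modules are refused" ;;
        1) echo "module.sig_enforce=N: unsigned modules load (kernel is tainted, not protected)" ;;
        *) echo "module.sig_enforce: not exposed (kernel built without CONFIG_MODULE_SIG)" ;;
    esac

    rc=0; secure_boot_enabled || rc=$?
    case $rc in
        0) echo "UEFI Secure Boot: enabled" ;;
        1) echo "UEFI Secure Boot: disabled (unsigned kernels/modules not blocked at boot)" ;;
        *) echo "UEFI Secure Boot: no SecureBoot variable (legacy BIOS boot or efivarfs not mounted)" ;;
    esac
    return 0
}

audit_report
```

Run it as a normal user; every file it reads is world-readable on a standard install. A result of "enabled" on all three lines means the host refuses an unsigned module both at boot time and at runtime, which is the property the thread is asking about; a vendor driver such as NVIDIA's can still be used on such a host if it is signed with a key the kernel trusts (for example one enrolled as a MOK), rather than by switching the checks off.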

ejs

  • Kitizen
  • Posts: 2052
Re: Linux Kernel: Russian Drovorub Malware
« Reply #5 on: August 27, 2020, 08:08:10 PM »

I don't understand the fixation about the kernel module signing as the only way to prevent this.

The main purpose of the kernel module appears to be to hide the presence of the malware. If someone has root level access to my system to attempt to install a kernel module, their ability to hide their presence would not be my only concern. Pretty much any program set to start automatically when the system boots would also persist across reboots, it just wouldn't be hidden.

Alex Atkin UK

  • Kitizen
  • Posts: 1531
    • My Broadband History
Re: Linux Kernel: Russian Drovorub Malware
« Reply #6 on: August 27, 2020, 09:05:37 PM »

Being hidden is an important point though, as anything NOT hidden you can look out for, whereas if it's hidden you would never know.
Exchange: INTAKE (ECI) ISP/Modems: Zen (Home Hub 5A running OpenWrt) + Plusnet (VMG-3925-B10B) + Three (Huawei B535-232)
Router: pfSense (i5-7200U) WiFi: Ubiquiti nanoHD
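ejs and Alex are both right: a plain autostart entry persists but is visible, while a module that unlinks itself from the kernel's module list disappears from `lsmod` and `/proc/modules`. "You would never know" is not quite the end of it, though. As an added example (not from the thread or the advisory), the script below applies two read-only cross-checks a defender can run: a module loaded from a `.ko` file gets a `/sys/module/<name>/initstate` attribute, which survives when only the list entry is unlinked, and loading an unsigned module sets taint bit 13 ('E') in `/proc/sys/kernel/tainted`. Built-in kernel code also has `/sys/module` entries (for its parameters) but no `initstate`, which is why the script filters on that file rather than on the directory alone. The sample `/proc/modules` lines are constructed for illustration, not captured from a real host.

```shell
#!/bin/sh
# Added example (not from the thread or the advisory): two read-only
# heuristics for a kernel module that hides from /proc/modules.

# Names under /sys/module that have an initstate attribute, i.e. were
# loaded as .ko files. Built-in code has no initstate and is skipped.
live_sysfs_loaded_modules() {
    for d in /sys/module/*/; do
        [ -f "${d}initstate" ] && basename "$d"
    done
    return 0
}

# $1: text in /proc/modules format (first field is the module name).
# $2: newline-separated module names taken from sysfs.
# Prints each sysfs name that has no /proc/modules entry, one per line.
hidden_modules() {
    proc_names=$(printf '%s\n' "$1" | awk 'NF { print $1 }')
    printf '%s\n' "$2" | while read -r name; do
        [ -n "$name" ] || continue
        printf '%s\n' "$proc_names" | grep -qxF -- "$name" || printf '%s\n' "$name"
    done
}

# $1: value of /proc/sys/kernel/tainted. Returns 0 if an unsigned module
# has been loaded (taint bit 13, 'E'), 1 otherwise. A signed out-of-tree
# driver only sets bit 12 ('O'), so a properly signed vendor module does
# not trigger this.
unsigned_module_loaded() {
    [ $(( ($1 / 8192) % 2 )) -eq 1 ]
}

# Constructed sample (not from a real host): one sysfs entry has no
# counterpart in /proc/modules.
SAMPLE_PROC='ext4 786432 1 - Live 0x0000000000000000
nvidia 39124992 12 - Live 0x0000000000000000 (POE)'
SAMPLE_SYSFS='ext4
nvidia
example_hidden_mod'

report() {
    echo "sample data: sysfs-only modules -> $(hidden_modules "$SAMPLE_PROC" "$SAMPLE_SYSFS")"
    if [ -r /proc/modules ]; then
        hidden=$(hidden_modules "$(cat /proc/modules)" "$(live_sysfs_loaded_modules)")
        if [ -n "$hidden" ]; then
            echo "live host: in /sys/module but missing from /proc/modules (investigate):"
            echo "$hidden"
        else
            echo "live host: every loaded module in sysfs is also listed in /proc/modules"
        fi
    fi
    if [ -r /proc/sys/kernel/tainted ]; then
        t=$(cat /proc/sys/kernel/tainted)
        if unsigned_module_loaded "$t"; then
            echo "live host: tainted=$t, an unsigned module has been loaded"
        else
            echo "live host: tainted=$t, no unsigned-module taint"
        fi
    fi
    return 0
}

report
```

A hit from either check is worth investigating from outside the running kernel (a memory image or a boot from trusted media), because the same code that unlinked the list entry can read files as well as any tool you run on the host. A clean result is weaker evidence: a module can also remove its sysfs object, so the absence of a discrepancy does not prove the absence of a rootkit. This is the practical reason the signing and Secure Boot controls discussed earlier matter: they stop the module from loading in the first place rather than trying to spot it afterwards.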