Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
×
Security Linux

FBI and NSA Expose New Linux Malware Drovorub, Used by Russian State Hackers (zdnet.com) 72

The FBI and NSA have published today a joint security alert containing details about a new strain of Linux malware that the two agencies say was developed and deployed in real-world attacks by Russia's military hackers. From a report: The two agencies say Russian hackers used the malware, named Drovorub, was to plant backdoors inside hacked networks. Based on evidence the two agencies have collected, FBI and NSA officials claim the malware is the work of APT28 (Fancy Bear, Sednit), a codename given to the hackers operating out of military unity 26165 of the Russian General Staff Main Intelligence Directorate (GRU) 85th Main SpecialService Center (GTsSS). Through their joint alert, the two agencies hope to raise awareness in the US private and public sectors so IT administrators can quickly deploy detection rules and prevention measures.
This discussion has been archived. No new comments can be posted.

FBI and NSA Expose New Linux Malware Drovorub, Used by Russian State Hackers

Comments Filter:
  • Drovorub? (Score:5, Funny)

    by nospam007 ( 722110 ) * on Thursday August 13, 2020 @02:20PM (#60398291)

    Sounds like a muscle cream.

  • by FudRucker ( 866063 ) on Thursday August 13, 2020 @02:30PM (#60398357)
    the 3.7.xx kernels are old old kernels, even slackware-14 which was released 4 years ago ran a 4.4.xx kernel, not sure about android builds, or linux based router builds, kernel.org dont even have a 3.7.xx kernel on their page so i guess it is an obsolete kernel,
    • by edis ( 266347 )

      Don't spoil. Let axe-handlers enjoy. They tried so hard.

    • Re: (Score:2, Informative)

      by Anonymous Coward
      I know a large company that still uses 2.6.XX versions for their oracle DB servers holding millions worth of medical data.....
      • I would certainly be thinking about the competence of a company director who thinks that's acceptable having had years to think an execute digital transformation programmes to address the issue.
      • by emil ( 695 )

        Yes, this is still in extended support.

        $ uname -r
        2.6.18-419.0.0.0.2.el5PAE

        $ cat /etc/redhat-release /etc/oracle-release
        Red Hat Enterprise Linux Server release 5.11 (Tikanga)
        Oracle Linux Server release 5.11

        $ $ORACLE_HOME/bin/sqlplus /nolog

        SQL*Plus: Release 11.2.0.4.0 Production on Fri Aug 14 13:32:43 2020

        Copyright (c) 1982, 2013, Oracle. All rights reserved.

        SQL>

    • Re: (Score:2, Informative)

      by Anonymous Coward
      many enterprises have fleets of servers with older kernels than that on them. I was working at one in December last year that would have had almost a 1000 servers with kernels below 3.7.xx
    • Re: (Score:3, Informative)

      by transwarp ( 900569 )
      My read is that module signing was introduced in 3.7, and they are recommending you use module signing to keep the rogue module from being loaded. The 3.7 is the wrong detail being picked up.
    • by pnutjam ( 523990 )
      Tell that to Redhat, only RHEL 8 has a kernel newer then 3.7 and there is still a ton of RHEL 7 out there, as well as RHEL 6.
      • by whitroth ( 9367 )

        Um, yo, CentOS 7 (RHEL 7), current kernel, which I just updated last night, is 3.10.

        I love seeing all the white wing trolls, complaining about slashdot not being news for nerds.

        So, what are they recommending to try to detect the malware? The one thing I saw in the article has it using mysql, so does that mean that if mysql isn't running, or is not installed, the malware can't run?

    • The Unbreakable Enterprise Kernel is supported on RedHat. It also works on CentOS.

      $ rpm -qa | grep ^kernel | sort
      kernel-3.10.0-1127.18.2.el7.x86_64
      kernelcare-2.32-1.el7.x86_64
      kernel-devel-3.10.0-1127.18.2.el7.x86_64
      kernel-headers-3.10.0-1127.18.2.el7.x86_64
      kernel-tools-3.10.0-1127.18.2.el7.x86_64
      kernel-tools-libs-3.10.0-1127.18.2.el7.x86_64
      kernel-uek-5.4.17-2011.5.3.el7uek.x86_64
      kernel-uek-devel-5.4.17-2011.5.3.el7uek.x86_64

      They also return support for many drivers that RedHat removes, both drive

  • Kernel 3.7 - 2012 (Score:3, Interesting)

    by gavron ( 1300111 ) on Thursday August 13, 2020 @02:41PM (#60398415)

    Wow, THANK YOU FBI and NSA for being so TRANSPARENT and HELPFUL to tell us about something the Linux kernel resolved 8 years ago.

    Maybe in 2028 you'll tell us what threats we're facing today, you useless fucks.

    E

    • by dark.nebulae ( 3950923 ) on Thursday August 13, 2020 @03:00PM (#60398517)

      You are aware that linux is embedded in a lot of devices, not just your computer, right? There's tons of equipment out there from home routers to printers to IoT devices that are plugged into the net and never getting an update?

      So sure, a modern desktop is likely not going to be running such an old kernel. But what about that camera you just plugged in? Or your internet provider's hardware sitting between you and the net?

      • Re: (Score:1, Insightful)

        by gavron ( 1300111 )

        You are aware that you can't upgrade most IoT kernels, right?

        You were in SUCH A RUSH to correct me, because slashdot.

        Next time focus on the meat, not how to show yourself to be smarter because you found an edge case, junior.

        E

        • by JSG ( 82708 ) on Thursday August 13, 2020 @06:55PM (#60399509) Homepage

          Both of you are right and wrong. (kids etc)

          Why don't we all focus on securing our systems and those of our nearest and dearest, if we have the skills.

          I have an awful lot of of equipment running on my home and work and my customer's networks that might be considered a bit IoT. However those devices such as cameras etc are on their own VLANs. At home I have two IoT VLANS: THINGS and SEWER. Sewer is for those devices I am really, really scared of!

          No doubt my firewalls may have some snags somewhere but I do not allow access to the GUI from just anywhere. I generally allow a minimal access except for icmp echo request and a few other icmp things that are handy. You can ping me and DOS me but you probably wont get in.

          Must work on that probably thing ...

        • by clovis ( 4684 )

          You are aware that you can't upgrade most IoT kernels, right?

          You were in SUCH A RUSH to correct me, because slashdot.

          Next time focus on the meat, not how to show yourself to be smarter because you found an edge case, junior.

          E

          Sure you can. Once you learn about the threat, You unplug the bad device and replace it with a new one that doesn't have that threat exposure. Otherwise, you throw it in the trash.

        • My reply wasn't posted as a rush, nor because of slashdot, nor did it ignore the "meat" of your original post.

          You were trying to say the FBI and NSA were late to the game pointing at kernel vulnerabilities 8 years ago.

          As if it was not at all a current problem or concern to any person, business or government entity, that 3.7 kernel series is not going to be found anywhere in the wild.

          And I'm sorry if you think that routers, switches, gateways, cable/fiber/etc modems using some version of Linux are all consid

    • by rtb61 ( 674572 )

      You know the way the system works. They project, the projection here an announcement by the NSA that they are no longer using that vector for attacks and are now closing it but Russia, Russia, Russia (as they are no longer using it, they warn people about it, they very people they were attacking surreptitiously). So now they are using a different vector to attack Linux servers, which they will announce when they stop using it, that 'er' 'um', the Chinese, yes, this time the Chinese are using it and the Iran

  • Quick Check (Score:5, Informative)

    by bill_mcgonigle ( 4333 ) * on Thursday August 13, 2020 @02:58PM (#60398505) Homepage Journal

    My goodness, a stack of articles, press releases , FAQ's and a 40-page advisory.

    Check your machines quickly before GRU pushes out an update:

    https://bfccomputing.com/quick... [bfccomputing.com]

  • It'll never be over Wendy. Even now Russians are lurking in our playgrounds, our breezeways, perhaps even...our slashdot comment threads!
  • How does this “new strain of Linux malware” get onto your computer without clicking on a malicous URL or opening a malicous email attachment?

    The two agencies say Russian hackers used the malware, named Drovorub, was to plant backdoors inside hacked networks

    slashdot: enough with this neocon cyber BS. And you're quiting zdnet, zdnet .. really. The Microsoft zdnet.
    • ninjas

    • How does this âoenew strain of Linux malwareâ get onto your computer without clicking on a malicous URL or opening a malicous email attachment?

      There have been remote root holes on Linux systems before.

      You're right that not mentioning this is bullshit, though.

  • I'm curious how much is still running on Linux 3.6 or earlier. I imagine the big issue is routers and switches that never get updated.

  • how do i get this virus? pdf says it's installed by the actor but doesn't say how.
  • by t4eXanadu ( 143668 ) on Thursday August 13, 2020 @09:30PM (#60399897)

    Drovorub sounds like the happy ending you get from a Russian masseuse. I suspect it doesn't have a happy ending, though.

  • by Plugh ( 27537 )
    More Linux users should use AIDE, it is simple and easy and Free. I think maybe they just donâ(TM)t know about it: https://aide.github.io/ [github.io]
    • If you are running an old enough Linux Kernel for this exploit to work, you are either running an embedded system you can't install AIDE on, or you really should have updated your system sometime in the last 8 years ...

      • by Plugh ( 27537 )
        Yes, I was thinking more in terms of Linux users being concerned about exploits in general than about this one
  • Like I would believe anything the fbi or nsa say. They probably developed it themselves but have since come up with something better so are using it in another anti-russia campaign.

Every nonzero finite dimensional inner product space has an orthonormal basis. It makes sense, when you don't think about it.

Working...