FBI and NSA Expose New Linux Malware Drovorub, Used by Russian State Hackers (zdnet.com)
The FBI and NSA have published today a joint security alert containing details about a new strain of Linux malware that the two agencies say was developed and deployed in real-world attacks by Russia's military hackers. From a report: The two agencies say Russian hackers used the malware, named Drovorub, to plant backdoors inside hacked networks. Based on evidence the two agencies have collected, FBI and NSA officials claim the malware is the work of APT28 (Fancy Bear, Sednit), a codename given to the hackers operating out of military unit 26165 of the Russian General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS). Through their joint alert, the two agencies hope to raise awareness in the US private and public sectors so IT administrators can quickly deploy detection rules and prevention measures.
Re: (Score:1)
He did his best, do not judge too hard.
Re: (Score:1, Troll)
Re: (Score:1)
Re: (Score:1)
Re: (Score:1)
The Mueller Report states explicitly - in plain, small words that even you should be able to understand - that no collusion took place. Whatever foreign interference there was was done for both sides.
Re: (Score:2)
Re: (Score:1)
Allow me to teach you how to make a citation on Slashdot.
Re: (Score:2)
that no collusion took place. Whatever foreign interference there was was done for both sides.
What an interesting non-sequitur. It is entirely possible for interference to be done for both sides and for there still to be collusion. In fact, there could be collusion without any interference taking place. And there can be interference without any collusion. Having interference for both sides doesn't erase the collusion for one or either.
Re: (Score:1)
" It is entirely possible for interference to be done for both sides and for there still to be collusion. "
And that is exactly what the Mueller Report and the foreign prosecutions that came from the Mueller investigation say happened. Foreign actors interfered on both sides but neither candidate nor their campaigns knew about it or helped in any way (i.e. "colluded"). Those responsible were simply trying to cause chaos.
Re: (Score:1)
Please, cite the relevant parts.
Note that any follow-ups not containing the requested citations will be returned unopened.
Re: (Score:2)
...The investigation culminated with the Mueller Report which concluded that — though the Trump campaign welcomed Russian interference and expected to benefit from it — there was insufficient evidence to bring any conspiracy charges against Trump or his associates. The Report did not reach a conclusion about possible obstruction of justice, citing a Justice Department guideline that prohibits the federal indictment of a sitting president
A Justice Department guideline that was written by William Barr by the way, because William Barr wants the president of your country to be a king.
The report concluded that the Internet Research Agency's social media campaign supported Trump's presidential candidacy while attacking Clinton's, and Russian intelligence hacked and released damaging material from the Clinton campaign and various Democratic Party organizations.
Re: (Score:1)
You're citing Wikipedia, not Mueller's report, which — according to DogDude [slashdot.org] — "confirmed" Russian collusion.
You've used up your sole free reply. Further follow-ups not containing the requested citation(s) will be returned unopened.
Re: (Score:2)
Find me some evidence!
No, not that evidence!
Lalala! I can't hear you!
Idiot.
Re: (Score:2)
I break it down for you:
Dogdude: "Russian collusion was confirmed by the Mueller investigation"
Mi: "Please, cite the relevant parts."
You: "Wikipedia! DOJ guidelines!! MY FEELINGS!!!" (Where is the Mueller investigation?)
It is simple: Mueller specifically investigated the claims of Russian collusion, but in the end his report could not confirm them. Wikipedia did not. The DOJ guidelines neither.
Re: (Score:2)
...The investigation culminated with the Mueller Report which concluded that — though the Trump campaign welcomed Russian interference and expected to benefit from it — there was insufficient evidence to bring any conspiracy charges against Trump or his associates. The Report did not reach a conclusion about possible obstruction of justice, citing a Justice Department guideline that prohibits the federal indictment of a sitting president
The report concluded that the Internet Research Agency's social media campaign supported Trump's presidential candidacy while attacking Clinton's, and Russian intelligence hacked and released damaging material from the Clinton campaign and various Democratic Party organizations.
Or was that too hard?
Not sure what my feelings have to do with anything.
Re: (Score:2)
Is it hard to understand that he wanted the actual citations from the report and _not_ some random interpretations that fit a given narrative?
For example:
Russian intelligence hacked and released damaging material from the Clinton campaign and various Democratic Party organizations
is a false statement, regarding the Mueller report.
Re: (Score:2)
That is the actual report. It's a PDF, but it is searchable.
At the same time that the IRA operation began to focus on supporting candidate Trump in early 2016, the Russian government employed a second form of interference: cyber intrusions (hacking) and releases of hacked materials damaging to the Clinton Campaign. The Russian intelligence service known as the Main Intelligence Directorate of the General Staff of the Russian Army (GRU) carried out these operations.
Is a quote from the executive summary. Page 4.
You can find your own references from there, if you want.
Drovorub? (Score:5, Funny)
Sounds like a muscle cream.
Re: (Score:1)
Re: (Score:3)
it really doesn't - the rub part is pronounced as roob, but shorter.
the whole word is either a kenning for a lumberjack or a splitting axe.
probably a bilingual pun about hacking.
Re: (Score:2)
they recommend linux-3.7 or newer (Score:5, Informative)
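The thread's minimum of "linux-3.7 or newer" is only useful if you can compare it against what a box actually reports, and the release strings posted further down (2.6.18-419.0.0.0.2.el5PAE, 3.10.0-1127.18.2.el7.x86_64, 5.4.17-2011.5.3.el7uek.x86_64) show why a plain string comparison is not enough. The following POSIX sh script is an added example, not from the thread, the zdnet story or the advisory: it strips the distribution suffix from a `uname -r` style string, compares the numeric components against a minimum, and classifies the running kernel. The function names and the 3.7 threshold are taken from nothing more than the thread's recommendation; the sample release strings in the comments are those posted in this thread.

```shell
#!/bin/sh
# Added example (not from the thread or the advisory): compare a kernel
# release string, as printed by `uname -r`, against a minimum version.
# Assumes the release string starts with MAJOR.MINOR[.PATCH] followed by
# an optional distro suffix such as "-419.0.0.0.2.el5PAE" or ".x86_64".

# Keep only the leading numeric dotted prefix: "3.10.0-1127.18.2.el7.x86_64" -> "3.10.0"
numeric_prefix() {
    printf '%s\n' "$1" | sed 's/[^0-9.].*//'
}

# kernel_at_least RELEASE MIN -> returns 0 if RELEASE >= MIN, 1 otherwise.
# Components are compared as integers, so 3.10 correctly sorts above 3.7.
kernel_at_least() {
    rel=$(numeric_prefix "$1")
    min=$(numeric_prefix "$2")
    oldifs=$IFS
    IFS=.
    set -- $rel                      # split RELEASE on dots into $1 $2 $3
    rmaj=${1:-0}; rmin=${2:-0}; rpat=${3:-0}
    set -- $min                      # split MIN on dots
    mmaj=${1:-0}; mmin=${2:-0}; mpat=${3:-0}
    IFS=$oldifs
    [ "$rmaj" -gt "$mmaj" ] && return 0
    [ "$rmaj" -lt "$mmaj" ] && return 1
    [ "$rmin" -gt "$mmin" ] && return 0
    [ "$rmin" -lt "$mmin" ] && return 1
    [ "$rpat" -ge "$mpat" ]
}

# classify_kernel RELEASE -> prints "ok" when at or above 3.7, "old" otherwise.
classify_kernel() {
    if kernel_at_least "$1" "3.7"; then
        echo ok
    else
        echo old
    fi
}

# Report on the kernel this script is actually running on.
check_running_kernel() {
    running=$(uname -r)
    case "$(classify_kernel "$running")" in
        ok)  echo "kernel $running: at or above 3.7" ;;
        old) echo "kernel $running: older than 3.7, below the minimum recommended in the thread" ;;
    esac
}

check_running_kernel
```

The strings from the thread classify as you would expect: the RHEL 5 box at 2.6.18 is "old", while both the stock CentOS 7 kernel at 3.10.0 and the UEK kernel at 5.4.17 are "ok". A release string that is missing a patch component (for example "3.7") is treated as 3.7.0.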
Re: (Score:1)
Don't spoil. Let axe-handlers enjoy. They tried so hard.
Re: (Score:2, Informative)
Re: (Score:1)
11g (Score:2)
Yes, this is still in extended support.
$ uname -r
2.6.18-419.0.0.0.2.el5PAE
$ cat /etc/redhat-release /etc/oracle-release
Red Hat Enterprise Linux Server release 5.11 (Tikanga)
Oracle Linux Server release 5.11
$ $ORACLE_HOME/bin/sqlplus /nolog
SQL*Plus: Release 11.2.0.4.0 Production on Fri Aug 14 13:32:43 2020
Copyright (c) 1982, 2013, Oracle. All rights reserved.
SQL>
Re: (Score:2, Informative)
Re: (Score:3, Informative)
Re: (Score:2)
Re: (Score:2)
Um, yo, CentOS 7 (RHEL 7), current kernel, which I just updated last night, is 3.10.
I love seeing all the white wing trolls, complaining about slashdot not being news for nerds.
So, what are they recommending to try to detect the malware? The one thing I saw in the article has it using mysql, so does that mean that if mysql isn't running, or is not installed, the malware can't run?
Re: they recommend linux-3.7 or newer (Score:2)
Oracle Linux has newer kernels than Red Hat (Score:2)
The Unbreakable Enterprise Kernel is supported on RedHat. It also works on CentOS.
$ rpm -qa | grep ^kernel | sort
kernel-3.10.0-1127.18.2.el7.x86_64
kernelcare-2.32-1.el7.x86_64
kernel-devel-3.10.0-1127.18.2.el7.x86_64
kernel-headers-3.10.0-1127.18.2.el7.x86_64
kernel-tools-3.10.0-1127.18.2.el7.x86_64
kernel-tools-libs-3.10.0-1127.18.2.el7.x86_64
kernel-uek-5.4.17-2011.5.3.el7uek.x86_64
kernel-uek-devel-5.4.17-2011.5.3.el7uek.x86_64
They also return support for many drivers that RedHat removes, both drive
Re: (Score:2)
-rwxr-xr-x. 1 root root 6761064 Jul 26 11:31
Kernel 3.7 - 2012 (Score:3, Interesting)
Wow, THANK YOU FBI and NSA for being so TRANSPARENT and HELPFUL to tell us about something the Linux kernel resolved 8 years ago.
Maybe in 2028 you'll tell us what threats we're facing today, you useless fucks.
E
Re:Kernel 3.7 - 2012 (Score:5, Insightful)
You are aware that linux is embedded in a lot of devices, not just your computer, right? There's tons of equipment out there from home routers to printers to IoT devices that are plugged into the net and never getting an update?
So sure, a modern desktop is likely not going to be running such an old kernel. But what about that camera you just plugged in? Or your internet provider's hardware sitting between you and the net?
Re: (Score:1, Insightful)
You are aware that you can't upgrade most IoT kernels, right?
You were in SUCH A RUSH to correct me, because slashdot.
Next time focus on the meat, not how to show yourself to be smarter because you found an edge case, junior.
E
Re:Kernel 3.7 - 2012 (Score:4, Insightful)
Both of you are right and wrong. (kids etc)
Why don't we all focus on securing our systems and those of our nearest and dearest, if we have the skills.
I have an awful lot of equipment running on my home and work and my customers' networks that might be considered a bit IoT. However those devices such as cameras etc are on their own VLANs. At home I have two IoT VLANs: THINGS and SEWER. Sewer is for those devices I am really, really scared of!
No doubt my firewalls may have some snags somewhere but I do not allow access to the GUI from just anywhere. I generally allow minimal access except for icmp echo request and a few other icmp things that are handy. You can ping me and DOS me but you probably won't get in.
Must work on that probably thing ...
Re: (Score:2)
You are aware that you can't upgrade most IoT kernels, right?
You were in SUCH A RUSH to correct me, because slashdot.
Next time focus on the meat, not how to show yourself to be smarter because you found an edge case, junior.
E
Sure you can. Once you learn about the threat, You unplug the bad device and replace it with a new one that doesn't have that threat exposure. Otherwise, you throw it in the trash.
Re: (Score:2)
My reply wasn't posted as a rush, nor because of slashdot, nor did it ignore the "meat" of your original post.
You were trying to say the FBI and NSA were late to the game pointing at kernel vulnerabilities 8 years ago.
As if it was not at all a current problem or concern to any person, business or government entity, that 3.7 kernel series is not going to be found anywhere in the wild.
And I'm sorry if you think that routers, switches, gateways, cable/fiber/etc modems using some version of Linux are all consid
Re: (Score:1)
You know the way the system works. They project, the projection here an announcement by the NSA that they are no longer using that vector for attacks and are now closing it but Russia, Russia, Russia (as they are no longer using it, they warn people about it, they very people they were attacking surreptitiously). So now they are using a different vector to attack Linux servers, which they will announce when they stop using it, that 'er' 'um', the Chinese, yes, this time the Chinese are using it and the Iran
Quick Check (Score:5, Informative)
My goodness, a stack of articles, press releases, FAQs and a 40-page advisory.
Check your machines quickly before GRU pushes out an update:
https://bfccomputing.com/quick... [bfccomputing.com]
Re: (Score:3)
Thank you for the simple instructions. Much obliged. +1, Informative.
Best post this story.
Re: Quick Check (Score:2)
I'm just glad the nightmare is over (Score:1)
Re: (Score:2)
Previet, tavarish!
New strain of Linux malware ? (Score:1)
“The two agencies say Russian hackers used the malware, named Drovorub, was to plant backdoors inside hacked networks”
slashdot: enough with this neocon cyber BS. And you're quoting zdnet, zdnet
Re: (Score:1)
ninjas
Re: (Score:2)
How does this “new strain of Linux malware” get onto your computer without clicking on a malicious URL or opening a malicious email attachment?
There have been remote root holes on Linux systems before.
You're right that not mentioning this is bullshit, though.
Kernel 3.7 (Score:2)
I'm curious how much is still running on Linux 3.6 or earlier. I imagine the big issue is routers and switches that never get updated.
vector (Score:1)
Drovorub (Score:3)
Drovorub sounds like the happy ending you get from a Russian masseuse. I suspect it doesn't have a happy ending, though.
AIDE (Score:2)
Re: (Score:2)
If you are running an old enough Linux Kernel for this exploit to work, you are either running an embedded system you can't install AIDE on, or you really should have updated your system sometime in the last 8 years ...
Re: (Score:2)
I don't believe you. (Score:2)
Like I would believe anything the fbi or nsa say. They probably developed it themselves but have since come up with something better so are using it in another anti-russia campaign.