
FBI release a report on Russian Linux Malware called Drovorub [pdf] - Adiauxin
https://media.defense.gov/2020/Aug/13/2002476465/-1/-1/0/CSA_DROVORUB_RUSSIAN_GRU_MALWARE_AUG_2020.PDF
======
fuoqi
> In addition to NSA's and FBI's attribution to GTsSS, operational Drovorub
> command and control infrastructure has been associated with publicly known
> GTsSS operational cyber infrastructure

Publicly known GRU malware C&C infrastructure??? If it became "public",
wouldn't they move from it immediately? Also I guess evil GRU hackers are too
stupid to use technologies like I2P, Tor, or even something simpler like
Bitmessage and route control traffic via botnets of hacked routers and IoT
appliances.

> The name Drovorub comes from a variety of artifacts discovered in Drovorub
> files and from operations conducted by the GTsSS using this malware

So they again found some Cyrillic letters in binary dumps and used it for
attribution? Can we download those artifacts and see for ourselves? Or should
we simply trust gentleman's word?

And if I haven't missed something the report contains a lot of unimportant
noise, but fails to explain how this malware gets into systems in the first
place.

~~~
whatshisface
> _So they again found some Cyrillic letters in binary dumps and used it for
> attribution?_

Yeah, these always get me, you see attribution almost every time an alphabet
agency goes to the media with malware they analyzed, but it's never reported
to be more sophisticated than "a д showed up in the hex dump."

~~~
colek42
Attribution probably gets into some classified tradecraft most of the time.

~~~
whatshisface
Ahh yes, the "inverse conspiracy theory." The government is secretly
competent. ;)

------
rodionos
> The Drovorub-server uses a MySQL database to manage the connecting Drovorub-
> client(s) and Drovorub-agent(s).

This assumes the NSA was able to infiltrate the Drovorub C2 server, I guess.

~~~
dclusin
Not necessarily. You could probably infer it from a MySQL client in the
malware itself and the queries it's making to tables and such.

~~~
FDSGSG
That sounds reaaally unlikely. If the malware shipped a mysql client the NSA
would definitely be able to pop the mysql server it connects to.

~~~
stevehawk
the point wasn't whether or not they could or did. the point was that it could
be inferred based on what sql client the malware client was using without ever
touching the server.

~~~
FDSGSG
It is extraordinarily unlikely that the malware would ship with a mysql client
or talk mysql with the C2

If it does, that's an easy claim to prove.

~~~
enkid
Read the document. They have the server software. They have configuration
files for the server, they know how it processes communication, they know how
it generates UUIDs. They have the server software.

~~~
dclusin
Why RTFA when I can make baseless speculations? :D

------
djsumdog
> Linux Kernel 3.7

I thought I had read that incorrectly in previous reports, but I guess not.
Which major distributions still have supported releases running 3.7?! I'm
guessing it's gotta be RedHat and older Ubuntu LTS releases? Everything I
currently have access to seems to be running at least the 4.x series.

So the most vulnerable would probably be legacy systems or old servers riddled
with technical debt?

~~~
mgkimsal
Centos/RHEL 6 is still 'supported' through Nov 2020, and ships with 2.6
kernel. Centos/RHEL 7 ships with 3.1, and will be supported through June 2024.

~~~
SEJeff
CentOS / RHEL7 ships with Linux 3.10. That is not the same as 3.1.

~~~
iso1631
Which Centos shipped with 3.11 for workgroups?

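The 3.1 versus 3.10 slip in this subthread is exactly the mistake a plain string comparison makes on kernel release strings. The following POSIX shell script is an added example, not code from the advisory or from anyone in the thread: it compares a kernel release string numerically against the 3.7 figure quoted from the report, and also reads the kernel's module-signature enforcement knob at `/sys/module/module/parameters/sig_enforce` (present on kernels built with CONFIG_MODULE_SIG). Treating that knob as the relevant hardening check for a kernel-module rootkit is this example's assumption; the thread itself only discusses which distributions still ship older kernels.

```shell
#!/bin/sh
# Added example (not from the advisory or the thread). Compares a kernel
# release such as "3.10.0-1160.el7.x86_64" against a threshold such as "3.7"
# numerically, so that 3.10 sorts above 3.7 instead of below it.

# kernel_numeric RELEASE -> prints MAJOR*1000000 + MINOR*1000 + PATCH
kernel_numeric() {
    ver=${1%%-*}                 # drop "-1160.el7.x86_64" style suffixes
    ver=${ver%%+*}               # drop "+" local-version suffixes
    major=${ver%%.*}
    rest=${ver#"$major"}; rest=${rest#.}
    minor=${rest%%.*}
    rest=${rest#"$minor"}; rest=${rest#.}
    patch=${rest%%.*}
    # keep only the leading digits of each component ("0rc1" -> "0")
    major=${major%%[!0-9]*}; minor=${minor%%[!0-9]*}; patch=${patch%%[!0-9]*}
    echo $(( ${major:-0} * 1000000 + ${minor:-0} * 1000 + ${patch:-0} ))
}

# kernel_below RELEASE THRESHOLD -> exit status 0 if RELEASE < THRESHOLD
kernel_below() {
    [ "$(kernel_numeric "$1")" -lt "$(kernel_numeric "$2")" ]
}

# sig_enforce_status -> prints "enforced", "not-enforced" or "unavailable".
# Reads the sysfs parameter exported by kernels with module signing support;
# "unavailable" means the kernel was built without CONFIG_MODULE_SIG (or
# sysfs is not mounted), not that signing is enforced.
sig_enforce_status() {
    f=/sys/module/module/parameters/sig_enforce
    if [ -r "$f" ]; then
        case "$(cat "$f")" in
            Y) echo enforced ;;
            *) echo not-enforced ;;
        esac
    else
        echo unavailable
    fi
}

# check_host: report on the running kernel, using the 3.7 figure from the thread.
check_host() {
    rel=$(uname -r)
    if kernel_below "$rel" 3.7; then
        echo "kernel $rel: below 3.7"
    else
        echo "kernel $rel: 3.7 or newer"
    fi
    echo "module signature enforcement: $(sig_enforce_status)"
}

check_host
```

Run it directly on a host, or source it and call `kernel_below "$(uname -r)" 3.7` in a fleet inventory script; the numeric form means the CentOS 6 (2.6.32), CentOS 7 (3.10) and 4.x releases mentioned above all land on the correct side of 3.7.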
------
peterwwillis
Here's a breakdown of the rootkit:
[https://www.splunk.com/en_us/blog/security/a-little-splunk-medicinalrub-for-your-drovorub-rootkit-questions.html](https://www.splunk.com/en_us/blog/security/a-little-splunk-medicinalrub-for-your-drovorub-rootkit-questions.html)

------
oleganza
Lol. Except no Russian ever would say "drovorub". It's either "drovokol"
(firewood + chop) or "lesorub" (wood + cut). Seems like only Ukrainians say
"drovorub".

~~~
anonymfus
You know regional differences exist?

[http://az.lib.ru/m/maminsibirjak_d/text_1004.shtml](http://az.lib.ru/m/maminsibirjak_d/text_1004.shtml)

I am from Moscow, I had relatives from Ryazan and Verholensk, for me drovokol
is a specialised axe for splitting firewood, lesorub (and it's forest+chop,
not wood, wood is only called les by people who sell it, we buy drevesina) is
a person who cuts trees in the forest as a job, drovosek is a person who cuts
trees for firewood as a job, drovoseksual is a person sexually attracted to
trees, and drovorub sounds like a word that somebody both from Verholensk and
Ryazan could say.

~~~
anonymfus
Thinking about it more, trying to recall conversations with my father and
actually reading the story I linked above, I feel that the difference between
drovosek and drovorub is that drovosek's job is in the beginning of the
process of turning trees into firewood, and drovorub is in the end. So
drovosek turns trees into the firewood, and drovorub makes firewood into a
proper size.

