
Linux Malware “Drovorub” developed by Russian exposed by NSA and FBI - richardowright
https://www.nsa.gov/news-features/press-room/Article/2311407/nsa-and-fbi-expose-russian-previously-undisclosed-malware-drovorub-in-cybersecu/
======
iLemming
Note that "drovorub" isn't even a Russian word, "drovosek" is. It means
"woodcutter".

~~~
jmt_
Why would a natively Russian speaking team misspell this word? Is it possible
this software wasn't developed in Russia/by Fancy Bear or that it's some sort
of play on words that I don't understand as an English speaker?

~~~
rsfern
The article says it’s a composite of two recovered strings from one of the
malicious programs involved. So I wouldn’t read too much into it

Edit: sorry, this article, which we on another thread
[https://arstechnica.com/information-
technology/2020/08/nsa-a...](https://arstechnica.com/information-
technology/2020/08/nsa-and-fbi-warn-that-new-linux-malware-threatens-national-
security/)

------
alsdkfjkqjwer
<quote> Preventative Mitigations

NOTE: The mitigations that follow are not meant to protect against the initial
access vector. The mitigations are designed to prevent Drovorub’s persistence
and hiding technique only.

Apply Linux Updates

System administrators should continually check for and run the latest version
of vendor-supplied software for computer systems in order to take advantage of
software advancements and the latest security detection and mitigation
safeguards (National Security Agency, 2018). System administrators should
update to Linux Kernel 3.7 or later in order to take full advantage of kernel
signing enforcement.

Prevent Untrusted Kernel Modules

System owners are advised to configure systems to load only modules with a
valid digital signature making it more difficult for an actor to introduce a
malicious kernel module into the system. An adversary could use a malicious
kernel module to control the system, hide, or persist across reboots (National
Security Agency, 2017).

Activating UEFI Secure Boot is necessary to ensure that only signed kernel
modules can be loaded. This requires a UEFI-compliant platform configured in
UEFI native mode (not legacy or compatibility modes) in Thorough or Full
enforcement mode. Once enabled, Secure Boot creates an integrity chain at boot
by verifying signatures of firmware, bootloader(s), and Machine Owner Key
(MOK). The kernel, initial filesystem, and kernel modules are then verified by
this MOK, which is distributed with Secure Boot-ready Linux distributions.
Components with untrusted or absent signatures are denied from execution by
Secure Boot policy. Enabling Secure Boot may prevent some products from
loading, potentially affecting system functionality, and may require custom
configuration (National Security Agency, 2017). </quote>

------
svrb
> kernel module

If you're running a module-enabled kernel then you were already pwned to begin
with; nothing to see here. There is absolutely no need for modules except on
live cds and the like. Of course, kernel configuration is another huge
headache; don't get me wrong.

~~~
renewiltord
Can someone explain this? I have DKMS enabled because I use the proprietary
nvidia drivers. Also all my drivers are kernel modules. I feel like I'm
missing something here, though.

~~~
posix_me_less
If you use proprietary binary code in kernel, it runs with high privileges and
can be used to provide remote root access to your system. Don't worry much
about it, your computer most probably already runs proprietary binary code
with such high privileges before your OS boots.

------
Stierlitz
¿Do they seriously expect us to believe this neocon cyber BS?

