
NSA and FBI warn that new Linux malware threatens national security - aw1621107
https://arstechnica.com/information-technology/2020/08/nsa-and-fbi-warn-that-new-linux-malware-threatens-national-security/
======
Cactus2018
> Also included are rules that network administrators can plug in to the
> _Yara_ and _Snort_ intrusion detection systems to catch and halt network
> traffic passing to or from control servers or to flag obfuscated Drovorub
> files or processes already running on a server.

Page 35
[https://media.defense.gov/2020/Aug/13/2002476465/-1/-1/0/CSA...](https://media.defense.gov/2020/Aug/13/2002476465/-1/-1/0/CSA_DROVORUB_RUSSIAN_GRU_MALWARE_AUG_2020.PDF)

------
sevensor
Today I learned about Volatility. I've never really looked into forensics
before; it's interesting that there's an entirely separate set of tools for
determining the state a system was in when the memory was dumped, defined by
analogy with tools like pstree that you'd ordinarily use to examine a running
system. Seems like a bit of cat-and-mouse though; as an attacker with code
running in the kernel, you'd want to politely excuse yourself from memory
images. Admittedly I don't understand malware very well; there may be
technical reasons why this is not possible.
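As an added illustration (example code, not from the thread or from the Volatility project) of the cross-view approach memory-forensics tools use to counter exactly that cat-and-mouse: the process list is rebuilt several independent ways from the same image and the views are compared, so a task that kernel code unlinked from the task list still shows up when the image is scanned for task-struct-shaped objects or when the PID hash table is walked. All views below are constructed sample data, and the hidden PID 2222 is a constructed example, not anything from the advisory.

```python
"""Cross-view process listing over a constructed Linux memory image.

Each view is a different way a forensic tool could enumerate processes from
a dump; an attacker editing one kernel structure leaves the others intact.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Task:
    pid: int
    ppid: int
    comm: str


# View 1 (constructed): walking the kernel's doubly linked task list from
# init_task, the structure a rootkit with kernel code can unlink itself from.
TASK_LIST_VIEW = [
    Task(1, 0, "systemd"),
    Task(412, 1, "sshd"),
    Task(980, 412, "bash"),
    Task(1301, 980, "vim"),
]

# View 2 (constructed): scanning memory for task-struct-shaped objects
# regardless of list pointers; the unlinked task is still present here.
POOL_SCAN_VIEW = TASK_LIST_VIEW + [Task(2222, 1, "kworker/u:1")]

# View 3 (constructed): PIDs reachable through the PID hash table.
PID_HASH_VIEW = {1, 412, 980, 1301, 2222}


def cross_view(views: dict[str, set[int]]) -> dict[int, dict[str, bool]]:
    """For every PID seen in any view, record which views contain it."""
    all_pids = set().union(*views.values())
    return {pid: {name: pid in pids for name, pids in views.items()}
            for pid in sorted(all_pids)}


def hidden_pids(views: dict[str, set[int]]) -> list[int]:
    """PIDs missing from at least one view: the discrepancies an analyst chases."""
    return [pid for pid, seen in cross_view(views).items()
            if not all(seen.values())]


def pstree(tasks: list[Task]) -> list[str]:
    """Render a pstree-like indented listing from (pid, ppid, comm) records."""
    by_pid = {t.pid: t for t in tasks}
    children: dict[int, list[Task]] = defaultdict(list)
    for t in tasks:
        # A task whose parent is absent from this view hangs off the root.
        parent = t.ppid if t.ppid in by_pid else 0
        children[parent].append(t)
    lines: list[str] = []

    def walk(pid: int, depth: int) -> None:
        for child in sorted(children[pid], key=lambda t: t.pid):
            lines.append("  " * depth + f"{child.comm}({child.pid})")
            walk(child.pid, depth + 1)

    walk(0, 0)
    return lines


def analyze() -> dict:
    """Compare the three constructed views and render the most complete tree."""
    views = {
        "task_list": {t.pid for t in TASK_LIST_VIEW},
        "pool_scan": {t.pid for t in POOL_SCAN_VIEW},
        "pid_hash": PID_HASH_VIEW,
    }
    return {
        "hidden": hidden_pids(views),
        "matrix": cross_view(views),
        "tree": pstree(POOL_SCAN_VIEW),
    }


if __name__ == "__main__":
    result = analyze()
    print("PIDs not present in every view:", result["hidden"])
    for pid, seen in result["matrix"].items():
        flags = " ".join(f"{name}={'Y' if ok else 'N'}" for name, ok in seen.items())
        print(f"  pid {pid:>5}: {flags}")
    print("\n".join(result["tree"]))
```

The tree is deliberately rendered from the scan-based view rather than the linked list, so the process that is absent from the list still appears under its parent; in the output the PID 2222 row reads `task_list=N pool_scan=Y pid_hash=Y`, which is the pattern of a task unlinked from the task list but not scrubbed from the rest of kernel memory.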

------
rurban
Cannot imagine any security-aware kernel being left with modules and eBPF
support on. Nobody should do that. We disabled kernel modules in the early
90s already.

The OracleLinux kernel with dTrace looks fine though. But Oracle

------
nix23
>Government officials said Drovorub gets its name from strings unintentionally
left behind in the code.

Imagine being a highly trained top-notch agency and being that stupid ;)
...really happy that something like that never happens at the NSA

