FBI and NSA warn about Drovorub - Russian military malware for Linux

Posted on Thursday, August 13 2020 @ 21:54 CEST by Thomas De Maesschalck
The FBI and NSA issued a joint security alert to warn about Drovorub, a piece of malware believed to be developed by Russian military hackers. Or to be more precise, military unit 26165 of the Russian General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS).

Drovorub was discovered in real-world attacks and what makes it so special is that it targets Linux. It's a multi-component system that uses an implant, a kernel module rootkit, a file transfer tool, a port-forwarding module, and a command-and-control (C2) server.
"Drovorub is a 'swiss-army knife' of capabilities that allows the attacker to perform many different functions, such as stealing files and remote controlling the victim's computer," McAfee CTO, Steve Grobman, told ZDNet in an email today.

"In addition to Drovorub's multiple capabilities, it is designed for stealth by utilizing advanced 'rootkit' technologies that make detection difficult," the McAfee exec added. "The element of stealth allows the operatives to implant the malware in many different types of targets, enabling an attack at any time."
However, there's a big caveat. It appears Linux systems with kernel version 3.7 or later are not vulnerable, as kernel module signing enforcement prevents the installation of Drovorub's rootkit module. Linux kernel 3.7 was released in December 2012, so this attack only works on very outdated systems. Full details at ZDNet.
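The caveat above rests on two conditions that an administrator can verify on a host: the kernel is new enough to support module signatures (3.7 or later) and signature enforcement is actually switched on, so an unsigned rootkit module is refused at load time. The following POSIX shell script is an added example, not code from the original post or from the advisory; it reads the standard sysfs knob `/sys/module/module/parameters/sig_enforce` (present when the kernel is built with module signing support, and it is an assumption that your distribution exposes it there) and accepts a file path as a parameter so the logic can also be exercised against constructed input.

```shell
#!/bin/sh
# Added example (not from the original post): check whether a Linux host
# satisfies both conditions that block Drovorub's unsigned kernel module:
#   1. kernel version >= 3.7 (module signature support exists)
#   2. module signature enforcement is turned on (sig_enforce = Y)

# Return 0 when dotted kernel version $1 is at least version $2.
# Only the first two numeric components matter for the 3.7 threshold;
# suffixes such as "-42-generic" or ".el6.x86_64" are stripped.
kernel_at_least() {
    have_major=$(printf '%s' "$1" | cut -d. -f1 | sed 's/[^0-9].*//')
    have_minor=$(printf '%s' "$1" | cut -s -d. -f2 | sed 's/[^0-9].*//')
    want_major=$(printf '%s' "$2" | cut -d. -f1)
    want_minor=$(printf '%s' "$2" | cut -s -d. -f2)
    [ "${have_major:-0}" -gt "${want_major:-0}" ] && return 0
    [ "${have_major:-0}" -eq "${want_major:-0}" ] && \
        [ "${have_minor:-0}" -ge "${want_minor:-0}" ] && return 0
    return 1
}

# Return 0 when the module signature enforcement knob reads Y (or 1).
# The file path defaults to the standard sysfs location (an assumption
# about the distribution); an absent file means the kernel was built
# without CONFIG_MODULE_SIG, so enforcement cannot be on.
sig_enforce_on() {
    file="${1:-/sys/module/module/parameters/sig_enforce}"
    [ -r "$file" ] || return 1
    case "$(cat "$file")" in
        Y|y|1) return 0 ;;
        *)     return 1 ;;
    esac
}

# Print a per-condition summary and return 0 only when both conditions hold.
# $1 = kernel release string (default: uname -r), $2 = sig_enforce file path.
drovorub_rootkit_blocked() {
    kver="${1:-$(uname -r)}"
    sigfile="${2:-/sys/module/module/parameters/sig_enforce}"
    verdict=0
    if kernel_at_least "$kver" 3.7; then
        echo "kernel $kver: 3.7 or later, module signing is supported"
    else
        echo "kernel $kver: older than 3.7, module signing unavailable"
        verdict=1
    fi
    if sig_enforce_on "$sigfile"; then
        echo "module.sig_enforce: enabled, unsigned modules are refused"
    else
        echo "module.sig_enforce: not enforced, an unsigned module could load"
        verdict=1
    fi
    return "$verdict"
}

# Live usage on a host: drovorub_rootkit_blocked
# Self-check against constructed inputs (not a real host):
tmp=$(mktemp)
printf 'N\n' > "$tmp"
drovorub_rootkit_blocked 2.6.32-754.el6.x86_64 "$tmp" || echo "verdict: NOT protected"
printf 'Y\n' > "$tmp"
drovorub_rootkit_blocked 5.4.0-42-generic "$tmp" && echo "verdict: protected"
rm -f "$tmp"
```

On a live system, run `drovorub_rootkit_blocked` with no arguments; a "not enforced" result on a modern kernel usually means the kernel was booted without `module.sig_enforce=1` (or without UEFI Secure Boot, which turns enforcement on in many distributions), which is the setting the advisory's caveat depends on.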

