What is APT28's Drovorub Malware?
The NSA and FBI have today released an advisory (pdf) about previously undisclosed malware called Drovorub, which has been attributed to the Russian General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS), military unit 26165, the group also known as APT28 or Fancy Bear. It takes advantage of several functions available in Linux kernels older than version 3.7.
What the heck is it?
Well, Drovorub is actually four tools rolled into one rather than one specific thing. It's a malware suite that consists of four components: a kernel module rootkit, an implant, a file transfer and port forwarding tool, and a C2 (Command and Control) server.
Their functions can be summarised as follows:
General communication between components is done using JSON passed over websockets.
The Server: This is generally installed in an environment controlled by the attacker. It uses a MySQL database to manage connecting agents and clients, as well as to handle authentication, tasking and registration of new agents and clients.
The Client: Installed on the target by the attacker, this receives commands from the server and allows files to be transferred between them. Other capabilities include port forwarding and remote root shells. The client is packaged with the kernel module, which provides hiding capabilities to both.
The Kernel Module: Controls the hiding of the client, its processes, files and network ports from user space.
The Agent: Generally installed on internet-facing hosts, it is similar to the client but with less capability and is not packaged with the kernel module. It appears to be used to transfer files in and out of the network and to forward network traffic.
Why is it called Drovorub? From the Russian for splitting or cutting wood, it's made up of Drovo ("wood") and Rub ("to fell"/"chop").
Should I be worried? Not unless you are running a Linux kernel older than version 3.7. Kernels from 3.7 onwards support kernel module signing enforcement, which prevents Drovorub from taking hold. Another preventative measure is to only allow trusted kernel modules, signed with a trusted certificate, to be loaded; this requires UEFI Secure Boot to be enabled. Read more about this here.
Can I detect it? A simple method for checking whether the kernel module is installed is to create a test file and then write its name, in the format shown below, to /dev/zero.
You can achieve this with the following command:
echo "ASDFZXCV:hf:testfile" > /dev/zero
If the testfile disappears (just run 'ls' afterwards), the kernel module is installed. Obviously the file remaining does not guarantee that the system has not been infected, and other methods should be used to check this. You may also want to use the Snort and Yara rules that are available in the NSA/FBI advisory here (pdf).
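As an added example (not from the post or the advisory), the check above wrapped into a POSIX shell function that returns a distinct exit code for each outcome, so it can be dropped into a scheduled host check; it assumes a writable /dev/zero and uses the marker string format quoted above with a constructed file name.

```shell
#!/bin/sh
# Added example: repeatable version of the /dev/zero hiding test.
# Exit codes: 0 = file still visible (no hiding observed),
#             1 = file vanished from listing (hiding behaviour observed),
#             2 = check could not be run (assumed convention, not from the page).
drovorub_hiding_check() {
    # Scratch directory so the marker file is easy to find and clean up.
    dir=$(mktemp -d) || return 2
    name="drovorub_probe_$$"          # constructed marker name
    # Step 1: the marker file must exist before the hide string is sent.
    : > "$dir/$name" || { rm -rf "$dir"; return 2; }
    # Step 2: write the "ASDFZXCV:hf:<name>" string to /dev/zero, as in the post.
    if ! echo "ASDFZXCV:hf:$name" > /dev/zero 2>/dev/null; then
        rm -rf "$dir"; return 2
    fi
    # Step 3: does a directory listing still show the marker file?
    if ls "$dir" | grep -qx "$name"; then
        rc=0
    else
        rc=1
    fi
    rm -rf "$dir"
    return $rc
}

# Human-readable wrapper for interactive use; the exit code is preserved.
report_drovorub_check() {
    drovorub_hiding_check
    rc=$?
    case $rc in
        0) echo "marker file still visible: no Drovorub hiding observed" ;;
        1) echo "marker file hidden from ls: Drovorub kernel module suspected" ;;
        *) echo "check could not run (no writable /dev/zero or temp dir)" ;;
    esac
    return $rc
}

report_drovorub_check
```

A result of 0 only means this one hiding hook was not observed; as the post says, the Snort and Yara rules in the advisory should be used alongside it.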