FBI Reports On Linux Drovorub Malware

The FBI and the NSA released a report on the Russian-based malware that attacks Linux known as Drovorub (PDF) and it is an interesting read. Drovorub uses a kernel module rootkit and allows a remote attacker to control your computer, transfer files, and forward ports. And the kernel module takes extraordinary steps to avoid detection while doing it.

What is perhaps most interesting though, is that the agencies did the leg work to track the malware to its source: the GRU — Russian intelligence. The name Drovorub translates into “woodcutter” and is apparently the name the GRU uses for the program.

A look inside the code shows it is pretty mundane. There’s a server with a JSON configuration file and a MySQL backend. It looks like any other garden-variety piece of code. To bootstrap the client, a hardcoded configuration allows the program to make contact with the server and then creates a configuration file that the kernel module actively hides. Interestingly, part of the configuration is a UUID that contains the MAC address of the server computer.

The rootkit won’t persist if you have UEFI boot fully enabled (although many Linux computers turn UEFI signing off rather than work through the steps to install an OS with it enabled). The malware is easy to spot if you dump raw information from the network, but the kernel module makes it hard to find on the local machine. It hooks many kernel functions so it can hide processes from both the ps command and the /proc filesystem. Other hooks remove file names from directory listings and also hides sockets. The paper describes how to identify the malware and they are especially interested in detection at scale — that is, if you have 1,000 Linux PCs on a network, how do you find which ones have this infection?

This is a modern spy story, but not quite what we’ve come to expect in Bond movies. “Well, Moneypenny, it appears Spectre is using the POCO library to generate UUIDs,” is hard to work into a trailer. We prefer the old days when high-tech spying meant nonlinear junction detectors, hacking Selectrics, moon probe heists, and passive bugging.

26 thoughts on “FBI Reports On Linux Drovorub Malware

  1. The English translation of the name (woodcutter) sounds like one of those oddball names from the NSA ANT catalog: bulldozer, candygram, deitybounce, entourage, firewalk, gensis, iratemonk, jetplow, waterwitch, ….

    And the hack of hiding at an extremely low level in a system and modifying everything on the fly that could normally be used to detect it and to in effect report back “everything is normal exactly as you would expect” sounds almost like that “2004 greek wire tap”, where the person trying to investigate it was murdered.

    1. It may come as surprise to you, but the word ‘drovorub’ doesn’t exist in Russian. Those under educated folks in CIA are trying to invent something to cover their own actions, again.

      1. The English word woodcutter translates to Russian as дровосек which is pronounced by an English speaker as drovosek.

        The English word woodcutter translates to Ukrainian as дроворуб which is pronounced by an English speaker as drovorub.

        Is the name Russian, no. Is the name from that general region of the world, yes.

        1. According to google translate the Ukrainian word дроворуб could also be translated to English as “lumberjack” or “chipper”, all of which still sound like a name that would be right at home as a item on the NSA ANT catalog.

    2. Name “drova” in russian are used as kinda shortening for “drivers”.
      “Did you update mainboard drivers?” – “Ты обновил дрова материнки?”

      Hence “drovorub” could be translated as “driver” cuttter, ripper, disabler, knocker etc.

      вырубить пацана – to knock down guy

  2. A friend points out if you boot off CD you should be able to mount the HD and see the module, which makes me think about setting up the computer to netboot off a share every xth time it reboots.

  3. Last time I checked, the GRU was their military intelligence agency. Usually Army intel. And they view their counterparts the agency who took over the Intel brach who typically got involved with what we did, with let’s just say extreme upset.

    The only time they could agree to anything was during the early part of the Cold War, figure the late 1940s to the early 1950s. And yes the beginnings of the James Bond era.

  4. > The name Drovorub translates into “woodcutter”

    It does not.

    Honestly, they failed with the name. There no word “drovorub” in russian. Woodcutter is “drovosek”. “Drovorub” looks like bad google translation, nonsense word. For russian ear that “Drovorub” sounds like somebody asks “how much watch” to find out current time.

    Russian military prefer some non-agressive flower names, say, tear-gas is “cheremukha” (“bird-cherry” in english), “romashaka” (“daisy”) for nuclear reactor, or natural phenomenon names for internal use.

    Also, working for the government for russian hacker is no go at all. The quality and competence of any government workers connected with IT is very low. That is due to very low salaries, bad attitude to workers and overall distrust to the government in highly educated people. That is historical fact, and nothing changing over many decades. Every good IT specialist with russian origin is working for Eastern company, emigrated or work for himself. In the worst case, russian IT specialist will work for some Yandex or Sberbank, but that is a terminal case.

    So, I higly doubt that this exploit is really have something with GRU lamers and have russian origin. The best thing GRU could really do is to take some other people exploit and pass it off as their own to get some budgetary financing. And even in that case they definitely would not name it “Drovorub”.

    Also, looking in NSA paper I find out that keys and vars in JSON is correctly named in english. That is highly improbable for software originated from russian state agency. Usually there will be a lot of grammar mistakes and heavy usage of transliterated to latin russian words.

    So, if you really interested on the exploit origin it is better to search it on github :)

      1. Russians programmers usually use english key and var names in programs.

        But there is one interesting moment. If a russian programmer knows english good enough and did not make any mistakes at least in code, it’s highly likely that programmer already work for Western company, have own business or emigrated. Such person will never work for state agency. At least for financial reasons. So, state agencies have to use some students with low skills and bad knowledge of english who unclaimed for better job. Nobody need a programmer who don’t know english well. And that programmers make a lot of mistakes in naming keys and vars, trying to use english they don’t know, or just use transliterated russian words.

  5. To me as a Russian speaker the name sounds totally fake. The proper translation of “woodcutter” would be either “drovosek” or “lesorub”. “Drovorub” is a chimera of the two.

    1. Yeah, but that’s similar to lots of exploit names in English, where there’s a play on words to make it sound different enough you can recognize it by itself. (Or just to sound l33t).

      1. That does not work in that manner in russian. You can’t take any two words and make a “word play” like in english. There are a lot of unwritten rules in russian about words combinig and modification. You can’t say, for example “Derevnyanin” or “Derevnuk” trying to figure out how to name a villager knowing that a village is “Derevnya”. It’s the mistake often made by non-native speakers, and even if it is clear what the speaker means, it is sounds ugly, wrong and foreign, not like a word play. “Drovorub” looks like some foreigner making a mistake trying to speak russian. Exactly like that.

        Really, I could be even some kind of proud, if some modern Russian three-letter agency made something really cool and hacky, something like KGB’s non-transmitting undetectable microphone bug in US embassy in 40’s known as The Thing. But now that agencies is just state budget eaters, mostly plundering tax money, racketeering and bullying russian citizens to show their necessity for powers, nothing more.

        Also russian hackers and programmers rarely use russian words to name projects. You could easily check github for that.

    2. The NSA/FBI document only says that the Russian GRU deployed the Drovorub Malware, nowhere in the document did it say that the Drovorub Malware was actually developed in Russia. It could even be an item from the NSA ANT catalog, I’m not saying it is.

      The problem is that a security organisation have it ingrained in their nature to control the narrative and keep it as simple and pure as possible. They are used to ELI5 (explain like I’m five), when dealing with people outside of their organisation. Selectively presenting facts to further a agenda is what they are used to doing (basic propaganda 101). If the malware was developed in the Ukraine, or even if that is a false flag, it does not fit into a simple narrative so leave it out.

      (woodcutter in Ukrainian is дроворуб which is pronounced by an English speaker as drovorub)

  6. Something about this seemed fishy to me… but look at all the /other/ reasons! No comment whatsoever about the friggin’ MAC address? I mean, who would be so stupid? Maybe that’s the point, I’m the only one dumb-enough to believe anyone wouldn’t see that… making me, then, “Captain Obvious”, eh?

  7. I’m sure that FBI had no reason to pin blame on Russia for this software. OTOH, they have been doing Russian witchhunt for 4 years now with no success. Maybe attempt number 57 will stick …

  8. It would be interesting to hear HOW the FBI tracked it back to the GRU. And how it was found to begin with. Equally likely is someone stumbled on a CIA or NSA product which was in use but hadn’t yet been leaked. IP addresses and MACs can be spoofed.

  9. I find it odd that all the commentary on this tried to either nitpick the name to say it isn’t Russian, this is tool by the CIA, or some other non-tech distraction.

    Nothing Russian to see here. Move along or drink this very healthy tea comrad.

  10. But how does this get installed?

    That’s the main thing I want to know about any sort of malware so as to avoid it.

    Clearly this needs root access to be installed on a computer. It even has a kernel module!
    It’s not like Linux users are typically downloading installers for strange programs and running them as root. Most I assume would get pretty much everything through their distro’s repos and I would expect there to be a lot of eyes on that to keep malware out.

    Also, how does the FBI know so much about the server side? I can see knowing the servers API by having access to the client and maybe inferring something about it’s operation from that but they even know that it uses a MySQL backend? Is the client sending back sql? That would be a terrible design wouldn’t it? Maybe someone should send them some commands to DELETE * or DROP TABLES.

    And then there’s the language thing. So many comments that it’s not Russian. Even after someone already pointed out that it’s actually Ukranian. Don’t people read the comments before them before they post?

    Someone else posted that a good programmer who doesn’t make a lot of mistakes wouldn’t be working for a state agency, that the state agencies have to make do with students. Well, I again point out that somehow the FBI seems to know that the server uses MySQL. Sending actual SQL statements from client to server sounds like something a beginner might do to me.

    So is this maybe a Ukranian malware program? Or did Russia hire Ukranians? Or is it the FBI trying to cover up a piece of American malware like some commenters here have said? If the latter though, why can’t they use Google and get the correct word for woodcutter? That kind of ineptitude seems almost hard to believe.

    1. > Or did Russia hire Ukranians?

      Highly improbable. Official narrative in Russia is that Ukrainians are Western shills and no state agency will be allowed to pay something to Ukrainian company. Also it is financially unprofitable for agency high-rank stuff to spend the money that way. They prefer to spend tax money on their villas, furs and diamonds.

      > Or is it the FBI trying to cover up a piece of American malware like some commenters here have said?

      Not necessary. It could be just random rootkit circulating in internet.

      > If the latter though, why can’t they use Google and get the correct word for woodcutter?

      You will probably be amased, if I tell you, that there exists russian-hollywood paradox. If plot of american movie assume something russian it would be filmed in ugliest way possible. And that’s not about how the russians painted, bad or good (who cares, it’s movie), it’s about details – “russian language” dialogs, labels, writings, papers, traditions even proverbs etc. It’s impossible to imagine that movie creators with millions in budget could not spent miserable money to hire somebody with russian origin for making things properly. Hollywood production is one of huge meme sources in Russia, because of nonsence picturing of russian details. You will find hundreds and thousands screenshots with weird writings, documents, labels etc. from movies that make russians laugh a lot. Just one example – https://trailmax.info/wp-content/uploads/2012/02/bourne_passport-1024×532.jpg , it’s the russian passport from ‘The Bourne Identity’. The russian version is just random cyrillic letters. Real russian text should be “КИНЯЕВ ФОМА”. Movie had $60M budget, they did find/made correct russian passport blank and they didn’t find few bucks to pay somebody for a correct russian translation. It’s everyvhere in US movies, from labels on “russian” doomsday machines to “russian” roadsigns. They have millions, they bothered to create all that not so cheap props, but failed to make corrent translation. I’ts really paradoxical, fascinating and provide an endless fun for russians. :)

      So, I don’t think that some FBI bureaucrat would bother with something “russian” more than hollywood with $ millions.

    2. > “Clearly this needs root access to be installed on a computer. It even has a kernel module!
      It’s not like Linux users are typically downloading installers for strange programs and running them as root. Most I assume would get pretty much everything through their distro’s repos and I would expect there to be a lot of eyes on that to keep malware out.”

      Users downloading/installing 3rd party repos are the bane of my existence. Many of them are off-shore, and at least 2 of the most popular ones have .ro domains built right into them.

      1. Well, I just install the latest kernel update that Mint recommends…
        If those kernels have the bad stuff, I’ve put too much trust in their product.
        (yes, I am that naive at times)

Leave a Reply to kc8rwr Cancel reply

Please be kind and respectful to help make the comments section excellent. (Comment Policy)

This site uses Akismet to reduce spam. Learn how your comment data is processed.