Fwiw, my take when I saw the report was along the lines of "Oh, that's
interesting, what was the infection vector, how do I discover if a box is
infected, etc" and the supposed "technical details" were a bunch of
handwaving and then a suggestion to not run a kernel before 3.6 or
something. Who is still running a kernel as old as 3.6?

"To prevent a system from being susceptible to Drovorub’s hiding and
persistence, system administrators should update to Linux Kernel 3.7 or
later in order to take full advantage of kernel signing enforcement." ...
like, when was this report written and why is it only now becoming public?
The last 3.6.x stable release was in December 2012. If the operating system
is hiding its parts from you, why not boot a live system to investigate? It
just reads like weird baffle-them-with-bs.
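As an added, defender-side example that is not from this thread or the advisory: a POSIX shell script covering the two things the quoted recommendation touches, whether the running kernel enforces module signatures (the `sig_enforce` parameter) and whether the unsigned-module taint bit is set, plus the usual cross-check of `/sys/module` against `/proc/modules` for a module that has been unlinked from the module list. The default paths are the real kernel interfaces; they are parameters so the checks can also be run against constructed files, and `report` is an assumed wrapper name.

```shell
#!/bin/sh
# Module-signing and hidden-module checks for a live Linux host.
# Each function takes optional file paths so it can be tested offline.

# Report whether the kernel enforces module signatures.
# Prints enforced / not-enforced / unknown; exit status 0 / 1 / 2.
sig_enforce_status() {
    f="${1:-/sys/module/module/parameters/sig_enforce}"
    [ -r "$f" ] || { echo unknown; return 2; }
    case "$(cat "$f")" in
        Y) echo enforced; return 0 ;;
        N) echo not-enforced; return 1 ;;
        *) echo unknown; return 2 ;;
    esac
}

# True (exit 0) when taint bit 13 (TAINT_UNSIGNED_MODULE, flag 'E') is set,
# i.e. an unsigned module was loaded at some point since boot.
unsigned_module_tainted() {
    f="${1:-/proc/sys/kernel/tainted}"
    t=$(cat "$f" 2>/dev/null) || return 2
    [ $(( t & 8192 )) -ne 0 ]
}

# Print names of loadable modules known to sysfs (they have an "initstate"
# file; built-in code does not) that are missing from /proc/modules.
# A non-empty list means something is hiding from the module list.
hidden_modules() {
    procmods="${1:-/proc/modules}"
    sysmod="${2:-/sys/module}"
    for d in "$sysmod"/*/; do
        [ -f "${d}initstate" ] || continue
        name=$(basename "$d")
        grep -q "^$name " "$procmods" || echo "$name"
    done
}

# Assumed wrapper: run all three checks against the live system.
report() {
    echo "module signature enforcement: $(sig_enforce_status)"
    if unsigned_module_tainted; then
        echo "taint: unsigned module has been loaded (E)"
    fi
    hidden="$(hidden_modules)"
    [ -z "$hidden" ] || printf 'modules absent from /proc/modules:\n%s\n' "$hidden"
}

[ "${1:-}" = "--run" ] && report
```

Run it as `sh modcheck.sh --run` on the host under review; a hidden module or a missing enforcement flag is a reason to continue the investigation from a live-boot image rather than from the running system.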

On Tue, Aug 18, 2020 at 7:28 PM King Beowulf <[email protected]> wrote:

> On 8/14/20 5:33 AM, Rich Shepard wrote:
> > As a computer user and a non-professional I'd like your thoughts on this
> > Ars Technica article, "NSA and FBI warn that new Linux malware threatens
> > national security."
> >
> > <https://arstechnica.com/information-technology/2020/08/nsa-and-fbi-warn-that-new-linux-malware-threatens-national-security/>
> >
> >
> > Rich
> >
>
> The media hype on this is hysterical...because RUSSIA!
>
> There have been numerous toolkits over the years with similar
> functionality (rootkit + botnet + spyware etc), so I'm not surprised a
> government spy agency cleans it up.  Heck, UK probably has the same
> thing called "007" or similar and USA's some sort of unpronounceable
> acronym...
>
> From what I can tell, it is unlikely for this to be an issue without
> local root privileges since it is MALWARE and not an EXPLOIT:
>
> 1. needs local access to computer OR
> 2. trick the user into installing the software via email or compromised
> download (gee, does that STILL happen?) OR
> 3. piggyback on existing remote access exploit to gain root access
> (privilege escalation).
>
> Thus, the same rules apply to keeping this off your systems and servers
> as have for decades: don't click random links, don't download random
> executable files, etc.
>
> -Ed
>
> _______________________________________________
> PLUG: https://pdxlinux.org
> PLUG mailing list
> [email protected]
> http://lists.pdxlinux.org/mailman/listinfo/plug
>