Friday, August 14, 2020

TECH

FBI and CIA discover previously unknown highly lethal complex malware

The CIA and FBI published a joint report on the discovery of a previously unknown, complex malware called Drovorub, whose developers, according to the researchers, are linked to Russian special services and the hacking group Fancy Bear, also known as APT28, Group 74, Iron Twilight, Pawn Storm, Sednit, Sofacy and Strontium.

Drovorub (Russian for "woodcutter") consists of four main executable components: a client implant, a rootkit in the form of a Linux kernel module, a client module for file transfer and port/traffic forwarding, and a management server. The server is responsible for registering and authenticating clients and sending them tasks. Communication uses the WebSocket protocol.

The client ships with a ready-made configuration for connecting to the server and can execute arbitrary commands as root, download and upload any files, and forward traffic to other hosts and clients, including tunnelling to other infected hosts on the compromised network that may have no direct Internet access.



After the client is installed, the kernel module (the rootkit) is loaded, and that is where the fun begins. The Drovorub kernel module hooks the kernel's own system calls and intercepts them. It hides its own presence, the client and the client's processes from the process list, so that no trace of the unwanted software can be seen on the system. It also hides the client's files and directories, and any others on request. In addition, the rootkit filters out the client's network artifacts: packets, sockets (including raw sockets) and netfilter rules.

The communication between the client and the kernel module is organised in an interesting way. The module creates a pseudo-device (similar to /dev/zero) and "listens" to all data written to it, extracting the client's commands. For the reverse direction, the module sends a signal to the client, which then reads the required data from the pseudo-device. This, by the way, provides one of the easiest ways to check for the rootkit on a system: send the module a command to hide a file via the pseudo-device and see whether the file disappears from the directory listing.
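The file-hiding check described above, written out as an added example (this script is not from the article or the advisory it reports on). The actual command string the kernel module parses is not given on this page, so `HIDE_COMMAND` is a labelled placeholder and `/dev/zero` is assumed as the pseudo-device; what the script demonstrates is the mechanics of the test: create a marker file, send the hide command, and see whether the marker is still listed. On a clean host the result is always `visible`.

```shell
#!/bin/sh
# Added example, not from the article or the advisory: probe for the
# file-hiding behaviour of a Drovorub-style rootkit.
# HIDE_COMMAND is a labelled placeholder; the real command string is not on
# this page, so on a clean system the write is simply discarded by /dev/zero.
HIDE_COMMAND="${HIDE_COMMAND:-PLACEHOLDER_HIDE_COMMAND}"

# probe_file_hiding [DEVICE]: create a marker file in a fresh temporary
# directory, write "<hide command>:<marker name>" to DEVICE (default: the
# assumed pseudo-device /dev/zero), then report whether the marker is still
# present in the directory listing. Prints "visible" (expected on a clean host)
# or "hidden" (the marker vanished, which is the rootkit's signature).
probe_file_hiding() {
  device="${1:-/dev/zero}"
  dir=$(mktemp -d) || { echo error; return 2; }
  name="probe_$$"
  : > "$dir/$name"

  # Send the (placeholder) hide command. Failure to write is not an error
  # for this probe, so the exit status is ignored.
  printf '%s:%s\n' "$HIDE_COMMAND" "$name" > "$device" 2>/dev/null || true

  # A hooked getdents would remove the name from the listing.
  if ls -a "$dir" | grep -qx "$name"; then
    result=visible
  else
    result=hidden
  fi

  rm -rf "$dir"
  echo "$result"
}

# Run the probe and report the outcome.
echo "file-hiding probe: $(probe_file_hiding)"
```

A result of `hidden` is not proof on its own, but it is a cheap first signal that justifies the more expensive memory and disk image analysis the article mentions next; run the probe from a shell the rootkit is unlikely to have been told to ignore, and keep the marker name unique so the check cannot be confused with legitimate cleanup.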



Other local detection methods involve more expensive memory and disk image analysis. Traces of network activity and entries in the kernel logs may also give the rootkit away. To avoid infection, it is recommended to update the Linux kernel to version 3.7 or later (the first version with kernel module signature verification), install updates, disable the loading of untrusted and unsigned kernel modules, and use UEFI Secure Boot.
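The mitigations in the paragraph above are all things an administrator can verify from a shell. The following read-only check is an added example (not from the article or the advisory): it compares the running kernel against the 3.7 baseline, reads the standard procfs and sysfs knobs for module loading restrictions, and decodes the UEFI `SecureBoot` EFI variable. The file paths are the usual Linux locations; where one is absent (a VM without UEFI, a kernel built without module signing) the script reports `unknown` rather than guessing.

```shell
#!/bin/sh
# Added example, not from the article or the advisory: a read-only report on
# the hardening measures recommended against Drovorub.

# kernel_at_least WANT [HAVE]: succeed if kernel version HAVE (default: the
# output of uname -r) is at least WANT, comparing major.minor only.
# Example: kernel_at_least 3.7 5.4.0-generic
kernel_at_least() {
  want_major=${1%%.*}
  want_minor=${1#*.}; want_minor=${want_minor%%.*}
  have=${2:-$(uname -r)}
  have_major=${have%%.*}
  rest=${have#*.}; have_minor=${rest%%[!0-9]*}
  have_minor=${have_minor:-0}
  [ "$have_major" -gt "$want_major" ] && return 0
  [ "$have_major" -eq "$want_major" ] && [ "$have_minor" -ge "$want_minor" ]
}

# read_or_unknown FILE: print the first line of FILE, or "unknown" if absent.
read_or_unknown() {
  if [ -r "$1" ]; then head -n 1 "$1"; else echo unknown; fi
}

# secure_boot_state: decode the UEFI SecureBoot variable as exposed by
# efivarfs. The file is a 4-byte attribute header followed by one data byte,
# where 1 means Secure Boot is enabled.
secure_boot_state() {
  var=/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c
  if [ -r "$var" ]; then
    byte=$(od -An -t u1 -j 4 -N 1 "$var" | tr -d ' ')
    if [ "$byte" = "1" ]; then echo enabled; else echo disabled; fi
  else
    echo unknown
  fi
}

# report_hardening: print one line per control. modules_disabled=1 forbids all
# further module loading; sig_enforce=Y rejects unsigned modules; a lockdown
# value other than [none] also blocks unsigned module loading.
report_hardening() {
  if kernel_at_least 3.7; then k=ok; else k="OLD ($(uname -r))"; fi
  echo "kernel >= 3.7:       $k"
  echo "modules_disabled:    $(read_or_unknown /proc/sys/kernel/modules_disabled)"
  echo "module sig_enforce:  $(read_or_unknown /sys/module/module/parameters/sig_enforce)"
  echo "kernel lockdown:     $(read_or_unknown /sys/kernel/security/lockdown)"
  echo "UEFI Secure Boot:    $(secure_boot_state)"
}

report_hardening
```

Any line reading `OLD`, `0`, `N`, `[none]` or `disabled` marks a control that is not in effect; the version check is deliberately major.minor only, because distribution kernels carry backported fixes and the point of the 3.7 threshold is the availability of module signature enforcement, not a specific patch level.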

AVnewws
