Linux OS is perceived to have fewer security vulnerabilities than systems like Windows. However, that doesn’t mean users shouldn’t remain alert to the threat of Drovorub malware, especially when using RDP.
Linux maintains popularity among many users who view it as being faster and more secure than Windows, Android, and other OS installations. Many government organizations rely on Linux for that reason, though it is growing in popularity among many commercial and education sectors. However, a recent alert issued by the National Security Agency (NSA) and the Federal Bureau of Investigation (FBI) makes it clear that even Linux users aren’t safe from the threat of a malware attack. The warning outlined the dangers presented to Linux systems by the malware Drovorub.
Exploitation of RDP Vulnerabilities
The changing needs of businesses, schools, and government institutions have people relying more and more on the Remote Desktop Protocol (RDP) to access remote desktops and carry out the tasks their organizations require. Many companies have employees using RDP to remote into Windows systems from a computer running Linux, and vice versa.
Concerns around the security of the ports used for RDP connections have persisted since the technology was introduced. Those vulnerabilities are precisely what the Drovorub malware looks to exploit. Per the report issued by the NSA and the FBI, the origins of the malware can be traced back to the same Russian hackers responsible for attacks on other business and government platforms.
Many organizations fail to properly secure their RDP setup, giving hackers an entrance to constantly bombard with stolen user credentials until they find the right combination. Once they’re in, those same credentials end up sold to other hackers, leaving institutions exposed to future cyberattacks.
Why Drovorub is a Threat to Linux Users
Drovorub is a full-featured malware toolkit designed to target the Linux OS. It consists of four main components designed to hide inside systems.
- Client — The client infects Linux devices, sending commands to and from the associated server, allowing hackers to transfer files to and from the targeted device.
- Kernel Module — The kernel module functions similarly to a rootkit. It comes packaged with the client, embeds itself deep in the Linux system, and hides the malware's files and processes from the OS so they are never registered as malicious.
- Agent — The agent acts as a go-between for any infected machines and the server sending commands. It remains under the control of hackers who can perform actions like uploading and downloading files along with forwarding network traffic through port relays.
- Server — Provides control of the agent and client to hackers using a MySQL database to hold data needed for component registration, authentication, and tasks.
Hackers use Drovorub to seize control of an organization’s systems. They may demand a ransom before they will give back control, steal valuable information to sell to other interested parties, or go ahead and implant additional malware that impacts the institution’s ability to function.
Protecting Linux Systems Against Drovorub
There are many different Linux RDP clients in use by various institutions, with support for protocols like SSH, RDP, VNC, and NX. There are also some best practices organizations can follow to better protect their Linux systems from infection by Drovorub malware and other cyber threats, including:
- Frequent Scanning for Rootkits — One of the most frustrating things about Drovorub is how well it hides among standard system files. However, routine scanning for rootkits among low-level system processes can locate any Drovorub instances on network-connected Linux computers.
- Enable UEFI Secure Boot — Setting Secure Boot to secure or thorough mode initiates cryptographic signature checks on the firmware and kernel. It prevents unsigned kernel drivers from loading and makes it harder for hackers to direct their attacks against a Linux system.
- Limits on Module Loading — Make sure that the Linux setup only loads modules known to the system. That means restricting which modules may be loaded at all, and explicitly enabling or disabling specific modules rather than allowing arbitrary module loading.
- Enable Security Enhancement Systems — More recent Linux distributions come with SELinux or AppArmor. They provide more precise control over access and security policies. Organizations should consider using these out-of-the-box tools for added protection against malware.
Other steps institutions can take to secure Linux systems include limiting API access, putting audit processes in place, and granting only the minimum access needed to perform a job function. Every organization running instances of Linux OS should remain aware of the evolution of Drovorub and other malware targeted at Linux systems.
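As an added example that is not part of the original article, the following read-only POSIX shell script audits the Secure Boot, kernel lockdown and module-loading settings recommended above. The file paths are the standard sysfs/procfs interfaces; the helper names, the optional path arguments (used for testing against constructed files) and the reliance on coreutils `od`/`sed` are assumptions of this example.

```shell
#!/bin/sh
# Added audit script (not from the original article). Each helper takes an
# optional file path so it can be tested against constructed files; the
# defaults are the real sysfs/procfs locations. Needs coreutils od/sed.

# Secure Boot state from the EFI variable: 4 attribute bytes, then 1 value byte.
secure_boot_state() {
    f="${1:-/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c}"
    [ -r "$f" ] || { echo unknown; return 0; }
    case "$(od -An -tu1 -j4 -N1 "$f" | tr -d ' ')" in
        1) echo enabled ;;
        0) echo disabled ;;
        *) echo unknown ;;
    esac
}

# Kernel lockdown mode; the file reads e.g. "none [integrity] confidentiality".
lockdown_mode() {
    f="${1:-/sys/kernel/security/lockdown}"
    [ -r "$f" ] || { echo unknown; return 0; }
    sed -n 's/.*\[\([a-z]*\)\].*/\1/p' "$f"
}

# kernel.modules_disabled sysctl: 1 blocks all further module loading until reboot.
modules_disabled() {
    f="${1:-/proc/sys/kernel/modules_disabled}"
    [ -r "$f" ] && cat "$f" || echo unknown
}

# Module signature enforcement: Y means only signed modules may load.
sig_enforce() {
    f="${1:-/sys/module/module/parameters/sig_enforce}"
    [ -r "$f" ] && cat "$f" || echo unknown
}

# Print one report line and return the number of failed checks (0 = all good).
audit() {
    n=0
    sb=$(secure_boot_state "$1"); ld=$(lockdown_mode "$2")
    md=$(modules_disabled "$3");  se=$(sig_enforce "$4")
    [ "$sb" = enabled ] || n=$((n + 1))
    [ "$ld" = integrity ] || [ "$ld" = confidentiality ] || n=$((n + 1))
    [ "$md" = 1 ] || [ "$se" = Y ] || n=$((n + 1))
    printf 'secure_boot=%s lockdown=%s modules_disabled=%s sig_enforce=%s failed_checks=%d\n' \
        "$sb" "$ld" "$md" "$se" "$n"
    return "$n"
}

audit || echo "hardening gaps found: $?"   # live-system run when executed directly
```

A state of `unknown` means the interface is absent (for example a non-UEFI boot or a kernel built without lockdown), which itself deserves investigation rather than being treated as a pass.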
NSA flickr photo by Mario A. P. shared under a Creative Commons (BY-SA) license