Drovorub Linux Malware: A serious rootkit threat to Linux servers
You’ve probably read about the SolarWinds hack. It’s been all over the news for the past couple of weeks. The same group suspected of that hack is also behind a new rootkit called Drovorub. This attack specifically targets Linux kernel versions 3.7 or lower, which lack adequate kernel signing enforcement. That range includes a lot of Red Hat and SUSE Linux Enterprise servers currently in production environments.
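The condition the post names (a kernel of 3.7 or lower with no effective kernel signing enforcement) is something you can check across a fleet before an incident. The script below is an added example written for this post; it is not Storix code and not part of the NSA/FBI advisory. It parses the `uname -r` string, reads the module-signature enforcement knob that kernels built with CONFIG_MODULE_SIG expose under sysfs, and reads the UEFI SecureBoot variable from efivarfs (both paths are assumed readable; efivarfs normally needs root). It only reports; it changes nothing.

```python
"""Report whether a Linux host sits in the range the post describes: a kernel
of 3.7 or lower, with no module signature enforcement and no Secure Boot.
Example code added to this post; not Storix code, not from the advisory."""
import platform
import re
from typing import List, Optional, Tuple

# Highest kernel version the post names as targeted ("3.7 or lower").
LAST_TARGETED_KERNEL = (3, 7)
# Exposed by kernels built with CONFIG_MODULE_SIG: "Y" means modules with a
# missing or invalid signature are refused at load time.
SIG_ENFORCE_PATH = "/sys/module/module/parameters/sig_enforce"
# UEFI SecureBoot variable under the EFI global-variable GUID. efivarfs files
# carry a 4-byte attribute header followed by the variable data (1 byte here).
SECURE_BOOT_VAR = ("/sys/firmware/efi/efivars/"
                   "SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c")


def parse_kernel_version(release: str) -> Tuple[int, int, int]:
    """Turn a `uname -r` string such as '2.6.32-754.el6.x86_64' into (2, 6, 32)."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", release)
    if not m:
        raise ValueError(f"unrecognised kernel release string: {release!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def kernel_in_targeted_range(release: str) -> bool:
    """True when the kernel is 3.7 or lower (major.minor comparison)."""
    major, minor, _ = parse_kernel_version(release)
    return (major, minor) <= LAST_TARGETED_KERNEL


def module_signing_enforced() -> Optional[bool]:
    """True/False from sysfs, or None when the kernel lacks CONFIG_MODULE_SIG."""
    try:
        with open(SIG_ENFORCE_PATH) as f:
            return f.read().strip() == "Y"
    except OSError:
        return None


def secure_boot_enabled() -> Optional[bool]:
    """True/False from the UEFI variable, or None if not UEFI / not readable."""
    try:
        with open(SECURE_BOOT_VAR, "rb") as f:
            data = f.read()
    except OSError:
        return None
    return len(data) >= 5 and data[4] == 1


def assess(release: str, sig_enforce: Optional[bool],
           secure_boot: Optional[bool]) -> List[str]:
    """Return the findings for one host; an empty list means none of the three apply."""
    findings: List[str] = []
    if kernel_in_targeted_range(release):
        findings.append(f"kernel {release} is 3.7 or lower: no adequate module signing enforcement")
    if sig_enforce is None:
        findings.append("kernel built without module signature support (no sig_enforce knob)")
    elif not sig_enforce:
        findings.append("module signature enforcement is off (sig_enforce=N)")
    if secure_boot is None:
        findings.append("UEFI Secure Boot state unavailable (legacy BIOS boot or efivarfs unreadable)")
    elif not secure_boot:
        findings.append("UEFI Secure Boot is disabled")
    return findings


if __name__ == "__main__":
    # platform.release() returns the same string as `uname -r` on Linux.
    for line in assess(platform.release(), module_signing_enforced(),
                       secure_boot_enabled()) or ["no findings"]:
        print(line)
```

Run it as root on each host, or feed `assess()` values collected by your inventory tool. Note that a host that reports clean here is still only as trustworthy as the kernel answering the questions, which is the point the rest of the post makes.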
How serious a threat is the Drovorub rootkit attack? It’s bad enough to compel the NSA and FBI to issue a joint security advisory.
If your Linux servers were to suffer this kind of attack, could you ever get back to where you were before it happened? Before you answer, consider that when you suffer that magnitude of attack, you’ll be doing more than just scanning files to see which ones have been corrupted. Your entire operating system will no longer be trustworthy because these serious hackers who have set their sights on Linux systems are using a rootkit to get the data they crave.
What is a rootkit? A rootkit is malicious code that gives an attacker privileged, persistent access to some part of your hardware or software while hiding its own presence. And once rootkits are in your network, they have various means of evading detection.
Some cyber security companies claim they can remove a rootkit, but in most cases the only remedy is to re-install the operating system. In extreme cases, when there’s a rootkit in your firmware, you’ll need to replace your hardware, too.
Why Rootkit Attacks Are So Hard to Fight
Your malware detection program may be top-notch. But even if it manages to identify and remove a rootkit, you’ll have a very hard time determining which other files were affected by it. For one thing, rootkits can simply prevent you from seeing all the contents of a directory. Other malicious files can then hide in plain view.
For another thing, rootkits can also change the dates of files to make them look older. As you’re cleaning up after a malware attack, you may simply decide to delete all files that were edited after the exact time of the attack. But rootkits can roll back the dates of your files to make them look as if they were untouched by the attack.
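One check that survives a rolled-back modification date: userland can rewrite mtime and atime with utime() or `touch -d`, but the kernel sets ctime from the real clock on every inode change and offers no call to set it directly. A file whose mtime is older than its ctime was therefore touched after the date it claims. The scanner below is an added example written for this post (not Storix code); it assumes it is run from a trusted rescue boot against the suspect filesystem mounted read-only, because, as the post says next, a kernel rootkit on the live host can falsify what stat() reports.

```python
"""Flag files whose on-disk timestamps contradict what mtime alone claims.
Example code added to this post (not Storix code). Run from a rescue boot
against the suspect filesystem mounted read-only."""
import os
import sys
import time
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Finding:
    path: str
    mtime: float
    ctime: float
    reason: str


def scan_timestamps(root: str, attack_epoch: Optional[float] = None,
                    tolerance: float = 2.0) -> List[Finding]:
    """Walk `root` and report files whose mtime was rolled back.

    A file whose mtime sits more than `tolerance` seconds before its ctime
    was touched after the time it claims as its last modification: either a
    rolled-back mtime or a benign chmod/chown/rename, which a content hash
    against a known-good copy tells apart. With `attack_epoch` (Unix time)
    set, the stronger case is reported separately: mtime before the attack,
    ctime at or after it.
    """
    findings: List[Finding] = []
    for dirpath, _dirnames, filenames in os.walk(root, followlinks=False):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)       # lstat: never follow symlinks
            except OSError:
                continue                  # vanished or unreadable; skip
            if st.st_ctime - st.st_mtime <= tolerance:
                continue                  # mtime and ctime agree
            if attack_epoch is not None and st.st_mtime < attack_epoch <= st.st_ctime:
                reason = "claims pre-attack mtime but inode changed during/after the attack window"
            else:
                reason = "mtime earlier than ctime: rolled-back mtime or later metadata change"
            findings.append(Finding(path, st.st_mtime, st.st_ctime, reason))
    return findings


if __name__ == "__main__":
    # usage: python3 timestamp_scan.py /mnt/suspect [attack-time-as-unix-epoch]
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    when = float(sys.argv[2]) if len(sys.argv) > 2 else None
    for f in scan_timestamps(root, when):
        print(f"{f.path}: mtime={time.ctime(f.mtime)} ctime={time.ctime(f.ctime)} ({f.reason})")
```

Treat hits as triage input, not proof: package upgrades and permission changes also leave mtime behind ctime. What the check does give you is a list that a rolled-back mtime cannot shorten, which is exactly what deleting "everything edited after the attack" lacks.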
And remember, even the tools you’re using to detect rootkit attacks can be compromised by the very code they were designed to detect. We’re not talking about simple viruses here. We’re dealing with some of the most serious threats to Linux and Unix systems.
Two Safe Ways to Respond to a Rootkit Attack
As you can see, it’s virtually impossible to respond to a rootkit attack by removing the malware and all the files it affected. If you take that approach, you’ll likely discover that more and more of your files continue to get infected over time by installers that your detection tools can’t even see. Keep in mind that malware can even settle in at the kernel level, making your operating system unusable from that point on.
The only safe way forward is to start over on a clean system. To get there, you have two options. You could reinstall your operating system. This approach will also require you to reinstall all of your patches and updates, and to reapply all of your configurations. You’ll be in for many hours of work, and you may never get everything back to the satisfaction of your end users.
Your second option is to roll back to your last known good backup before the attack. If you’ve pinpointed the time of the attack, this should be no problem. But keep in mind that the all-too-common approach of backing up only applications and data isn’t enough. If your backups don’t include your operating system, they will be far too risky to rely on after a rootkit attack.
If you do back up your entire operating system, you’ll even have a reliable solution in the event of ransomware attacks. During these devastating attacks, cyber criminals encrypt your files and demand payment to decrypt them. But if you can roll back your entire OS to before the attack, you’ll escape without paying a dime.
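A full-OS backup taken before the attack is also the only trustworthy reference for answering the question the post raises earlier, which files were actually affected. The example below, added for this post and not Storix code, hashes every regular file under a known-good tree (the OS files restored from the pre-attack backup, or the backup mounted directly) and under the suspect tree, then reports what differs. Both trees are assumed to be mounted read-only from a rescue boot: a manifest produced on the compromised host itself would be built from whatever the rootkit chose to show.

```python
"""Diff a suspect filesystem tree against a known-good copy by SHA-256.
Example code added to this post, not Storix code. Both trees should be
mounted read-only from a trusted rescue boot."""
import hashlib
import os
import sys
from typing import Dict, List, NamedTuple


def build_manifest(root: str) -> Dict[str, str]:
    """Map each regular file's path (relative to root) to its SHA-256 hex digest."""
    manifest: Dict[str, str] = {}
    for dirpath, _dirs, files in os.walk(root, followlinks=False):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue                     # symlinks, sockets, devices: skip
            h = hashlib.sha256()
            with open(full, "rb") as f:
                for chunk in iter(lambda: f.read(1 << 20), b""):
                    h.update(chunk)
            manifest[os.path.relpath(full, root)] = h.hexdigest()
    return manifest


class Diff(NamedTuple):
    modified: List[str]   # in both trees, content differs
    added: List[str]      # only in the suspect tree
    removed: List[str]    # only in the known-good tree


def diff_manifests(known_good: Dict[str, str], suspect: Dict[str, str]) -> Diff:
    """Compare two manifests; all three lists are sorted for stable reports."""
    modified = sorted(p for p in known_good if p in suspect and known_good[p] != suspect[p])
    added = sorted(set(suspect) - set(known_good))
    removed = sorted(set(known_good) - set(suspect))
    return Diff(modified, added, removed)


def compare_trees(known_good_root: str, suspect_root: str) -> Diff:
    return diff_manifests(build_manifest(known_good_root), build_manifest(suspect_root))


if __name__ == "__main__":
    # usage: python3 tree_diff.py /mnt/known-good /mnt/suspect
    result = compare_trees(sys.argv[1], sys.argv[2])
    for label, paths in zip(("modified", "added", "removed"), result):
        for p in paths:
            print(f"{label}\t{p}")
```

Run it over the OS directories (for example /boot, /etc, /usr, /lib) rather than data directories, where every change since the backup is expected. The "added" list is where dropped kernel modules and helper binaries show up; the "modified" list is where replaced system binaries do. Either way, the post's conclusion stands: the list tells you the scope, and the restore from the same backup is what gets you back to a clean system.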
At Storix, we specialize in helping companies set up backups that empower them to restore their production Linux servers (including the operating system) after even the worst malware attack. We would love to provide you with a proof of concept for Storix SBAdmin. To get started, call us today at (877) 786-7491.