Drovorub (or drovorun) malware analysis.


Drovorub is malware, not a new vulnerability. For Red Hat's general guidance, see Rootkits, Trojans and Malware on Red Hat Enterprise Linux.

Drovorub is malware, attributed to a nation-state actor, that targets Linux systems. Once installed, it gives an attacker persistent remote access.

The Drovorub malware is part of a malware campaign that requires multiple steps to function correctly. The malware alone does not provide immediate access to a system and requires an existing vulnerability or vulnerabilities to be exploited to gain root access before it can be used. Red Hat Product Security strongly recommends that all systems are updated to the most recent security fixes as they become available and that security mechanisms such as SELinux are enabled and configured correctly.

Current attack vector.

This malware is not an exploit, and it requires that attackers gain root privileges using another vulnerability before successful installation.

How does Secure Boot solve this problem?

Secure Boot does not stop an attacker from compromising your system. When Secure Boot is in effect, unsigned kernel modules cannot be loaded, even when a privileged (root) user instructs the kernel to load them. Loading a kernel module is not a required step for an attacker to compromise the system.

Enabling Secure Boot will not prevent the system from being affected, but it makes hiding a successful attack less effective. While this may prevent some versions of the malware from running, there may be variants or versions that do not have this requirement. Enabling Secure Boot is a trusted security practice.

How does SELinux solve this problem?

SELinux is an additional protection layer that limits attackers' abilities to transition to new attack vectors when they have a foothold in the system. While this will not prevent the malware from running, enabling SELinux creates additional protection and is a trusted security practice.
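The two sections above describe Secure Boot and SELinux as layers that limit what an attacker can do after gaining root, not as things that stop the initial compromise. The following POSIX shell script is an added example, not part of the Red Hat advisory, for a defender verifying those layers on a host: it reads the Secure Boot state from the standard EFI variable, reads the SELinux enforce node, and decodes the kernel taint bitmask so that an unsigned or out-of-tree module load shows up as a flag. The file paths are the usual Linux locations (overridable via environment variables for testing); the taint bit assignments are those documented in the kernel's `tainted-kernels` documentation.

```shell
#!/bin/sh
# Added example (not from the Red Hat page): defender-side checks for the
# mitigations the advisory discusses. Paths are the standard Linux locations;
# the efivar name uses the well-known EFI global variable GUID.
set -eu

EFIVAR_SB="${EFIVAR_SB:-/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c}"
SELINUX_ENFORCE="${SELINUX_ENFORCE:-/sys/fs/selinux/enforce}"
TAINT_FILE="${TAINT_FILE:-/proc/sys/kernel/tainted}"

# Secure Boot state. The efivar file is 4 bytes of attributes followed by one
# data byte (1 = enabled). Prints "enabled", "disabled" or "unknown"
# (no EFI firmware, or the variable is unreadable).
secureboot_state() {
    f="${1:-$EFIVAR_SB}"
    [ -r "$f" ] || { echo unknown; return 0; }
    v=$(od -An -tu1 -j4 -N1 "$f" | tr -d ' ')
    case "$v" in
        1) echo enabled ;;
        0) echo disabled ;;
        *) echo unknown ;;
    esac
}

# SELinux mode from the enforce node: 1 = enforcing, 0 = permissive.
# If the node is absent, SELinux is not enabled on this kernel.
selinux_mode() {
    f="${1:-$SELINUX_ENFORCE}"
    [ -r "$f" ] || { echo disabled; return 0; }
    case "$(cat "$f")" in
        1) echo enforcing ;;
        0) echo permissive ;;
        *) echo unknown ;;
    esac
}

# Decode the kernel taint bitmask into flag letters (the subset that matters
# for module loading): bit 0 'P' proprietary module, bit 1 'F' forced load,
# bit 12 'O' out-of-tree module, bit 13 'E' unsigned module.
# An 'E' on a host that reports Secure Boot enabled deserves investigation,
# because signature enforcement should have refused that module.
decode_taint() {
    t="${1:-$(cat "$TAINT_FILE")}"
    out=""
    [ $(( (t >> 0)  & 1 )) -eq 1 ] && out="${out}P"
    [ $(( (t >> 1)  & 1 )) -eq 1 ] && out="${out}F"
    [ $(( (t >> 12) & 1 )) -eq 1 ] && out="${out}O"
    [ $(( (t >> 13) & 1 )) -eq 1 ] && out="${out}E"
    echo "${out:-clean}"
}

# Summary report for the running host.
report() {
    echo "secure_boot: $(secureboot_state)"
    echo "selinux:     $(selinux_mode)"
    echo "taint_flags: $(decode_taint)"
}

# Run the report only when executed directly, not when sourced for testing.
[ "${0##*/}" = "mitigation_check.sh" ] && report
```

Run it as `mitigation_check.sh` on the host to be assessed. A result of `secure_boot: enabled` plus `taint_flags: clean` means the kernel has accepted only signed modules since boot; `taint_flags` containing `E` or `O` means a module outside the distribution's signed set has been loaded and should be identified with `lsmod` and the module signature checked. Neither result says anything about whether the initial root compromise the advisory describes has occurred; the checks only tell you how much visibility an attacker who already has root would be able to hide from.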
