1. 23

  2. 16

    FYI, “дроворуб” is a Ukrainian word, not Russian. Russian word for lumberjack is дровосек.

    https://uk.wikipedia.org/wiki/%D0%94%D1%80%D0%BE%D0%B2%D0%BE%D1%80%D1%83%D0%B1

    1. 17

      I’m not sure if the people who try - and then publish - such attributions care a lot about precision, and “The Russian” is still (or again) a popular boogeyman while “The Ukrainian” is probably a friend to the West or something.

      I suppose the interesting part is “malware targeting Linux”, everything else is political fluff.

      1. 16

        It’s a straw man argument. If anyone cares, first of all, “lumberjack” in Ukrainian is – лісоруб. Here’s the data from Google Trends with both terms’ [1] usage and geo.

        Regarding the “drovorub” rootkit’s name. It has nothing to do with wood, per se.

        The rootkit exploits Linux kernel modules. Modules are hardware drivers (mostly). Drivers are in Russian slang – дрова (drova) – wood (engl.). “Drova” (as a slang term) is nothing but a short native Russian word sounding almost like “drivers”.

        The second part of “drovo-rub” is derived from verb – рубить – to hack (engl.) ;)

        Thus, whoever coined that rootkit’s name speaks Russian really well and captured the idea of the rootkit’s approach in its name quite well.

        [1] https://trends.google.com/trends/explore?date=all&q=%D0%BB%D1%96%D1%81%D0%BE%D1%80%D1%83%D0%B1,%D0%B4%D1%80%D0%BE%D0%B2%D0%BE%D1%80%D1%83%D0%B1

        1. 5

          It’s a straw man argument.

          It’s not an argument at all. I don’t care, really.

          Proper name for lumberjack in Russian is лесоруб. Дроворуб makes no sense, unless it is a play on дрова. Which, I must say, is quite likely! Good catch!

        2. 0

          So what? If a German gives their malware a Polish name, you would argue it wouldn’t be German in origin if the NSA claimed it was German?

          1. 14

            I don’t claim anything apart from what I’ve actually stated. Don’t put words in my mouth.

            Why is it even relevant that this is a Ukrainian word, not Russian? Because of this section in the original pdf [0]:

            Why is the malware called “Drovorub”, and what does it mean? The name Drovorub comes from a variety of artifacts discovered in Drovorub files and from operations conducted by the GTsSS using this malware; it is the name used by the GTsSS actors themselves. Drovo [дрово] translates to “firewood”, or “wood”. Rub [руб] translates to “to fell”, or “to chop.” Taken together, they translate to “woodcutter” or “to split wood.”

            This quote is from the “Attribution” section of the document. While the name is not the only (I hope) reason why they attribute this malware to GRU, making a bullshit claim that anyone with a dictionary can disprove… it’s just sloppy, sloppy job.

            EDIT: although, technically, they only say how the word translates to English. They never say from what language.

            1. 4

              Actually, they do:

              The name of the malware means ‘woodcutter’ in Russian

              1. 4

                I asked you whether you would make the same argument if different nationalities were involved, because it seemed like you were arguing the malware wasn’t Russian because the name is actually Ukrainian. I don’t think I could know you were merely correcting something buried deep in the PDF linked in a sibling comment.

                1. 4

                  That would be an assumption in good faith.

                  1. 1

                    I didn’t assume anything: I asked a question to see if something could be assumed.

                    As a sibling comment that has appeared in the meantime shows, it was not a weird thing I only considered a possibly valid assumption.

                    There are many Russia and China (and US) apologists, so nationalism as a motivation is always something to at least consider.

                    That Russia is responsible for shooting down a passenger plane of ours and still attempts to blame it on Ukraine doesn’t help for this particular case.

            1. 7

              A Linux kernel module rootkit that can survive reboots and hide itself (fs, processes, etc) from userspace.

              I wrote one decades ago, when I was in high school. The NSA doesn’t seem to make an argument for its relevance, and I also fail to see what’s remarkable about it.

              Amusingly, it uses “XOR Encryption” like my toy did, back then.

              1. 5

                I have modules disabled in my kernel (on Gentoo), so I’m probably safe. :)

                1. 4

                  Also have signature enforcement

                2. 5

                  Is there a tl;dr on how to check for the rootkit?

                  1. 2

                    From the NSA disclosure:

                    If the following commands are run on the command-line and the “testfile” disappears, the system is infected with Drovorub. If the “testfile” does not disappear, the system may still be infected with Drovorub. The signature “ASDFZXCV” could have changed or the pseudo-device used for host-based communications between Drovorub-client and Drovorub-kernel module could be something other than /dev/zero.

                    touch testfile
                    echo "ASDFZXCV:hf:testfile" > /dev/zero
                    ls
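A parameterised version of the advisory’s file-hiding check, added here as an example (not code from the NSA disclosure or from any commenter). It keeps the advisory’s defaults (signature ASDFZXCV, device /dev/zero) but lets both be overridden, since the advisory warns either may differ, and it reports the module-loading settings the Gentoo replies above rely on, assuming the standard sysctl/sysfs paths.

```shell
#!/bin/sh
# drovorub_check [SIG] [DEV]
# Runs the advisory's test in a scratch directory: create a marker file, send
# the "hide file" message to the pseudo-device, then list the directory.
# Prints "hidden" if the marker vanishes from the listing (the advisory's
# infection indicator) and "visible" otherwise. Assumption: the module matches
# on the bare file name, as the advisory's own touch/ls sequence implies.
drovorub_check() {
    sig="${1:-ASDFZXCV}"          # signature quoted in the advisory
    dev="${2:-/dev/zero}"         # client/kernel pseudo-device from the advisory
    name="testfile"
    dir="$(mktemp -d)" || return 2
    result="$(
        cd "$dir" || exit 2
        touch "$name"
        # Straight quotes so the shell passes the string literally; on a clean
        # host the write to /dev/zero is simply discarded.
        printf '%s:hf:%s\n' "$sig" "$name" > "$dev" 2>/dev/null || true
        # Use ls, as the advisory does: the module hides directory entries,
        # so a stat-based test could behave differently from a listing.
        if ls | grep -qx "$name"; then echo visible; else echo hidden; fi
    )"
    rm -rf "$dir"
    printf '%s\n' "$result"
}

# module_hardening_status: prints whether module loading is disabled
# (kernel.modules_disabled) and whether signed modules are enforced
# (module.sig_enforce). Either file may be absent on a given kernel.
module_hardening_status() {
    for spec in modules_disabled:/proc/sys/kernel/modules_disabled \
                sig_enforce:/sys/module/module/parameters/sig_enforce; do
        key="${spec%%:*}"; path="${spec#*:}"
        if [ -r "$path" ]; then
            printf '%s=%s\n' "$key" "$(cat "$path")"
        else
            printf '%s=unknown\n' "$key"
        fi
    done
}

if [ "${1:-}" = "--run" ]; then
    drovorub_check
    module_hardening_status
fi
```

Run the script with --run; "visible" only means this particular indicator is absent, which, as the advisory says, does not rule out an infection with a changed signature or device.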