back to article This NSA, FBI security advisory has four words you never want to see together: Fancy Bear Linux rootkit

The NSA and FBI are sounding the alarm over a dangerous new strain of Linux malware being employed by Russian government hackers often dubbed the Fancy Bear crew. Uncle Sam explicitly said on Thursday the miscreants – formally known as the 85th Main Special Service Center (GTsSS) – operate within the Russian intelligence …

Page:

  1. Claverhouse Silver badge
    Angel

    85th Main Special Service Center

    It's good we have trustworthy non-partisan independent voices to sift through the wild speculation and non-evidentiary allegations to warn us of the Awful Truth.

    .

    Tom Clancy beams down on them.

    1. sanmigueelbeer Silver badge
      Coat

      Re: 85th Main Special Service Center

      What does the other 84 Main Special Service Center do?

      1. brotherelf
        Boffin

        Re: 85th Main Special Service Center

        They're busy servicing German Tanks. Apart from the 63rd, which is looking for polar-bear-sized aliens.

        1. Anonymous Coward
          Anonymous Coward

          Re: 85th Main Special Service Center

          I call bullshit on that, the germans don't have 63 operable tanks left - oh, wait.

          1. msknight Silver badge

            Re: 85th Main Special Service Center

            I believe they do... they're parked in Bovington :-)

      2. Anonymous Coward
        Anonymous Coward

        Re: 85th Main Special Service Center

        You don't want to know.

      3. Naselus

        Re: 85th Main Special Service Center

        84 is traffic control; 83 is room service, 82 is tech support....

    2. Anonymous Coward
      Anonymous Coward

      "Center"

      So these alleged Russians speak American do they?

      1. jake Silver badge

        Re: "Center"

        "So these alleged Russians speak American do they?"

        Like it or not, while American English (whatever that is!) is not by any stretch of the imagination the de jure language of TehIntraWebTubes, it is, however, the de facto lingua franca.

        1. Anonymous Coward
          Anonymous Coward

          Re: "Center"

          Are you sure it's not Latin that is the lingua franca?

          1. gerdesj Silver badge

            Re: "Center"

            "Are you sure it's not Latin that is the lingua franca?"

            No, French (or Frankish) is the language of the Franks.

            1. Anonymous Coward
              Anonymous Coward

              Re: "Center"

              Although Franks referred to the whole of western europe at the time the phrase was coined.

              1. Anonymous Coward
                Anonymous Coward

                Re: "Center"

                I know Frank. He only speaks English.

            2. jake Silver badge

              Re: "Center"

              Lingua franca is from a bastardized North-med Italian trade dialect/cant. The Latin components are de facto and de jude.

              1. Anonymous Coward
                Anonymous Coward

                Re: "Center"

                "The Latin components are de facto and de jude."

                Is that a typo? The Latin is usually "de facto" and "de jure". The former is something which is done by custom or assumed power - and the latter something which has legal backing.

                1. John Brown (no body) Silver badge
                  Coat

                  Re: "Center"

                  So Soup de Jure is a legally mandated starter?

                  1. Anonymous Coward
                    Anonymous Coward

                    Re: "Center"

                    "So Soup de Jure is a legally mandated starter?"

                    In much the same way that English-speakers steered clear of the poisson on the menu.

                    Then there is the Canadian beer which might not sell well in New Zealand.

                    Mars have announced a limited retro edition of their Snickers bar to be sold in the UK. It will carry the original UK-only bowdlerised name of Marathon.

                  2. jake Silver badge

                    Re: "Center"

                    "So Soup de Jure is a legally mandated starter?"

                    Not in my world ... Life's short, eat dessert first.

                  3. 2+2=5 Silver badge

                    Re: "Center"

                    > So Soup de Jure is a legally mandated starter?

                    Soup de Jure is what's printed on the menu. Soup de Facto is what's left.

                2. jake Silver badge
                  Pint

                  Re: "Center"

                  Typo, brain-fart, or bit-rot in ElReg's servers. You decide :-)

                  (For the intended meaning, see my original comment.)

      2. Anonymous Coward
        Anonymous Coward

        Re: "Center"

        the Proper pronunciation is 'Merican.

        The A is Silent..

        We used this knowledge when we were helping (pre 9/11 days) people across the US/Mexican border when they were not in possession of the appropriate travel documents.

        We would shave their heads... put them in 'Merican civies... give them megaliters of tequila... Cross the border (we had a friendly marine as a driver from Camp Pendelton... ) At the border they used to ask your citizenship.. We simply taught out charges to spew the words 'MERICAN... "Semper Fi, Oorah..."

        Never a problem.. Many successful customers...

        Anonymous for a good reason.... ;)

        1. keith_w Bronze badge

          Re: "Center"

          the Proper pronunciation is 'Merican.

          'Murican.

          1. hnwombat
            Pint

            Re: "Center"

            Actually, it's "murkin". We drop as many vowels as we can. And that it ends up being a bit salacious is a plus.

        2. jake Silver badge

          Re: "Center"

          "Anonymous for a good reason.... ;)"

          ElReg knows your email address, IP address, etc.

          So no, you are not anonymous. Not really.

          HTH, HAND

    3. JohnG

      Re: 85th Main Special Service Center

      In Russia, I think the they are known as "Military Unit 26165" and according to their Rusprofile listing, they are engaged in "military security activities" and "other unspecified activities". The address given is the HQ of the GRU.

      https://www.rusprofile.ru/id/7337085

  2. Anonymous Coward
    Anonymous Coward

    How nice.

    Except that they don't mention the most important thing, how the nastyware gets installed on the server. Yeah, spearfishing sure! I don't know many people who are checking their email on a Linux production server. Let me see if I get this. First they use spearfishing to infect a Windows PC, praying that the hapless user be a Linux admin who then will have to use SCP or something to get the malware on the server where they will have to execute it manually. God damn those Russians, they are so smart.

    I've been reading this for decades now, it is called a rootkit so I don't see anything special about it. Also, it you're running Linux kernel v3 you clearly demonstrate you have no clue about IT.

    Really, nothing new to see here and I don't know why those two TLAs are wasting their resources.

    1. Pascal Monett Silver badge

      Re: How nice.

      I would have liked to know how it gets installed as well. The article says "When deployed on a victim machine" and stops there.

      How does the nasty get deployed ? Phishing ? Targeted email ? USB carried by a sleeper agent ?

      Is this a plot of The Americans ?

      1. vtcodger Silver badge

        Re: How nice.

        I would have liked to know how it gets installed as well.

        Hold on ... Let me check and see what today's party line is. ... Ah, yes ... It's either the Chinese. Or the Democrats. Or the fake news people. Or Iran. One thing is certain. Putin has nothing to do with it.

        Seriously. If I were trying to root a Linux server and couldn't find open ports and externally accessible accounts with no/default/trivial passwords, I'd quite likely go after Windows or smartphone users on the same network with legitimate access, then try every privilege escalation exploit known to man. Keep in mind that Unix security was designed to keep users from screwing up each others' work (which it does quite well), not to provide ironclad protection against sophisticated attackers with massive resources. Someplace out in the garage I have a copy of a BTL paper by (as I recall) Ken Thompson explaining that Unix was not designed to be a perfectly secure system. I looked for a current web link to the paper, but couldn't find one.

      2. jake Silver badge

        Re: How nice.

        "How does the nasty get deployed ? Phishing ? Targeted email ? USB carried by a sleeper agent ?"

        Yes. And any other way the target lets their guard down. Same as any other rootkit.

        Will there be any more questions?

      3. Anonymous Coward
        Anonymous Coward

        Re: How does it get installed?

        Via a webserver running a fingerprintable CMS with unknown/unpatched vulnerabilities, and with known folders which are writable by the webserver (eg, for CMS users to use to upload images for the website) is sadly far too common a way for malware to be able to find its way aboard a server.

    2. jake Silver badge

      Re: How nice.

      "Also, it you're running Linux kernel v3 you clearly demonstrate you have no clue about IT."

      Slackware (14.0 & 14.1 have no EOL at the moment) and Debian (Wheezy) still have maintained 3.x kernels. There is a need for old code on old machines. People with a clue about IT understand the realities of working with an installed base and take steps to see that it is as safe and as secure as practical. Including maintaining old kernels.

      HTH, HAND

    3. Cliffwilliams44 Bronze badge

      Re: How nice.

      Targeting IT admins who have not clue is common practice for these baddies.

    4. Anonymous Coward
      Anonymous Coward

      Re: How nice.

      I'm fortunate to be still running 2.6.

  3. HildyJ Silver badge
    Big Brother

    Access vector

    Maybe I'm cynical but when the NSA says "its advice is not meant to protect against the initial access vector" I wonder if it's because the access vector is one of their Linux backdoors.

    1. This post has been deleted by its author

    2. Sanguma

      Re: Access vector

      More than likely.

  4. slimshady76

    Word. This reminds me when Kaspersky eggheads found a Russian intrusion on a server and then an Israeli one, on the same machine...

    1. seven of five Silver badge

      Probably how the NSA found this russian infection in first place, wanted to use the same technique.

  5. Joe Harrison

    Daft story

    Do the government pay you to print this stuff?

    1. amanfromMars 1 Silver badge

      Re: Daft story

      Do the government pay you to print this stuff? .... Joe Harrison

      Wow, is that daft, or is that daft, JH?

    2. _LC_ Silver badge
      Thumb Up

      Re: Daft story

      ++++++++++++++++++++++++++++++

      uv

  6. Alan Mackenzie

    Modules in Linux?

    What are these "high value" targets doing, using a Linux kernel with modules? It's perfectly possible to build Linux without modules (I do). A mechanism like modules is bound to introduce security risks. So why do it?

    1. vtcodger Silver badge

      Re: Modules in Linux?

      "What are these "high value" targets doing, using a Linux kernel with modules?"

      My understanding -- which could be wrong -- is that a unix module is pretty much what we old time MSDOS folks used to call a "loadable device driver". All incorporating it into the kernel accomplishes is to make it a permanently loaded device driver. If it contains malicious/exploitable code before building into the kernel, it'll still contain malicious/exploitable code after incorporation?

      1. Imhotep Silver badge

        Re: Modules in Linux?

        That was my understanding too.

        1. cyberdemon Silver badge
          Linux

          Re: Modules in Linux?

          Correct, but it is possible to turn off support for loadable modules entirely, if you have compiled everything you will ever need into the kernel executable image in the first place.

          Distributions never do that, because either the kernel would be huge, or it would not work on most systems.

      2. jake Silver badge

        Re: Modules in Linux?

        A module is a bit of code that hooks into the kernel to provide added functionality as needed. It can be hardware drivers, yes. Also support for file systems, extensions to the kernel API, and etc. They can mostly be loaded and unloaded on the fly, so no need for a reboot after some changes to the kernel in a running system (see "modular kernel" vs "static kernel"). Most modern OSes have support for this in one form or another.

        As with most such thingies, there are advantages and disadvantages. I like the flexibility of modules on my working desktop machines, but prefer a static kernel in the servers (for example).

  7. Anonymous Coward
    Anonymous Coward

    "Four words you never want to see together..."

    Well, actually, two words: Linux rootkit.

    Well, actually, one word: rootkit.

    1. seven of five Silver badge
      Joke

      Re: "Four words you never want to see together..."

      Which leaves us with just one more combination to fill: three words you do not want to see together.

      Lemme try:

      "Mother in law"

      1. jake Silver badge

        Re: "Four words you never want to see together..."

        "Paint My House"

Page:

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2021