back to article This NSA, FBI security advisory has four words you never want to see together: Fancy Bear Linux rootkit

The NSA and FBI are sounding the alarm over a dangerous new strain of Linux malware being employed by Russian government hackers often dubbed the Fancy Bear crew. Uncle Sam explicitly said on Thursday the miscreants – formally known as the 85th Main Special Service Center (GTsSS) – operate within the Russian intelligence …

  1. Claverhouse Silver badge
    Angel

    85th Main Special Service Center

    It's good we have trustworthy non-partisan independent voices to sift through the wild speculation and non-evidentiary allegations to warn us of the Awful Truth.

    .

    Tom Clancy beams down on them.

    1. sanmigueelbeer Silver badge
      Coat

      Re: 85th Main Special Service Center

      What does the other 84 Main Special Service Center do?

      1. brotherelf
        Boffin

        Re: 85th Main Special Service Center

        They're busy servicing German Tanks. Apart from the 63rd, which is looking for polar-bear-sized aliens.

        1. Anonymous Coward
          Anonymous Coward

          Re: 85th Main Special Service Center

          I call bullshit on that, the germans don't have 63 operable tanks left - oh, wait.

          1. msknight

            Re: 85th Main Special Service Center

            I believe they do... they're parked in Bovington :-)

      2. Archtech Silver badge

        Re: 85th Main Special Service Center

        You don't want to know.

      3. Naselus

        Re: 85th Main Special Service Center

        84 is traffic control; 83 is room service, 82 is tech support....

    2. Anonymous Coward
      Anonymous Coward

      "Center"

      So these alleged Russians speak American do they?

      1. jake Silver badge

        Re: "Center"

        "So these alleged Russians speak American do they?"

        Like it or not, while American English (whatever that is!) is not by any stretch of the imagination the de jure language of TehIntraWebTubes, it is, however, the de facto lingua franca.

        1. Archtech Silver badge

          Re: "Center"

          Are you sure it's not Latin that is the lingua franca?

          1. gerdesj Silver badge

            Re: "Center"

            "Are you sure it's not Latin that is the lingua franca?"

            No, French (or Frankish) is the language of the Franks.

            1. Anonymous Coward
              Anonymous Coward

              Re: "Center"

              Although Franks referred to the whole of western europe at the time the phrase was coined.

              1. Anonymous Coward
                Anonymous Coward

                Re: "Center"

                I know Frank. He only speaks English.

            2. jake Silver badge

              Re: "Center"

              Lingua franca is from a bastardized North-med Italian trade dialect/cant. The Latin components are de facto and de jude.

              1. Anonymous Coward
                Anonymous Coward

                Re: "Center"

                "The Latin components are de facto and de jude."

                Is that a typo? The Latin is usually "de facto" and "de jure". The former is something which is done by custom or assumed power - and the latter something which has legal backing.

                1. John Brown (no body) Silver badge
                  Coat

                  Re: "Center"

                  So Soup de Jure is a legally mandated starter?

                  1. Anonymous Coward
                    Anonymous Coward

                    Re: "Center"

                    "So Soup de Jure is a legally mandated starter?"

                    In much the same way that English-speakers steered clear of the poisson on the menu.

                    Then there is the Canadian beer which might not sell well in New Zealand.

                    Mars have announced a limited retro edition of their Snickers bar to be sold in the UK. It will carry the original UK-only bowdlerised name of Marathon.

                  2. jake Silver badge

                    Re: "Center"

                    "So Soup de Jure is a legally mandated starter?"

                    Not in my world ... Life's short, eat dessert first.

                  3. 2+2=5 Silver badge

                    Re: "Center"

                    > So Soup de Jure is a legally mandated starter?

                    Soup de Jure is what's printed on the menu. Soup de Facto is what's left.

                2. jake Silver badge
                  Pint

                  Re: "Center"

                  Typo, brain-fart, or bit-rot in ElReg's servers. You decide :-)

                  (For the intended meaning, see my original comment.)

      2. Anonymous Coward
        Anonymous Coward

        Re: "Center"

        the Proper pronunciation is 'Merican.

        The A is Silent..

        We used this knowledge when we were helping (pre 9/11 days) people across the US/Mexican border when they were not in possession of the appropriate travel documents.

        We would shave their heads... put them in 'Merican civies... give them megaliters of tequila... Cross the border (we had a friendly marine as a driver from Camp Pendelton... ) At the border they used to ask your citizenship.. We simply taught out charges to spew the words 'MERICAN... "Semper Fi, Oorah..."

        Never a problem.. Many successful customers...

        Anonymous for a good reason.... ;)

        1. keith_w Bronze badge

          Re: "Center"

          the Proper pronunciation is 'Merican.

          'Murican.

          1. hnwombat
            Pint

            Re: "Center"

            Actually, it's "murkin". We drop as many vowels as we can. And that it ends up being a bit salacious is a plus.

        2. jake Silver badge

          Re: "Center"

          "Anonymous for a good reason.... ;)"

          ElReg knows your email address, IP address, etc.

          So no, you are not anonymous. Not really.

          HTH, HAND

    3. JohnG Silver badge

      Re: 85th Main Special Service Center

      In Russia, I think the they are known as "Military Unit 26165" and according to their Rusprofile listing, they are engaged in "military security activities" and "other unspecified activities". The address given is the HQ of the GRU.

      https://www.rusprofile.ru/id/7337085

  2. Anonymous Coward
    Anonymous Coward

    How nice.

    Except that they don't mention the most important thing, how the nastyware gets installed on the server. Yeah, spearfishing sure! I don't know many people who are checking their email on a Linux production server. Let me see if I get this. First they use spearfishing to infect a Windows PC, praying that the hapless user be a Linux admin who then will have to use SCP or something to get the malware on the server where they will have to execute it manually. God damn those Russians, they are so smart.

    I've been reading this for decades now, it is called a rootkit so I don't see anything special about it. Also, it you're running Linux kernel v3 you clearly demonstrate you have no clue about IT.

    Really, nothing new to see here and I don't know why those two TLAs are wasting their resources.

    1. Pascal Monett Silver badge

      Re: How nice.

      I would have liked to know how it gets installed as well. The article says "When deployed on a victim machine" and stops there.

      How does the nasty get deployed ? Phishing ? Targeted email ? USB carried by a sleeper agent ?

      Is this a plot of The Americans ?

      1. vtcodger Silver badge

        Re: How nice.

        I would have liked to know how it gets installed as well.

        Hold on ... Let me check and see what today's party line is. ... Ah, yes ... It's either the Chinese. Or the Democrats. Or the fake news people. Or Iran. One thing is certain. Putin has nothing to do with it.

        Seriously. If I were trying to root a Linux server and couldn't find open ports and externally accessible accounts with no/default/trivial passwords, I'd quite likely go after Windows or smartphone users on the same network with legitimate access, then try every privilege escalation exploit known to man. Keep in mind that Unix security was designed to keep users from screwing up each others' work (which it does quite well), not to provide ironclad protection against sophisticated attackers with massive resources. Someplace out in the garage I have a copy of a BTL paper by (as I recall) Ken Thompson explaining that Unix was not designed to be a perfectly secure system. I looked for a current web link to the paper, but couldn't find one.

      2. jake Silver badge

        Re: How nice.

        "How does the nasty get deployed ? Phishing ? Targeted email ? USB carried by a sleeper agent ?"

        Yes. And any other way the target lets their guard down. Same as any other rootkit.

        Will there be any more questions?

      3. Anonymous Coward
        Anonymous Coward

        Re: How does it get installed?

        Via a webserver running a fingerprintable CMS with unknown/unpatched vulnerabilities, and with known folders which are writable by the webserver (eg, for CMS users to use to upload images for the website) is sadly far too common a way for malware to be able to find its way aboard a server.

    2. jake Silver badge

      Re: How nice.

      "Also, it you're running Linux kernel v3 you clearly demonstrate you have no clue about IT."

      Slackware (14.0 & 14.1 have no EOL at the moment) and Debian (Wheezy) still have maintained 3.x kernels. There is a need for old code on old machines. People with a clue about IT understand the realities of working with an installed base and take steps to see that it is as safe and as secure as practical. Including maintaining old kernels.

      HTH, HAND

    3. Cliffwilliams44

      Re: How nice.

      Targeting IT admins who have not clue is common practice for these baddies.

    4. Anonymous Coward
      Anonymous Coward

      Re: How nice.

      I'm fortunate to be still running 2.6.

  3. HildyJ Silver badge
    Big Brother

    Access vector

    Maybe I'm cynical but when the NSA says "its advice is not meant to protect against the initial access vector" I wonder if it's because the access vector is one of their Linux backdoors.

    1. This post has been deleted by its author

    2. Sanguma Bronze badge

      Re: Access vector

      More than likely.

  4. slimshady76

    Word. This reminds me when Kaspersky eggheads found a Russian intrusion on a server and then an Israeli one, on the same machine...

    1. seven of five Silver badge

      Probably how the NSA found this russian infection in first place, wanted to use the same technique.

  5. Joe Harrison

    Daft story

    Do the government pay you to print this stuff?

    1. amanfromMars 1 Silver badge

      Re: Daft story

      Do the government pay you to print this stuff? .... Joe Harrison

      Wow, is that daft, or is that daft, JH?

    2. _LC_ Silver badge
      Thumb Up

      Re: Daft story

      ++++++++++++++++++++++++++++++

      uv

  6. Alan Mackenzie

    Modules in Linux?

    What are these "high value" targets doing, using a Linux kernel with modules? It's perfectly possible to build Linux without modules (I do). A mechanism like modules is bound to introduce security risks. So why do it?

    1. vtcodger Silver badge

      Re: Modules in Linux?

      "What are these "high value" targets doing, using a Linux kernel with modules?"

      My understanding -- which could be wrong -- is that a unix module is pretty much what we old time MSDOS folks used to call a "loadable device driver". All incorporating it into the kernel accomplishes is to make it a permanently loaded device driver. If it contains malicious/exploitable code before building into the kernel, it'll still contain malicious/exploitable code after incorporation?

      1. Imhotep Silver badge

        Re: Modules in Linux?

        That was my understanding too.

        1. cyberdemon
          Linux

          Re: Modules in Linux?

          Correct, but it is possible to turn off support for loadable modules entirely, if you have compiled everything you will ever need into the kernel executable image in the first place.

          Distributions never do that, because either the kernel would be huge, or it would not work on most systems.

      2. jake Silver badge

        Re: Modules in Linux?

        A module is a bit of code that hooks into the kernel to provide added functionality as needed. It can be hardware drivers, yes. Also support for file systems, extensions to the kernel API, and etc. They can mostly be loaded and unloaded on the fly, so no need for a reboot after some changes to the kernel in a running system (see "modular kernel" vs "static kernel"). Most modern OSes have support for this in one form or another.

        As with most such thingies, there are advantages and disadvantages. I like the flexibility of modules on my working desktop machines, but prefer a static kernel in the servers (for example).

  7. Archtech Silver badge

    "Four words you never want to see together..."

    Well, actually, two words: Linux rootkit.

    Well, actually, one word: rootkit.

    1. seven of five Silver badge
      Joke

      Re: "Four words you never want to see together..."

      Which leaves us with just one more combination to fill: three words you do not want to see together.

      Lemme try:

      "Mother in law"

      1. jake Silver badge

        Re: "Four words you never want to see together..."

        "Paint My House"

      2. Ken Hagan Gold badge

        Re: "Four words you never want to see together..."

        or "son-in-law" if you want balance.

  8. Santa from Exeter
    Linux

    Get Root?

    I haven't read all the document so it might be in there. Do the TLAs say exactly how this thing gains root access to be loading kernel modules and 'executing arbitrary commands'?

    That is, of course, after a clueless luser has downloaded the 'implant', made it executable and run it!

    1. NullNix

      Re: Get Root?

      Not that I can see, which makes this whole thing a panic over nothing. Yes, if you run malicious code as root it *can* persist itself. This is nothing new. Don't run malicious code as root. (And keep your machine as safe as possible from holes that allow unprivileged users or network daemons to escalate to root.)

      (Secure Boot only saves the boot process and firmware, anyway -- it won't save you from things that persist in network card firmware, disk controller firmware etc. Like, oh, the NSA uses, and since they do I'm sure the Russians can deploy that real soon now as well. Again, just don't run it as root and you're safe.)

  9. Blofeld's Cat Silver badge
    Coat

    Fancy Bear Linux rootkit

    Is that their password?

    https://xkcd.com/936/

    1. Diogenes8080

      Re: Fancy Bear Linux rootkit

      Wrong XKCD, comrade!

      Try https://xkcd.com/424/

  10. Potemkine! Silver badge

    Beware of Russia or China

    Always prefer US malware for your devices.

    1. Imhotep Silver badge

      Re: Beware of Russia or China

      Procure locally.

      1. Anonymous Coward
        Anonymous Coward

        Re: Beware of Russia or China

        Redmond, Washington.

  11. sitta_europea

    On page 35 of the report, after pages and pages and pages of stuff about Linux, we have this little, er, gem:

    "Using a keyword list of the terms described in this advisory, a search can be conducted on the strings in the memory capture. Using the Sysinternals® “strings.exe” utility, a file can be created that contains all of the strings in the image:

    Strings.exe –o –n 4 –nobanner mem.img > mem_strings.txt"

    Whats this ".exe" thingy? :o

    1. _LC_ Silver badge

      That's what the "string" command looks like when compiled for Windows. ;-)

    2. Kevin McMurtrie Silver badge

      Which do you trust?

      Maybe Strings.exe is infected too.

      1. jake Silver badge

        Re: Which do you trust?

        Which do I trust? Certainly not an article on Linux security that attempts to make its point using Windows tools owned by Redmond ...

        Also, see ken's old ACM talk "Reflections on Trusting Trust".

    3. jake Silver badge

      More to the point ...

      ... what is this "Sysinternals®" thingie?

      ::eyeballs DDG::

      Oh. So that's what happened to winternals/ntinternals. Poor thing.

  12. Long John Silver
    Pirate

    What nasties do the NSA, FBI, and their chums keep in their lockers?

    It looks like a case of the pot calling the kettle black.

    1. jake Silver badge

      Re: What nasties do the NSA, FBI, and their chums keep in their lockers?

      Doesn't matter what TLA they may or may not have, nor what country they come from. I try to keep them all out of my business equally. What is on my computers is none of their damn business until a Judge legally tells me otherwise. At which point, I'll happily let them bore themselves to death, looking for stuff that isn't there.

      1. Anonymous Coward
        Anonymous Coward

        Re: What nasties do the NSA, FBI, and their chums keep in their lockers?

        "At which point, I'll happily let them bore themselves to death, looking for stuff that isn't there."

        Not to worry - they'll make sure something is there to justify their action. Attribution to Cardinal Richelieu.

  13. jbmoore

    There were those pesky leaks of NSA and CIA exploit frameworks. The latter was the worst in 2017 by Wikileaks. No doubt the Russians have their own frameworks. So, why would the TLAs state the obvious, that hey, you can phish for it, or just use our leaked toolkits.

  14. Anonymous Coward
    Anonymous Coward

    NSA would never be caught dead doing anything like that and then murder someone.

    https://en.wikipedia.org/wiki/Greek_wiretapping_case_2004%E2%80%9305

    TL;DR

    All branches of the Greek government telephones were tapped, by magic software that hides all traces of existing.

  15. William Higinbotham

    Find more information from hospital sector than our own:-)

    https://www.aha.org/other-cybersecurity-reports/2020-08-14-fbi-cybersecurity-advisory-tlp-white-russian-gru-85th-gtsss

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2020