Quick & Dirty Drovorub Detection

By all means read the full vulnerability report from the NSA. It has proper forensic analysis techniques and Snort rules.

However, if you just want to check an existing system (cf. p.36) for an extant compromise, you can try:

# create an ordinary, visible file in the current directory
touch testfile
# write the hide-trigger string (note the straight quotes) to /dev/zero;
# the string names the file to hide and the write itself is discarded
echo "ASDFZXCV:hf:testfile" > /dev/zero
# on a clean host the file is still listed
ls testfile

If `ls` reports the file as missing, the Drovorub kernel module is loaded and is hiding it (this file-hiding hook is its rootkit method).
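The same probe wrapped as a reusable function, as an added example that is not from the NSA report or this post: it creates a uniquely named probe file, writes the trigger string from the post, reports the outcome as an exit status a cron job or monitoring agent can act on, and refuses to run when /dev/zero is not actually a character device (so a stray `echo > /dev/zero` cannot create a regular file). The trigger prefix and the behaviour of hiding the named file are taken from the post; the function name, exit codes and probe file name are this example's own choices.

```shell
#!/bin/sh
# Added example; assumes the "ASDFZXCV:hf:<name>" trigger string from the
# post is still what the loaded module reacts to.
DROVORUB_HIDE_PREFIX="ASDFZXCV:hf:"

# drovorub_check
#   Runs the probe in the current directory, as the post does.
#   Exit status: 0 = probe file still listed (no hiding observed)
#                1 = probe file vanished after the trigger write (hiding observed)
#                2 = inconclusive (no /dev/zero char device, or cwd not writable)
drovorub_check() {
    # Only write if /dev/zero is the real character device.
    [ -c /dev/zero ] || return 2
    name="drovorub_probe_$$"          # unique per run, avoids clobbering files
    : > "$name" 2>/dev/null || return 2
    # Write the trigger exactly as in the post: the prefix followed by the
    # bare file name. /dev/zero discards the data; only the module would act.
    printf '%s%s\n' "$DROVORUB_HIDE_PREFIX" "$name" > /dev/zero
    # Same observation the post makes: is the file still in the listing?
    if ls | grep -qx "$name"; then
        rc=0
    else
        rc=1
    fi
    rm -f "$name" 2>/dev/null      # tidy up whether or not it was hidden
    return $rc
}

# Stand-alone usage: print a verdict without aborting the shell.
drovorub_check
case $? in
    0) echo "clean: probe file stayed visible" ;;
    1) echo "ALERT: probe file was hidden after trigger write" ;;
    *) echo "inconclusive: could not run probe here" ;;
esac
```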

Now that the report is out, we can expect future infections to use different strings and devices, so this check is only good right now. Since the operators have root and a command-and-control channel, we might expect an overnight upgrade.

NSA recommends UEFI Secure Boot in full enforcement mode as a remedy, though this is widely unavailable from hosting providers and not currently reliable under GRUB2 until the entire BootHole fiasco is resolved.

Perhaps an initramfs-based sanity check could be developed using a signature list kept on storage with hardware write-protect (real or enforced by hypervisor). Leave other ideas below.