NSA and FBI warn that new Linux malware threatens national security

&gt; Also included are rules that network administrators can plug in to the <i>Yara</i> and <i>Snort</i> intrusion detection systems to catch and halt network traffic passing to or from control servers or to flag obfuscated Drovorub files or processes already running on a server.<p>Page 35 <a href="https:&#x2F;&#x2F;media.defense.gov&#x2F;2020&#x2F;Aug&#x2F;13&#x2F;2002476465&#x2F;-1&#x2F;-1&#x2F;0&#x2F;CSA_DROVORUB_RUSSIAN_GRU_MALWARE_AUG_2020.PDF" rel="nofollow">https:&#x2F;&#x2F;media.defense.gov&#x2F;2020&#x2F;Aug&#x2F;13&#x2F;2002476465&#x2F;-1&#x2F;-1&#x2F;0&#x2F;CSA...</a>

Today I learned about Volatility. I&#x27;ve never really looked into forensics before; it&#x27;s interesting that there&#x27;s an entirely separate set of tools for determining the state a system was in when the memory was dumped, defined by analogy with tools like pstree that you&#x27;d ordinarily use to examine a running system. Seems like a bit of cat-and-mouse though; as an attacker with a code running in the kernel, you&#x27;d want to politely excuse yourself from memory images. Admittedly I don&#x27;t understand malware very well; there may be techincal reasons why this is not possible.

Cannot imagine any security aware kernel being left with modules and eBPF support on. Nobody should do that. We disabled kernel modules in the early 90ies already.<p>The OracleLinux kernel with dTrace looks fine though. But Oracle

&gt;Government officials said Drovorub gets its name from strings unintentionally left behind in the code.<p>Imagine being a highly trained topnotch agency and being that stupid ;) ...really happy that something like that never happens at the NSA