Bleedingtooth, Russians, and Penguins

Hi Everyone,

This week I have partnered with a colleague. Josh Kozak wrote an awesome article.

Check out his LinkedIn profile:

Josh Kozak


Because Linux sees so little desktop use, I always forget that malware for Linux-based systems does exist. Add to that the fact that most Linux distributions ship with popular security tools such as SELinux, FirewallD, UFW or iptables baked right in, and it is easy to feel safe and secure in a Linux environment. Recently, however, two reports served as a reminder to update kernels and detection rules: a widespread Bluetooth vulnerability affecting the BlueZ library, and the NSA report detailing the Drovorub malware tool for Linux systems.


Bleedingtooth is the name given to the Bluetooth vulnerability found by Google security engineer Andy Nguyen, who then reported it to Intel. [1] It affects BlueZ, the official Linux Bluetooth stack. Essentially, Bleedingtooth allows an attacker within Bluetooth range to send a malicious L2CAP packet and execute code with kernel privileges. The attacker not only has to be within range; the target device must also be set to discoverable for the attack to succeed.

That may seem a very specific set of circumstances for the vulnerability to be exploited, but it is important to remember that BlueZ is also found on most Linux-based IoT devices. Those give attackers a wide choice of targets and, through them, a way into more valuable parts of the network. Being IoT devices, they are also more likely to be missed in a sweep of system and kernel upgrades and to still be running vulnerable kernel versions.

Intel announced that upgrading to kernel 5.9 or higher fixes the vulnerability. They also released patches for older kernels in case a full kernel upgrade is not viable.


I find the NSA report detailing the Drovorub malware far more intriguing. Simply put, it is a full Swiss Army knife for Linux systems. The most interesting part is that it is reported to have been created by APT28 (military unit 26165 of the Russian General Staff Main Intelligence Directorate) [2]. Drovorub consists of four executable components: drovorub-server, drovorub-agent, drovorub-client and the drovorub-kernel module.

The client is installed on the target's system by the actor; it receives commands from the server and offers file transfer to and from the system it is installed on. The client is packaged with the kernel module, which provides rootkit-style stealth to hide both the client and the module itself. The server and the agent are typically installed on infrastructure the attacker controls. The server keeps a MySQL database for registration, authentication and tasking of the agent. The agent receives commands from the server; its main purpose is to upload and download files from the client and to forward network traffic through port relays. [3]

To defend against Drovorub, it is recommended to update the Linux kernel to version 3.7 or later. The report also provides rules for both network-based and host-based detection, and covers memory analysis to help find any instances of the malware.

Because these tools are bundled together, it will be easier to write scripts that could target older production systems, which may not have reliable current backups. Also, looking at where Linux is mostly used (business and production servers, industrial PLCs and IoT devices), one is led to think these tools were originally created for industrial or commercial espionage. Add to that the fact that all of this works on kernel versions much older than current ones, and I am led to believe there are far more malware tools out there that are just as effective against newer Linux systems.

These two reports made me pause and check what I was doing with the Linux system on my laptop. I ran through a list of things, from checking my kernel version to how my Bluetooth service launched and ran. I even realized that my install had never really been configured with a firewall. So, no matter how secure your castle feels, it is always a good idea to go out and check for cracks in the foundation.
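The checklist above, as a script I added here (it is not from the original post): it compares the running kernel against the two thresholds the article gives (5.9 for the BlueZ fix, 3.7 as the Drovorub floor), reports whether bluetoothd is up and the adapter is discoverable, and looks for one of the firewall frontends named earlier. The version helpers are my own; the output formats of `bluetoothctl`, `systemctl`, `ufw` and `firewall-cmd` are assumed to be those of current mainstream distributions.

```shell
#!/bin/sh
# Added self-check script (not from the original post). Thresholds from the text:
# 5.9 = first kernel carrying the BlueZ (Bleedingtooth) fix, 3.7 = Drovorub minimum.
BLUEZ_FIX_KERNEL="5.9"
DROVORUB_MIN_KERNEL="3.7"

# kernel_major_minor "5.4.0-89-generic" -> "5.4"
kernel_major_minor() {
    v=${1%%-*}                 # drop the "-89-generic" style suffix
    maj=${v%%.*}
    rest=${v#*.}
    printf '%s.%s\n' "$maj" "${rest%%.*}"
}

# version_ge A B: succeeds when A >= B, both given as major.minor
version_ge() {
    a_maj=${1%%.*}; a_min=${1#*.}
    b_maj=${2%%.*}; b_min=${2#*.}
    if [ "$a_maj" -ne "$b_maj" ]; then return $(( a_maj > b_maj ? 0 : 1 )); fi
    return $(( a_min >= b_min ? 0 : 1 ))
}

# kernel_verdict RELEASE -> "ok" | "drovorub-floor-only" | "below-floor"
kernel_verdict() {
    mm=$(kernel_major_minor "$1")
    if version_ge "$mm" "$BLUEZ_FIX_KERNEL"; then echo ok
    elif version_ge "$mm" "$DROVORUB_MIN_KERNEL"; then echo drovorub-floor-only
    else echo below-floor; fi
}

main() {
    rel=$(uname -r)
    echo "kernel $rel: $(kernel_verdict "$rel") (below 5.9 needs the vendor BlueZ patch)"
    # Bluetooth: is the service running, and was the adapter left discoverable?
    if command -v bluetoothctl >/dev/null 2>&1; then
        echo "bluetooth.service: $(systemctl is-active bluetooth 2>/dev/null || echo unknown)"
        bluetoothctl show 2>/dev/null | grep -E '(Powered|Discoverable):' || echo "no adapter info"
    else
        echo "bluetoothctl not installed (BlueZ absent or not in PATH)"
    fi
    # Firewall: UFW, FirewallD and iptables are the frontends the article lists
    if command -v ufw >/dev/null 2>&1; then ufw status 2>&1 | head -n 1
    elif command -v firewall-cmd >/dev/null 2>&1; then echo "firewalld: $(firewall-cmd --state 2>/dev/null || echo 'not running')"
    elif command -v iptables >/dev/null 2>&1; then echo "iptables present; review rules with 'iptables -S' as root"
    else echo "no firewall frontend found"; fi
}

main
```

Run it as a normal user; only the ufw and iptables rule listings need root.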

