BPFdoor is malware that bypasses firewalls to connect remotely to a Linux shell. It aims to take complete control of the attacked system while staying passive and simply listening.
“BPFdoor is a type of backdoor malware”, comments Rosita Galiandro, Head of the Exprivia Observatory on cybersecurity, “which uses the Berkeley Packet Filter (BPF) to function as a backdoor and proceed with reconnaissance. In particular, BPF is used for the transmission of data packets and the regulation of access, as well as for the analysis of network traffic”.
Linux in the sights of BPFdoor
BPFdoor was discovered by security researchers at Sandfly Security, according to whom the new malware's backdoor features allowed it to operate covertly against Linux and Solaris systems without being noticed for over five years.
25 May 2022 – 14:30
“BPFdoor is an ideal malware for carrying out continuous attacks and for industrial espionage”, continues Rosita Galiandro, “since it does not require the opening of ports or firewall rules: in fact, it is immune to them and is able to respond to commands coming from any IP address”.
How malware works
“By leveraging a sniffing function”, Rosita Galiandro points out, “which operates at the network interface level, BPFdoor is not subject to firewall rules and remains listening for packets on ICMP, UDP and TCP ports. On detecting specific packets with precise values and, in the case of UDP/TCP, a password, the backdoor is activated and executes one of the supported commands, for example by opening a reverse shell”.
“This method of packet filtering lends itself well to stealth operations, not only because no port has to be opened, but also because of the low CPU overhead required to perform the filtering.”
In fact, “attackers exploit various compromised routers as VPN tunnels to run BPFDoor via Virtual Private Servers (VPS). Affected users remain unaware of the attack and of its persistence in the system”, warns our cybersecurity expert.
BPFdoor has versions for Linux and Solaris SPARC systems, but could be ported to BSD.
Technical analysis of the backdoor's activity
As soon as it is running, BPFDoor performs a series of operations to ensure persistence and to pass unnoticed by monitoring systems. Rosita Galiandro explains which ones:
- it becomes memory resident and uses anti-forensic and evasion techniques to hide;
- it loads a Berkeley Packet Filter (BPF) sniffer, which lets it monitor traffic efficiently and see packets regardless of any firewall running locally;
- upon receiving a special packet, it modifies the local firewall to allow the attacker’s IP address to reach resources such as a spawned shell, or to reconnect to a bind shell;
- its operations are hidden with process masking to avoid detection.
Furthermore, the analyst continues, “one detection method involves checking for unusual files in the /dev/shm directory, such as /dev/shm/kdmtmpflush:
- Source: /bin/dash (PID: 20771)
- Chmod directory: /bin/chmod -> /bin/chmod 755 /dev/shm/kdmtmpflush”.
Another technique that is proving effective is “performing checks based on robust YARA rules that allow detection of attack patterns already found in known BPFDoor installations”.
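As an added example (not code from the article, from Exprivia or from Sandfly), the following Python host-triage helpers implement two of the checks described above: which processes hold a raw AF_PACKET socket (the kind a BPF sniffer attaches to, listed by the kernel in /proc/net/packet), and which entries in /dev/shm are executable regular files. All input data below is constructed; the pids, inodes and the /proc/net/packet layout are assumptions for illustration.

```python
import re
import stat

# Constructed sample of /proc/net/packet (not from a real host): the kernel
# lists every AF_PACKET socket, i.e. every raw sniffer, with its socket inode.
SAMPLE_PROC_NET_PACKET = """\
sk       RefCnt Type Proto  Iface R Rmem   User   Inode
ffff9a1c 3      3    0003   2     1 0      0      48213
ffff9a2d 3      3    0800   0     1 0      0      48990
"""

# Constructed /proc/<pid>/fd link targets, keyed by pid (assumed values).
SAMPLE_FD_TARGETS = {
    1234: ["/dev/null", "socket:[48213]", "/dev/shm/kdmtmpflush"],
    777: ["socket:[48990]"],
    42: ["/var/log/syslog", "socket:[10001]"],  # ordinary, non-packet socket
}

# Constructed /dev/shm listing as (path, st_mode) pairs.
SAMPLE_SHM = [
    ("/dev/shm/kdmtmpflush", 0o100755),  # regular file with execute bits
    ("/dev/shm/pulse-shm-1", 0o100600),  # normal shared-memory segment
    ("/dev/shm/cache", 0o040755),        # directory, not a regular file
]

def packet_socket_inodes(text):
    """Return the socket inodes listed in /proc/net/packet text."""
    inodes = set()
    for line in text.splitlines()[1:]:  # first line is the column header
        cols = line.split()
        if len(cols) >= 9 and cols[-1].isdigit():
            inodes.add(int(cols[-1]))
    return inodes

def pids_holding_packet_sockets(inodes, fd_targets):
    """Map pid -> sorted AF_PACKET socket inodes open in that process."""
    sock = re.compile(r"^socket:\[(\d+)\]$")
    hits = {}
    for pid, targets in fd_targets.items():
        found = sorted(int(m.group(1)) for m in map(sock.match, targets)
                       if m and int(m.group(1)) in inodes)
        if found:
            hits[pid] = found
    return hits

def suspicious_shm_entries(entries):
    """Flag /dev/shm entries that are regular files with any execute bit set."""
    return sorted(p for p, mode in entries if stat.S_ISREG(mode) and mode & 0o111)
```

On a live Linux host, feed `packet_socket_inodes` the contents of /proc/net/packet and build the fd map from `os.readlink` over each /proc/<pid>/fd (root is needed to read other users' processes); legitimate sniffers such as dhclient or tcpdump will also appear, so the output is a triage list, not a verdict.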
Finally, Galiandro concludes with “a collection of hashes and Indicators of Compromise (IOC)” for the known BPFDoor samples.
The post BPFdoor, the malware that can bypass firewalls appeared first on Archyworldys.