BPFdoor, the malware that can bypass firewalls

BPFdoor is a Linux backdoor that gets past host firewalls to give an attacker remote access to a shell. Its goal is complete control of the compromised system while staying passive: it binds no listening port and simply waits for a specially crafted packet.

“BPFdoor is a backdoor-type malware,” comments Rosita Galiandro, Head of the Exprivia Observatory on cybersecurity, “which uses the Berkeley Packet Filter (BPF) to function as a backdoor and to proceed with reconnaissance. In particular, BPF is used for the transmission of data packets and the regulation of access, as well as for the analysis of network traffic.”

Linux in the sights of BPFdoor

BPFdoor was brought to light by the security researchers of Sandfly Security, according to whom the malware, thanks to its backdoor features, operated covertly against Linux and Solaris systems without being noticed for over five years.

25 May 2022 – 14:30


“BPFdoor is an ideal malware for carrying out continuous attacks and for industrial espionage,” continues Rosita Galiandro, “since it does not require the opening of ports or firewall rules: in fact, it is immune to them and is able to respond to commands coming from any IP address.”

How malware works

“By leveraging a sniffing function,” underlines Rosita Galiandro, “which operates at the network interface level, BPFdoor is not subject to the firewall's rules and remains listening for ICMP, UDP and TCP packets. On detecting specific packets with precise values and, in the case of UDP/TCP, a password, the backdoor is activated and executes one of the supported commands, for example by opening a reverse shell.”

“This method of packet filtering lends itself well to stealth operations, not only because no port is opened, but also because of the low CPU overhead required to perform the filtering.”
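To make the mechanism described in the quotes above concrete, here is an added example (it is not code from the original article, from the malware, or from Sandfly's analysis). It assembles a classic BPF program of the kind such a backdoor attaches to an AF_PACKET socket and runs it over constructed Ethernet/IPv4 frames with a small interpreter, so the matching logic can be tested without root. The two "magic" marker values, the packet layouts, the test frames and the `attach_filter` helper are assumptions; the real sample's constants are not given on this page. The security point it demonstrates: a socket filter runs in the kernel on every frame that reaches the interface, before the IP stack and netfilter's INPUT chain, and no port is bound, so an iptables rule that blocks a port does not stop the trigger packet from being seen.

```python
import ctypes
import socket
import struct

# Classic BPF opcode fields, as in linux/filter.h.
BPF_LD, BPF_LDX, BPF_ALU, BPF_JMP, BPF_RET, BPF_MISC = 0x00, 0x01, 0x04, 0x05, 0x06, 0x07
BPF_W, BPF_H, BPF_B = 0x00, 0x08, 0x10          # load width
BPF_ABS, BPF_IND, BPF_MSH = 0x20, 0x40, 0xa0    # addressing modes
BPF_ADD, BPF_AND, BPF_RSH = 0x00, 0x50, 0x70    # ALU operations
BPF_JEQ, BPF_K, BPF_X, BPF_TAX = 0x10, 0x00, 0x08, 0x00
SO_ATTACH_FILTER = 26                            # not exported by Python's socket module
ETH_HLEN = 14

# ASSUMPTION: placeholder trigger markers; the real sample's constants are not on this page.
MAGIC_DGRAM = 0x1234   # first two payload bytes of a trigger ICMP or UDP packet
MAGIC_TCP = 0x5678     # first two payload bytes of a trigger TCP segment

def insn(code, jt=0, jf=0, k=0):
    return (code, jt, jf, k)

# Accept IPv4 frames whose ICMP/UDP payload starts with MAGIC_DGRAM, or whose TCP payload
# (after variable-length IP and TCP headers) starts with MAGIC_TCP. Everything else is
# dropped inside the kernel; no port is ever bound.
TRIGGER_FILTER = [
    insn(BPF_LD | BPF_H | BPF_ABS, k=12),                # 0: A = EtherType
    insn(BPF_JMP | BPF_JEQ | BPF_K, 0, 15, 0x0800),      # 1: not IPv4 -> 17
    insn(BPF_LDX | BPF_B | BPF_MSH, k=ETH_HLEN),         # 2: X = IPv4 header length
    insn(BPF_LD | BPF_B | BPF_ABS, k=ETH_HLEN + 9),      # 3: A = IP protocol
    insn(BPF_JMP | BPF_JEQ | BPF_K, 2, 0, 1),            # 4: ICMP -> 7
    insn(BPF_JMP | BPF_JEQ | BPF_K, 1, 0, 17),           # 5: UDP  -> 7
    insn(BPF_JMP | BPF_JEQ | BPF_K, 2, 10, 6),           # 6: TCP  -> 9, else -> 17
    insn(BPF_LD | BPF_H | BPF_IND, k=ETH_HLEN + 8),      # 7: A = payload[0:2] past 8-byte ICMP/UDP header
    insn(BPF_JMP | BPF_JEQ | BPF_K, 7, 8, MAGIC_DGRAM),  # 8: hit -> 16, miss -> 17
    insn(BPF_LD | BPF_B | BPF_IND, k=ETH_HLEN + 12),     # 9: A = TCP data-offset byte
    insn(BPF_ALU | BPF_AND | BPF_K, k=0xf0),             # 10
    insn(BPF_ALU | BPF_RSH | BPF_K, k=2),                # 11: A = TCP header length
    insn(BPF_ALU | BPF_ADD | BPF_X),                     # 12: A += IP header length
    insn(BPF_MISC | BPF_TAX),                            # 13: X = A
    insn(BPF_LD | BPF_H | BPF_IND, k=ETH_HLEN),          # 14: A = TCP payload[0:2]
    insn(BPF_JMP | BPF_JEQ | BPF_K, 0, 1, MAGIC_TCP),    # 15: hit -> 16, miss -> 17
    insn(BPF_RET | BPF_K, k=0xffff),                     # 16: accept: wake the backdoor
    insn(BPF_RET | BPF_K, k=0),                          # 17: drop
]

def run_filter(prog, frame):
    """Minimal interpreter for the opcodes used above; returns the RET value (0 = drop)."""
    A = X = pc = 0
    while pc < len(prog):
        code, jt, jf, k = prog[pc]
        pc += 1
        cls = code & 0x07
        if cls == BPF_LD:
            n = {BPF_W: 4, BPF_H: 2, BPF_B: 1}[code & 0x18]
            off = k + (X if code & 0xe0 == BPF_IND else 0)
            if off + n > len(frame):
                return 0                       # out-of-range load: the kernel drops the packet
            A = int.from_bytes(frame[off:off + n], "big")
        elif cls == BPF_LDX:                   # only the MSH form (4 * (byte & 0xf)) is used here
            if k >= len(frame):
                return 0
            X = (frame[k] & 0x0f) * 4
        elif cls == BPF_ALU:
            src = X if code & BPF_X else k
            A = {BPF_ADD: (A + src) & 0xffffffff, BPF_AND: A & src, BPF_RSH: A >> src}[code & 0xf0]
        elif cls == BPF_JMP:                   # only JEQ #k is used here
            pc += jt if A == k else jf
        elif cls == BPF_MISC:                  # TAX
            X = A
        elif cls == BPF_RET:
            return k
    raise ValueError("program fell off the end")

def matches(frame):
    return run_filter(TRIGGER_FILTER, frame) != 0

def attach_filter(sock, prog):
    """Attach prog to an AF_PACKET socket (Linux, root). Frames the filter drops never reach
    userspace; frames it accepts arrive whatever the iptables INPUT chain says about the port."""
    buf = ctypes.create_string_buffer(b"".join(struct.pack("HBBI", *i) for i in prog))
    sock.setsockopt(socket.SOL_SOCKET, SO_ATTACH_FILTER,
                    struct.pack("HL", len(prog), ctypes.addressof(buf)))

# Constructed test frames (checksums left at zero; the filter never looks at them).
def eth_ipv4(proto, l4, ip_options=b""):
    ihl = 5 + len(ip_options) // 4
    ip = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, ihl * 4 + len(l4), 0, 0, 64, proto, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])) + ip_options
    return b"\x00" * 12 + b"\x08\x00" + ip + l4

def udp(data):
    return struct.pack("!HHHH", 4444, 53, 8 + len(data), 0) + data

def icmp_echo(data):
    return struct.pack("!BBHHH", 8, 0, 0, 1, 1) + data

def tcp(data, tcp_options=b""):
    doff = 5 + len(tcp_options) // 4
    return struct.pack("!HHIIBBHHH", 4444, 22, 1, 0, doff << 4, 0x18, 1024, 0, 0) + tcp_options + data

if __name__ == "__main__":
    for label, frame in [("udp trigger", eth_ipv4(17, udp(b"\x12\x34pass:hunter2"))),
                         ("tcp with options", eth_ipv4(6, tcp(b"\x56\x78", b"\x01" * 4), b"\x01" * 4)),
                         ("plain dns query", eth_ipv4(17, udp(b"\xab\xcd\x01\x00")))]:
        print(f"{label:18s} -> {'accept' if matches(frame) else 'drop'}")
```

The same program expressed as a tcpdump-style expression is what a defender would run on a span port to look for trigger traffic; the point of the interpreter is only to show that the match is decided by header arithmetic (IP header length from the IHL nibble, TCP header length from the data-offset nibble) on the raw frame, with no socket, port or connection state involved, which is why a host firewall that filters by port cannot see it.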

As she notes, “attackers exploit various compromised routers as VPN tunnels to run BPFDoor via Virtual Private Servers (VPS). Affected users remain unaware of the attack and of its persistence in the system,” warns our cybersecurity expert.

BPFdoor has builds for Linux and for Solaris SPARC systems, and could be ported to BSD.

Technical analysis of the backdoor's activity

As soon as it is running, BPFDoor performs a series of operations to ensure persistence and to slip past monitoring systems. Rosita Galiandro lists them:

  1. it becomes memory resident and uses anti-forensic and evasion techniques to hide;
  2. it loads a Berkeley Packet Filter (BPF) sniffer, which lets it monitor traffic efficiently and work alongside any firewall running locally to see packets;
  3. on receiving a special packet, it modifies the local firewall to allow the attacker's IP address to reach resources such as a spawned shell, or to reconnect to a bind shell;
  4. its operations are hidden by process masking to avoid detection.

Furthermore, the analyst continues, “one detection method involves checking for unusual files in the /dev/shm directory, such as /dev/shm/kdmtmpflush:

  • Source: /bin/dash (PID: 20771)
  • Chmod directory: /bin/chmod -> /bin/chmod 755 /dev/shm/kdmtmpflush”.
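The four behaviours listed above and the /dev/shm check translate into a host-side triage script. The following is an added example, not code from the article, from Sandfly or from Exprivia. It reads /proc to find processes whose executable lives under /dev/shm or /tmp (or was deleted after launch, the memory-resident trait), whose argv[0] disagrees with both their comm and their exe link (process masking), or which hold an AF_PACKET socket (the sniffer), and it hashes files in the volatile directories against a few of the SHA-256 indicators that close this article. The sample process table, the masked command line `/sbin/udevd -d`, the /proc/net/packet excerpt and the allowlist of legitimate packet-socket users are constructed assumptions to be tuned per host; only the file name `/dev/shm/kdmtmpflush` and PID 20771 come from the finding quoted above.

```python
import hashlib
import os
import re

# A few of the SHA-256 indicators listed at the end of this article; extend with the full list.
KNOWN_SHA256 = {
    "07ecb1f2d9ffbd20a46cd36cd06b022db3cc8e45b1ecab62cd11f9ca7a26ab6d",
    "144526d30ae747982079d5d340d1ff116a7963aba2e3ed589e7ebc297ba0c1b3",
    "1925e3cd8a1b0bba0d297830636cdb9ebf002698c8fa71e0063581204f4e8345",
}
VOLATILE_DIRS = ("/dev/shm/", "/tmp/", "/var/tmp/")   # a daemon's executable should not live here
# ASSUMPTION: daemons that legitimately hold AF_PACKET sockets on this host; tune per environment.
PACKET_SOCKET_ALLOWLIST = {"dhclient", "dhcpcd", "tcpdump", "wpa_supplicant", "NetworkManager", "systemd-networkd"}

def parse_packet_table(text):
    """Inodes of all AF_PACKET sockets: the last column of /proc/net/packet."""
    lines = text.splitlines()[1:]                       # skip the header row
    return {int(line.split()[-1]) for line in lines if line.strip()}

def snapshot_proc(proc="/proc"):
    """Per-process facts from a live /proc (Linux; root is needed to read other users' exe and fd links)."""
    procs = []
    for pid in filter(str.isdigit, os.listdir(proc)):
        base = f"{proc}/{pid}"
        try:
            with open(f"{base}/comm") as f:
                comm = f.read().strip()
            with open(f"{base}/cmdline", "rb") as f:
                cmdline = f.read().replace(b"\0", b" ").decode(errors="replace").strip()
            exe = os.readlink(f"{base}/exe")
            inodes = set()
            for fd in os.listdir(f"{base}/fd"):
                m = re.fullmatch(r"socket:\[(\d+)\]", os.readlink(f"{base}/fd/{fd}"))
                if m:
                    inodes.add(int(m.group(1)))
        except OSError:
            continue                                    # process exited or is not readable
        procs.append({"pid": int(pid), "comm": comm, "cmdline": cmdline, "exe": exe, "socket_inodes": inodes})
    return procs

def assess(procs, packet_inodes):
    """Map pid -> list of reasons for processes that show the traits listed in the article."""
    findings = {}
    for p in procs:
        reasons, exe = [], p["exe"]
        if exe.endswith(" (deleted)"):                  # memory-resident after unlinking its own file
            reasons.append("executable was deleted after launch")
            exe = exe[:-len(" (deleted)")]
        if exe.startswith(VOLATILE_DIRS):
            reasons.append(f"executable lives under {os.path.dirname(exe)}")
        argv0 = os.path.basename(p["cmdline"].split(" ", 1)[0]) if p["cmdline"] else ""
        if argv0 and argv0 != p["comm"] and argv0 != os.path.basename(exe):   # process masking
            reasons.append(f"argv[0] {argv0!r} matches neither comm {p['comm']!r} nor exe {exe!r}")
        if p["socket_inodes"] & packet_inodes and p["comm"] not in PACKET_SOCKET_ALLOWLIST:
            reasons.append("holds an AF_PACKET (raw sniffing) socket")
        if reasons:
            findings[p["pid"]] = reasons
    return findings

def sha256_hit(data, known=KNOWN_SHA256):
    digest = hashlib.sha256(data).hexdigest()
    return digest, digest in known

def scan_volatile_dirs(dirs=VOLATILE_DIRS, known=KNOWN_SHA256):
    """Report executable files and IoC hash hits under the volatile directories."""
    hits = []
    for d in dirs:
        for root, _, files in os.walk(d):
            for name in files:
                path = os.path.join(root, name)
                try:
                    with open(path, "rb") as f:
                        digest, ioc = sha256_hit(f.read(), known)
                    executable = os.access(path, os.X_OK)
                except OSError:
                    continue
                if ioc or executable:
                    hits.append((path, digest, ioc))
    return hits

# Constructed sample: one masked process (file name and PID from the /dev/shm finding quoted
# above; its fake command line is made up here) beside two ordinary daemons.
SAMPLE_PROCS = [
    {"pid": 612, "comm": "sshd", "exe": "/usr/sbin/sshd", "cmdline": "/usr/sbin/sshd -D", "socket_inodes": {1001}},
    {"pid": 731, "comm": "dhclient", "exe": "/usr/sbin/dhclient", "cmdline": "/sbin/dhclient -1 eth0", "socket_inodes": {22345}},
    {"pid": 20771, "comm": "kdmtmpflush", "exe": "/dev/shm/kdmtmpflush (deleted)", "cmdline": "/sbin/udevd -d", "socket_inodes": {33456}},
]
SAMPLE_PACKET_TABLE = """sk       RefCnt Type Proto  Iface R Rmem   User   Inode
ffff8b3d4a1e0000 3      3    0003   2     1 0      0      22345
ffff8b3d4a1e0800 3      3    0003   0     1 0      0      33456
"""

if __name__ == "__main__":
    # On a live host: assess(snapshot_proc(), parse_packet_table(open("/proc/net/packet").read()))
    for pid, reasons in assess(SAMPLE_PROCS, parse_packet_table(SAMPLE_PACKET_TABLE)).items():
        print(pid, *reasons, sep="\n  ")
```

No single signal here is conclusive: DHCP clients and network managers hold packet sockets legitimately, and `/sbin/init` on a systemd host has an argv[0] that differs from its comm. The value is in the combination, as in the sample, where one process trips every check at once; the hash comparison against the indicators is the confirming step, and it only helps for samples whose hashes are already known.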

Another technique that is proving effective is “performing checks based on robust YARA rules that make it possible to detect attack patterns already found in known BPFDoor installations”.

Finally, concludes Galiandro, here is “a collection of hashes and Indicators of Compromise (IOC):

  • MD5: 4574b9a820d22c411d53aa2f1b56b045
  • SHA-1: e6fc57807585331b85cc957cb5c4767b9f5faf5b
  • SHA-256:
  1. 07ecb1f2d9ffbd20a46cd36cd06b022db3cc8e45b1ecab62cd11f9ca7a26ab6d
  2. 144526d30ae747982079d5d340d1ff116a7963aba2e3ed589e7ebc297ba0c1b3
  3. 1925e3cd8a1b0bba0d297830636cdb9ebf002698c8fa71e0063581204f4e8345
  4. 4c5cf8f977fc7c368a8e095700a44be36c8332462c0b1e41bff03238b2bf2a2d
  5. c80bd1c4a796b4d3944a097e96f384c85687daeedcdcf05cc885c8c9b279b09c
  6. dc8346bf443b7b453f062740d8ae8d8d7ce879672810f4296158f90359dcae3a
  7. 591198c234416c6ccbcea6967963ca2ca0f17050be7eed1602198308d9127c78
  8. 599ae527f10ddb4625687748b7d3734ee51673b664f2e5d0346e64f85e185683
  9. 5b2a079690efb5f4e0944353dd883303ffd6bab4aad1f0c88b49a76ddcb28ee9
  10. fd1b20ee5bd429046d3c04e9c675c41e9095bea70e0329bd32d7edd17ebaf68a
  11. f47de978da1dbfc5e0f195745e3368d3ceef034e964817c66ba01396a1953d72
  12. 5faab159397964e630c4156f8852bcc6ee46df1cdd8be2a8d3f3d8e5980f3bb3
  13. 76bf736b25d5c9aaf6a84edd4e615796fffc338a893b49c120c0b4941ce37925
  14. 93f4262fce8c6b4f8e239c35a0679fbbbb722141b95a5f2af53a2bcafe4edd1c
  15. 96e906128095dead57fdc9ce8688bb889166b67c9a1b8fdb93d7cff7f3836bb9
  16. 97a546c7d08ad34dfab74c9c8a96986c54768c592a8dae521ddcf612a84fb8cc
  17. c796fc66b655f6107eacbe78a37f0e8a2926f01fecebd9e68a66f0e261f91276
  18. f8a5e735d6e79eb587954a371515a82a15883cf2eda9d7db8938b86e714ea27
  19. fa0defdabd9fd43fe2ef1ec33574ea1af1290bd3d763fdb2bed443f2bd996d73”.


The post BPFdoor, the malware that can bypass firewalls appeared first on Archyworldys.