Discover and read the best of Twitter Threads about #BPFdoor
Most recents (2)
Sandfly users (even free users) can enable the following incident response checks to flag processes running as sniffers. It will easily find #BPFdoor. Here's how in this thread: 
We have checks for sniffer activity in the incident response modules. They are not run by default as they can be noisy at times, but we do have a tuned version that is not noisy. Select the hosts you want scanned, then in sandfly selection use the filter to find "sniffer".
Then select the ones you want run. I suggest using just the tuned version which will ignore some common false positives.
I looked at the sources for #BPFdoor and ran @SandflySecurity against the binary. We could find this since at least 1.x of our product. Here is a run down of what it is doing.
#BPFdoor uses eBPF to sniff traffic. It can bypass firewall rules to see packets. When it starts it writes to /var/run/haldrund.pid which is obfuscated as hex in the code. It also masquerades its name using a number of pre-defined command line values below:
After #bpfdoor goes resident it deletes itself from disk. The working directory is /dev/shm (Linux ramdisk). A system reboot ensures the area is wiped. You can see also where it masks the cmdline and command portions in /proc. A ps command shows the bogus name.
