I looked at the sources for #BPFdoor and ran @SandflySecurity against the binary. We could find this since at least 1.x of our product. Here is a run down of what it is doing.
#BPFdoor uses eBPF to sniff traffic. It can bypass firewall rules to see packets. When it starts it writes to /var/run/haldrund.pid which is obfuscated as hex in the code. It also masquerades its name using a number of pre-defined command line values below:
After #bpfdoor goes resident it deletes itself from disk. The working directory is /dev/shm (Linux ramdisk). A system reboot ensures the area is wiped. You can see also where it masks the cmdline and command portions in /proc. A ps command shows the bogus name.
#BPFdoor intiates anti-forensics by removing the binary afterwards and this shows up as a deleted binary associated with a running process which is always bad news.
The /proc/<PID>/stack area of the #BPFdoor process shows some suspiciously named functions as the sniffer loop is waiting for commands.
Also, a look under /proc/<PID>/fd shows a file descriptor that is actively grabbing packet traffic. We generated an alert on on this and you can see the packet file descriptor in the raw forensic data. stdin,stdout,stderr are redirected.
The process environment is wiped out so there are no traces to review. This is unusual for most processes on Linux and is worth investigating in and of itself.
A closer look at the /proc/<PID>/cmdline and /proc/<PID>/comm forensic traces in the suspicious process below. Again, there are a number of seemingly benign name it will pick at random on startup.
Looking at the code, it has backdoor capability with encryption (RC4). It also mods iptables rules to allow access when needed. The shell also has some anti-forensics measures in place.
The code is looking for a magic packet with a user-defined password on TCP, UDP or ICMP. Once seen then various things can happen such as shell, etc.
I'll have a longer write-up this week after seeing this backdoor. The use of eBPF is not common and the backdoor is minimalist to avoid detection but get the job done. But, it can be found pretty easily if you know how to look. Thank you @GossiTheDog for the thread.
Check out our blog for many more Linux forensics articles. I'll post there about #BPFDoor when I look at it closer:
Realized I made a 1AM typo when doing this. It's BPF, not eBPF. The BPF is a packet filter to efficiently filter for magic packets to operate the backdoor when sniffing inbound traffic.
• • •
Missing some Tweet in this thread? You can try to
force a refresh
Sandfly users (even free users) can enable the following incident response checks to flag processes running as sniffers. It will easily find #BPFdoor. Here's how in this thread:
We have checks for sniffer activity in the incident response modules. They are not run by default as they can be noisy at times, but we do have a tuned version that is not noisy. Select the hosts you want scanned, then in sandfly selection use the filter to find "sniffer".
Then select the ones you want run. I suggest using just the tuned version which will ignore some common false positives.
People are asking me to post hashes about this Linux malware we came across. No. Using hashes for finding Linux malware doesn't work and are easily altered. Look for tactics instead. Here are some tactics to use in this thread.
Can you see the /etc/ld.so.preload file? Can you read it with /bin/cat or see it with the /bin/ls command? If you are being stopped from doing this then you have ld preload malware stopping you.
Can you read the root SSH authorized_keys file? This malware stops you from doing that. Is the file set to immutable as seen with the "lsattr" command? If you didn't set it immutable, then the malware probably did to hang around.
Modified /etc/ld.so.preload to point to a malicious library to intercept system calls. The file was /lib/libcurl.so.2.17.0 and was not known by VirusTotal. The /etc/ld.so.preload file contents was being hidden from system commands. It was marked immutable to make removal harder.
We unmasked the file contents here. You can see the path and creation dates.
You see a weird openssl command running on one of your Linux systems. Here's how to investigate whether it's a bindshell backdoor operating on the box and hiding traffic inside an encrypted tunnel. Thread. #DFIR
The server and client to run the attack. The reverse bindshell causes openssl to connect back to us and is encrypted so network monitoring is blind to what is going on. Need to look at the host to figure it out.
We log into the host after seeing the weird outbound connection and need to investigate. Run ps -aux and lsof -p <PID> to see the process. Throw in netstat for good measure. We see openssl and /bin/sh -i running that look strange.
@SandflySecurity was able to spot this malware very quickly and with multiple serious alerts. Let's have a walk-through about what it was up to and de-cloak it. #DFIR#sandflysecurity
Virus total shows very few results. But we saw many serious compromise tactics in use on this Linux system hit with the malware.
The top and ps commands show some odd things. Top is showing 100% of the CPU in use, but no process claiming responsibility. The ps listing shows nothing unusual. Something is hiding. Let's de-cloak it. #DFIR
Malware will name itself with [brackets] to impersonate a Linux kernel thread. Bracketed names mean no cmd line argument. Kernel threads almost always are in brackets.
Use ps with tree view to find our candidates for investigation:
Any #Linux process that looks like a [kernel thread] should have an empty maps file. If you look at the maps file for a process and it has data in it, it's not a kernel thread:
cat /proc/<PID>/maps
Our suspect below has entries under maps. Bad news.