Share this page!

Maybe Scrolly?
Craig H. Rowland Profile picture
Twitter logo
May 8 13 tweets 6 min read
I looked at the sources for #BPFdoor and ran @SandflySecurity against the binary. We could find this since at least 1.x of our product. Here is a run down of what it is doing.
#BPFdoor uses eBPF to sniff traffic. It can bypass firewall rules to see packets. When it starts it writes to /var/run/haldrund.pid which is obfuscated as hex in the code. It also masquerades its name using a number of pre-defined command line values below:
After #bpfdoor goes resident it deletes itself from disk. The working directory is /dev/shm (Linux ramdisk). A system reboot ensures the area is wiped. You can see also where it masks the cmdline and command portions in /proc. A ps command shows the bogus name.
#BPFdoor intiates anti-forensics by removing the binary afterwards and this shows up as a deleted binary associated with a running process which is always bad news.
The /proc/<PID>/stack area of the #BPFdoor process shows some suspiciously named functions as the sniffer loop is waiting for commands.
Also, a look under /proc/<PID>/fd shows a file descriptor that is actively grabbing packet traffic. We generated an alert on on this and you can see the packet file descriptor in the raw forensic data. stdin,stdout,stderr are redirected.
The process environment is wiped out so there are no traces to review. This is unusual for most processes on Linux and is worth investigating in and of itself.
A closer look at the /proc/<PID>/cmdline and /proc/<PID>/comm forensic traces in the suspicious process below. Again, there are a number of seemingly benign name it will pick at random on startup.
Looking at the code, it has backdoor capability with encryption (RC4). It also mods iptables rules to allow access when needed. The shell also has some anti-forensics measures in place.
The code is looking for a magic packet with a user-defined password on TCP, UDP or ICMP. Once seen then various things can happen such as shell, etc.
I'll have a longer write-up this week after seeing this backdoor. The use of eBPF is not common and the backdoor is minimalist to avoid detection but get the job done. But, it can be found pretty easily if you know how to look. Thank you @GossiTheDog for the thread.
Check out our blog for many more Linux forensics articles. I'll post there about #BPFDoor when I look at it closer:

sandflysecurity.com/blog/
Realized I made a 1AM typo when doing this. It's BPF, not eBPF. The BPF is a packet filter to efficiently filter for magic packets to operate the backdoor when sniffing inbound traffic.

• • •

Missing some Tweet in this thread? You can try to force a refresh
 

Keep Current with Craig H. Rowland

Craig H. Rowland Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

PDF

Twitter may remove this content at anytime! Save it as PDF for later use!

Try unrolling a thread yourself!

how to unroll video
  1. Follow @ThreadReaderApp to mention us!

  2. From a Twitter thread mention us with a keyword "unroll"
@threadreaderapp unroll

Practice here first or read more on our help page!

More from @CraigHRowland

Craig H. Rowland Profile picture
May 9
Sandfly users (even free users) can enable the following incident response checks to flag processes running as sniffers. It will easily find #BPFdoor. Here's how in this thread: Image
We have checks for sniffer activity in the incident response modules. They are not run by default as they can be noisy at times, but we do have a tuned version that is not noisy. Select the hosts you want scanned, then in sandfly selection use the filter to find "sniffer". Image
Then select the ones you want run. I suggest using just the tuned version which will ignore some common false positives. Image
Read 5 tweets
Craig H. Rowland Profile picture
Aug 2, 2021
People are asking me to post hashes about this Linux malware we came across. No. Using hashes for finding Linux malware doesn't work and are easily altered. Look for tactics instead. Here are some tactics to use in this thread.
Can you see the /etc/ld.so.preload file? Can you read it with /bin/cat or see it with the /bin/ls command? If you are being stopped from doing this then you have ld preload malware stopping you.
Can you read the root SSH authorized_keys file? This malware stops you from doing that. Is the file set to immutable as seen with the "lsattr" command? If you didn't set it immutable, then the malware probably did to hang around.
Read 9 tweets
Craig H. Rowland Profile picture
Aug 2, 2021
More on this Linux stealth malware below.
Modified /etc/ld.so.preload to point to a malicious library to intercept system calls. The file was /lib/libcurl.so.2.17.0 and was not known by VirusTotal. The /etc/ld.so.preload file contents was being hidden from system commands. It was marked immutable to make removal harder.
We unmasked the file contents here. You can see the path and creation dates.
Read 7 tweets
Craig H. Rowland Profile picture
Apr 19, 2021
You see a weird openssl command running on one of your Linux systems. Here's how to investigate whether it's a bindshell backdoor operating on the box and hiding traffic inside an encrypted tunnel. Thread. #DFIR
The server and client to run the attack. The reverse bindshell causes openssl to connect back to us and is encrypted so network monitoring is blind to what is going on. Need to look at the host to figure it out.
We log into the host after seeing the weird outbound connection and need to investigate. Run ps -aux and lsof -p <PID> to see the process. Throw in netstat for good measure. We see openssl and /bin/sh -i running that look strange.
Read 12 tweets
Craig H. Rowland Profile picture
Dec 2, 2020
@SandflySecurity was able to spot this malware very quickly and with multiple serious alerts. Let's have a walk-through about what it was up to and de-cloak it. #DFIR #sandflysecurity
Virus total shows very few results. But we saw many serious compromise tactics in use on this Linux system hit with the malware.
The top and ps commands show some odd things. Top is showing 100% of the CPU in use, but no process claiming responsibility. The ps listing shows nothing unusual. Something is hiding. Let's de-cloak it. #DFIR
Read 16 tweets
Craig H. Rowland Profile picture
Feb 25, 2020
You can find #Linux malware masquerading as a kernel thread using this command:

cat /proc/<PID>/maps

I'm going to show you how in this thread.

#DFIR #sandflysecurity Image
Malware will name itself with [brackets] to impersonate a Linux kernel thread. Bracketed names mean no cmd line argument. Kernel threads almost always are in brackets.

Use ps with tree view to find our candidates for investigation:

ps auxwf | grep "\["

#DFIR #sandflysecurity Image
Any #Linux process that looks like a [kernel thread] should have an empty maps file. If you look at the maps file for a process and it has data in it, it's not a kernel thread:

cat /proc/<PID>/maps

Our suspect below has entries under maps. Bad news.

#DFIR #sandflysecurity Image
Read 6 tweets

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Don't want to be a Premium member but still want to support us?

Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal

Or Donate anonymously using crypto!

Ethereum

0xfe58350B80634f60Fa6Dc149a72b4DFbc17D341E copy

Bitcoin

3ATGMxNzCUFzxpMCHL5sWSt4DVtS8UqXpi copy

Thank you for your support!

Follow Us on Twitter!

:(