New Linux malware that can bypass firewalls: BPFdoor

The malware, recently discovered and reported by Sandfly Security researchers, went unnoticed for over five years because it is a backdoor. By its nature, BPFdoor lets an attacker connect remotely to a Linux shell and obtain full access to the compromised device without alerting the firewall. It also does not need to open any ports of its own, which makes it well suited to industrial espionage.

The Linux BPFdoor Malware

Being a backdoor, the new malware can listen on one or more ports for traffic from different hosts, which lets attackers send commands remotely to the compromised network. It uses a Berkeley Packet Filter sniffer that operates at the network interface layer and can see all traffic, whatever destination the packets are addressed to. Because it works at such a low level, BPFdoor, which affects both Linux and Solaris, is not subject to firewall rules.

The new threat is driven by an attacker who uses a "magic" keyword to control the actions of the targeted system. BPFdoor inspects only ICMP, UDP and TCP packets, checking for the presence of a specific data value and, for the latter two packet types, a password.

What sets it apart is that it can monitor any port for the magic packet, even if those ports are already in use by other services. If the TCP or UDP packets contain the right "magic" data and a correct password, the backdoor activates by executing a bind or reverse shell.
ICMP packets do not require a password, which makes it possible to scan the Internet for running BPFdoor implants using nothing more than ping.

For now, BPFdoor has infected networks of organizations in various geographic areas, such as the United States, South Korea, Hong Kong, Turkey, India, Vietnam, and Myanmar.

How it works: How Linux malware bypasses firewalls

As already outlined, the attack scheme is as simple as it is effective. First, the attacker sends an activation packet carrying the "magic" number to a port on the target. The system sees the packet before the firewall can reject it and opens a shell on a high TCP port. It then reconfigures the firewall to redirect the attacker's packets to the shell port; network traffic thus appears to go to a legitimate port but is actually redirected to the shell.

As Craig Rowland of Sandfly Security notes, the malware employs clever evasion techniques.
Once resident in system memory, it performs anti-forensics actions by wiping its process environment. It then loads a sniffer (the BPF filter itself) that lets it sit in front of any running local firewall and see packets; when it receives a relevant one, it modifies the iptables rules so that the attacker can communicate through the local firewall.
Once this is done, it disguises its process under a name resembling a common Linux system component and changes the binary's date (so-called timestomping) to October 30, 2008, before deleting it.
Finally, it renames and executes itself under the name /dev/shm/kdmtmpflush.
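As an added defensive illustration (not code from the article, Sandfly or PwC), the following Python hunts for the footprint that a sniffer like the one described above must leave on a host: every process holding an AF_PACKET socket is listed in /proc/net/packet, and each socket inode can be joined back to its owning PID through the /proc/<pid>/fd symlinks. The sample /proc/net/packet contents and the PID table are constructed; scan_live() reads the real files on a Linux host.

```python
import os, re
# Constructed sample of /proc/net/packet (column order as the kernel prints it);
# inode 48213 is the fake raw-socket sniffer, 48990 a benign DGRAM capture socket.
SAMPLE_PROC_NET_PACKET = """\
sk       RefCnt Type Proto  Iface R Rmem   User   Inode
00000000000000aa 3      3    0003   2     1 0      0      48213
00000000000000bb 3      2    0800   0     1 0      0      48990
"""

def parse_proc_net_packet(text):
    """Return {inode: (sock_type, ethertype)} for every AF_PACKET socket listed."""
    socks = {}
    for line in text.splitlines()[1:]:          # skip the header row
        f = line.split()
        if len(f) < 9:
            continue
        socks[int(f[8])] = (int(f[2]), int(f[3], 16))  # Type: SOCK_RAW=3, SOCK_DGRAM=2
    return socks

def socket_inodes(pid, proc="/proc"):
    """Socket inodes held by pid, read from its /proc/<pid>/fd symlinks ('socket:[N]')."""
    found = set()
    fd_dir = os.path.join(proc, str(pid), "fd")
    try:
        for fd in os.listdir(fd_dir):
            try:
                target = os.readlink(os.path.join(fd_dir, fd))
            except OSError:                     # fd closed between listdir and readlink
                continue
            m = re.fullmatch(r"socket:\[(\d+)\]", target)
            if m:
                found.add(int(m.group(1)))
    except OSError:                             # pid gone, or not permitted (non-root)
        pass
    return found

def match_sniffers(packet_socks, pid_to_inodes):
    """Join AF_PACKET inodes to the processes holding them -> [(pid, inode, type, proto)]."""
    hits = []
    for pid, inodes in pid_to_inodes.items():
        for ino in sorted(inodes & set(packet_socks)):
            sock_type, proto = packet_socks[ino]
            hits.append((pid, ino, sock_type, proto))
    return hits
def scan_live(proc="/proc"):
    """Run the hunt on this host (read-only; run as root to see other users' fds)."""
    with open(os.path.join(proc, "net", "packet")) as fh:
        packet_socks = parse_proc_net_packet(fh.read())
    pids = [int(p) for p in os.listdir(proc) if p.isdigit()]
    return match_sniffers(packet_socks, {p: socket_inodes(p, proc) for p in pids})
```

A hit whose /proc/<pid>/exe link ends in "(deleted)", or whose process name mimics a system daemon, deserves a closer look, since the article notes BPFdoor removes its binary after starting.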

Rowland reads the timestomping as an attempt by the attacker to cover their tracks in case the binary is later removed, or as a way to hide the malware from searches for recently created files on the system.

When the infected host receives a special BPFdoor packet, the malware spawns a new instance and modifies the local iptables rules to perform the redirection described above.
This is why changing the firewall rules matters: it lets attackers talk to the backdoor through traffic that firewalls cannot flag as suspicious.

Origin of the BPFdoor

Although there is no evidence, PricewaterhouseCoopers (PwC) researchers say they found BPFdoor during an incident response engagement.

PwC attributed the intrusion to a China-based actor known as Red Menshen (formerly Red Dev 18), which used BPFdoor against telecom providers across the Middle East and Asia, as well as entities in the government, education and logistics sectors.

Investigations revealed that Red Menshen used custom variants of the Mangzamel backdoor and the Gh0st remote access tool (RAT), coupled with open-source tools such as Mimikatz (to extract credentials) and the Metasploit penetration testing suite, for Windows systems.

The article "New Linux Malware Able To Bypass Firewalls: BPFdoor" was originally published at Tech CuE | Close-up Engineering.