BPFdoor: Stealthy Linux malware bypasses firewalls for remote access

May 16, 2022

BPFdoor is a Linux/Unix backdoor that enables threat actors to remotely connect to a compromised Linux shell, granting them full access to the targeted device. Unlike traditional malware, BPFdoor does not require open ports, bypasses firewalls, and accepts commands from any IP address, making it highly effective for corporate espionage and persistent attacks.

Key Features of BPFdoor

  • Passive Backdoor: BPFdoor listens on multiple ports for incoming packets from one or more hosts, allowing attackers to send commands remotely.
  • Berkeley Packet Filter (BPF) Sniffer: Operating at the network layer interface, BPFdoor can monitor all network traffic and send packets to any destination, ignoring firewall rules.
  • Cross-Platform Compatibility: It supports Linux and Solaris SPARC systems and could be ported to BSD.
  • Packet Parsing: The malware inspects ICMP, UDP, and TCP packets, checking for specific "magic" data values; TCP and UDP packets must also carry a password, while ICMP packets do not, which lets analysts scan for BPFdoor implants using ping.

Unique Capabilities

BPFdoor’s ability to monitor any port—even those used by legitimate services like web servers, FTP, or SSH—sets it apart. If TCP or UDP packets contain the correct “magic” data and password, the backdoor activates and executes commands, such as establishing a bind or reverse shell.

Global Impact

Analysts have detected BPFdoor activity on networks in countries including the U.S., South Korea, Hong Kong, Turkey, India, Vietnam, and Myanmar. Surprisingly, 11 Speedtest servers were also found to be infected, despite running on closed-source software.

Evasion Tactics

BPFdoor employs several advanced techniques to evade detection:

  • Resides in system memory and attempts anti-forensics actions, wiping the process environment (partially successful).
  • Deploys a BPF sniffer to bypass local firewalls and inspect packets.
  • Modifies iptables rules to allow communication through local firewalls.
  • Masquerades its binary under names resembling legitimate Linux system daemons.
  • Renames itself to /dev/shm/kdmtmpflush and timestomps its binary to October 30, 2008, before deletion.
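One way a defender can hunt for the traits listed above on a Linux host, written here as an added example rather than code from the report: it parses /proc/net/packet to find processes holding AF_PACKET sockets (the socket type a BPF sniffer uses to see traffic regardless of firewall rules), and checks the report's /dev/shm/kdmtmpflush path for the stomped 2008-10-30 modification date. The /proc sample at the bottom is constructed, not captured from a real host.

```python
import os
import re
from datetime import datetime, timezone

TIMESTOMP_DATE = "2008-10-30"             # date the report says the binary is stomped to
SUSPECT_PATHS = ["/dev/shm/kdmtmpflush"]  # file path named in the report

def packet_socket_inodes(proc_net_packet_text):
    """Parse /proc/net/packet (one AF_PACKET socket per row); return the Inode column."""
    rows = proc_net_packet_text.strip().splitlines()[1:]   # first line is the header
    return {row.split()[-1] for row in rows if row.split()}

def socket_owners(fd_links):
    """Invert {pid: [fd link targets]} into {socket inode: set(pid)}."""
    owners = {}
    for pid, targets in fd_links.items():
        for target in targets:
            m = re.fullmatch(r"socket:\[(\d+)\]", target)
            if m:
                owners.setdefault(m.group(1), set()).add(pid)
    return owners

def find_packet_sniffers(proc_net_packet_text, fd_links):
    """PIDs holding an AF_PACKET socket: candidates for a BPF-based passive backdoor."""
    owners = socket_owners(fd_links)
    return sorted({pid for ino in packet_socket_inodes(proc_net_packet_text)
                   for pid in owners.get(ino, ())}, key=int)

def is_timestomped(mtime_epoch):
    """True if a file's mtime (interpreted in UTC) falls on the report's stomped date."""
    return datetime.fromtimestamp(mtime_epoch, tz=timezone.utc).strftime("%Y-%m-%d") == TIMESTOMP_DATE

def read_fd_links(proc="/proc"):
    """Live collector: link targets of every /proc/<pid>/fd entry we may read (run as root)."""
    links = {}
    for pid in filter(str.isdigit, os.listdir(proc)):
        fd_dir = os.path.join(proc, pid, "fd")
        try:
            links[pid] = [os.readlink(os.path.join(fd_dir, fd)) for fd in os.listdir(fd_dir)]
        except OSError:          # permission denied or the process exited mid-scan
            pass
    return links

# Constructed sample of /proc/net/packet and fd listings; Proto 0003 is ETH_P_ALL (all frames)
SAMPLE_PACKET = """sk       RefCnt Type Proto  Iface R Rmem   User   Inode
ffff9c1d 3      3    0003   2     1 0      0      41235
"""
SAMPLE_FDS = {"1337": ["/dev/null", "socket:[41235]"], "42": ["pipe:[777]"]}

if __name__ == "__main__":
    print("sample sniffers:", find_packet_sniffers(SAMPLE_PACKET, SAMPLE_FDS))
    if os.path.exists("/proc/net/packet"):
        with open("/proc/net/packet") as f:
            print("live sniffers:", find_packet_sniffers(f.read(), read_fd_links()))
    for p in SUSPECT_PATHS:
        if os.path.exists(p):
            print("suspect path present:", p, "timestomped:", is_timestomped(os.stat(p).st_mtime))
```

A legitimate packet socket (tcpdump, a DHCP client, an IDS sensor) will also show up, so the PID list is a triage starting point to be checked against the process's binary path and name, not a verdict on its own.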

Technical Insights

BPFdoor includes several hardcoded names matching command strings in packets, such as:

  • justtryit, justrobot, justforfun: Establish bind shells on ports 42391–42491.
  • socket, sockettcp: Create reverse shells to specified IP addresses.

Later versions replaced command keywords with MD5 hashes, enhancing evasion and reducing detection likelihood. Despite improved detection rates, the malware remained virtually invisible for extended periods.

Regular Updates by Threat Actors

The BPFdoor implant has been updated consistently, with each release featuring new names for commands, processes, or files. This iterative development further complicates detection and mitigation.
