BPFDoor is not new to the cyber attack game; in fact, it went undetected for years before PwC researchers discovered the malware in 2021. Since then, the network security community has been learning more about the malware's stealthy nature, how it works, and how it can be prevented.
What is BPFDoor?
BPFDoor is malware linked to the China-based threat actor Red Menshen that has attacked mostly Linux operating systems. It goes undetected by firewalls and most detection systems; it has gone so unnoticed that it has been a work in progress over the past 5 years, going through many stages of development and growing in complexity.
How does it work?
BPF stands for Berkeley Packet Filter, a fitting name, since the malware abuses packet filters. BPFDoor uses BPF "sniffers" attached to sockets to watch network traffic and look for a way in. A packet filter is a program that analyzes "packets" (data, metadata, network traffic) and allows or denies their transfer based on source and destination IP addresses, protocols, or ports. Simply put, packet filters act as a firewall to keep malware from entering the operating system.
When BPFDoor is active, it sits in front of the firewall to receive packets, then modifies the local firewall rules or scripts to let the threat actor into the operating system. It can work without opening any ports and can receive commands from any IP address on the internet. And since the IP address is what the filter inspects to allow or deny packets, BPFDoor can essentially allow any packet to be sent or received. #nofilter
Why is it dangerous?
As said before, this malware is extremely dangerous because of its stealthy nature. When BPFDoor is active, remote commands can be sent through the unfiltered, unobstructed channel. Malicious traffic blends with legitimate traffic, making it difficult for firewalls and security solutions to detect. BPFDoor also renames itself after infecting the system as an evasion technique.
Systems were compromised across the United States, South Korea, Hong Kong, Turkey, India, Vietnam, and Myanmar, and the targets included telecommunications, government, educational, and logistics organizations.
What can we do about it?
To launch BPFDoor, the threat actor needs to upload a malicious binary to the server. The best lines of defense are to keep virus and malware signatures updated to catch any potential indicators and to create rules in the environment that help detect what appears to be undetectable.
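The detection rules mentioned above, and the BPF sniffer and process-renaming behaviour described earlier, can be turned into a concrete host check. The script below is an added example, not code from the article or from any BPFDoor report: it parses text in the layout of `ss -0pb` (packet sockets with their attached classic BPF filter dumped), decodes the filter instructions into mnemonics, and flags sockets held by a process that is not on an assumed allowlist, whose kernel `comm` name differs from its `argv[0]` (a renamed process), or whose executable has been deleted or lives in a volatile directory. Both the `ss`-style sample and the `/proc`-style process metadata are constructed so it runs offline; the process names, paths and allowlist are assumptions for illustration only.

```python
"""Offline triage of BPF-filtered packet sockets (added example, not from the article).

Assumptions: SAMPLE_SS_OUTPUT mimics `ss -0pb` output; SAMPLE_PROC mimics what
/proc/<pid>/{comm,cmdline,exe} would return. Both are constructed here.
"""
import os
import re
from dataclasses import dataclass, field

# Constructed sample resembling `ss -0pb` (packet sockets, BPF filter dump, owning process).
SAMPLE_SS_OUTPUT = """\
Netid Recv-Q Send-Q Local Address:Port Peer Address:Port Process
p_raw 0 0 *:eth0 * users:(("dhclient",pid=731,fd=5))
\tbpf filter (4): 0x28 0 0 12 0x15 0 1 2048 0x06 0 0 262144 0x06 0 0 0
p_raw 0 0 *:eth0 * users:(("example-netd",pid=4121,fd=3))
\tbpf filter (4): 0x28 0 0 12 0x15 0 1 2048 0x06 0 0 65535 0x06 0 0 0
p_dgr 0 0 *:lo * users:(("systemd-network",pid=512,fd=19))
"""

# Constructed stand-in for /proc/<pid>/comm, /proc/<pid>/cmdline and /proc/<pid>/exe.
SAMPLE_PROC = {
    731:  {"comm": "dhclient", "cmdline": "/sbin/dhclient -4 eth0", "exe": "/sbin/dhclient"},
    4121: {"comm": "tmpflush-sample", "cmdline": "/usr/sbin/example-netd -d",
           "exe": "/dev/shm/tmpflush-sample (deleted)"},
    512:  {"comm": "systemd-network", "cmdline": "/lib/systemd/systemd-networkd",
           "exe": "/lib/systemd/systemd-networkd"},
}

# Assumed allowlist: processes expected to hold a BPF-filtered packet socket on this host.
ALLOWLIST = {"dhclient", "tcpdump", "systemd-network"}
VOLATILE_DIRS = ("/dev/shm/", "/tmp/", "/var/tmp/")

# Classic BPF opcodes common in sniffer filters (linux/filter.h encoding: class|size|mode).
MNEMONIC = {0x20: "ld [{k}]", 0x28: "ldh [{k}]", 0x30: "ldb [{k}]",
            0x15: "jeq #{k:#x}, +{jt}, +{jf}", 0x06: "ret #{k}"}

@dataclass
class PacketSocket:
    netid: str
    iface: str
    name: str
    pid: int
    fd: int
    filter: list = field(default_factory=list)  # list of (code, jt, jf, k) tuples

PROC_RE = re.compile(r'users:\(\("(?P<name>[^"]*)",pid=(?P<pid>\d+),fd=(?P<fd>\d+)\)\)')
FILTER_RE = re.compile(r'bpf filter \((\d+)\):\s*(.*)')

def parse_ss(text):
    """Group each packet-socket line with the indented 'bpf filter' line that follows it."""
    sockets = []
    for line in text.splitlines():
        if line.startswith(("p_raw", "p_dgr")):
            cols = line.split()
            m = PROC_RE.search(line)
            if not m:
                continue
            iface = cols[3].split(":", 1)[-1]
            sockets.append(PacketSocket(cols[0], iface, m["name"], int(m["pid"]), int(m["fd"])))
        elif line.lstrip().startswith("bpf filter") and sockets:
            m = FILTER_RE.search(line)
            nums = [int(tok, 0) for tok in m.group(2).split()]
            sockets[-1].filter = [tuple(nums[i:i + 4]) for i in range(0, len(nums), 4)]
    return sockets

def disassemble(insns):
    """Render (code, jt, jf, k) tuples as readable classic-BPF mnemonics."""
    return [MNEMONIC.get(code, "op {code:#x} k={k}").format(code=code, jt=jt, jf=jf, k=k)
            for code, jt, jf, k in insns]

def triage(ss_text, proc):
    """Return findings for BPF-filtered packet sockets that look out of place."""
    findings = []
    for s in parse_ss(ss_text):
        if not s.filter:
            continue  # only sockets that actually carry a BPF filter are interesting here
        info = proc.get(s.pid, {})
        reasons = []
        if s.name not in ALLOWLIST:
            reasons.append("unlisted process holds a BPF-filtered packet socket")
        cmdline = info.get("cmdline", "")
        argv0 = os.path.basename(cmdline.split()[0]) if cmdline else ""
        if info and info.get("comm") != argv0:
            reasons.append(f"comm {info['comm']!r} differs from argv[0] {argv0!r} (renamed process)")
        exe = info.get("exe", "")
        if exe.endswith("(deleted)") or exe.startswith(VOLATILE_DIRS):
            reasons.append(f"executable {exe!r} is deleted or lives in a volatile directory")
        if reasons:
            findings.append({"pid": s.pid, "iface": s.iface, "reasons": reasons,
                             "filter": disassemble(s.filter)})
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_SS_OUTPUT, SAMPLE_PROC):
        print(f"pid {f['pid']} on {f['iface']}: " + "; ".join(f["reasons"]))
        print("  filter: " + " | ".join(f["filter"]))
```

On a live host the same logic would take the real `ss -0pb` output and read `/proc/<pid>/comm`, `/proc/<pid>/cmdline` and `readlink /proc/<pid>/exe` in place of the constructed dictionaries. The allowlist is the part that must be tuned per environment; the other two signals (a renamed process and a deleted or tmp-resident binary) are worth alerting on regardless of which process holds the socket.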