BPFDoor: Chinese tool almost undetected for FIVE years is second BPF-based attack uncovered this year

Researchers have uncovered a highly evasive Chinese surveillance tool that uses the Berkeley Packet Filter (BPF). The malware, dubbed BPFDoor, is present on “thousands” of Linux systems, and its controller has gone almost completely unnoticed by endpoint protection vendors despite having been in use for at least five years.

This is the second malware type using BPF in Linux for covert surveillance revealed this year, following Pangu Lab’s discovery of an apparent NSA backdoor, which they named Bvp47 in Feb 2022. Security researcher Kevin Beaumont suggested at the time that BPF (or extended BPF, eBPF) was being used by other threat actors.

Beaumont, who previously worked at Microsoft, warned then of the security implications of bringing eBPF to other platforms beyond Linux, including Windows. “I really, really hope Microsoft have threat modelled what will happen to security when they bake eBPF into the base OS,” he said on Twitter. (Microsoft in March 2021 announced a new open source project to make eBPF work on Windows 10 and Windows Server 2016 and later.)