
Quick and Simple: BPFDoor Explained

BPFDoor isn’t new to the cyberattack game; in fact, it went undetected for years before PwC researchers discovered the malware in 2021. Since then, the cybersecurity community has been learning more about how stealthy the malware is, how it works, and how it can be prevented.

What’s BPFDoor?

BPFDoor is a piece of malware associated with the China-based threat actor Red Menshen and has hit mostly Linux operating systems. It is not caught by firewalls and goes unnoticed by most detection systems; so unnoticed, in fact, that it has been a work in progress over the last five years, passing through several phases of development and growing complexity.

How Does It Work?

BPF stands for Berkeley Packet Filter, which is appropriate given that the malware abuses packet filters. BPFDoor uses BPF “sniffers” to see all network traffic and find vulnerabilities. Packet filters are small programs that inspect network “packets” (chunks of data together with their metadata) and allow or drop them based on source and destination IP addresses, protocols, or ports. To put it simply, packet filters act as a firewall of sorts, keeping malicious traffic from reaching the operating system.

When BPFDoor is in action, it sits in front of the firewall to receive packets, then modifies the local firewall rules or scripts to let a threat actor into the operating system. It can function without opening any listening port and can receive commands from any IP address on the internet. And since IP addresses are what the filters analyze to allow or decline packets, BPFDoor can essentially allow any packet to be sent or received. #nofilter

Why Is It Dangerous?

As stated previously, this malware is extremely dangerous because of its stealthy, hidden nature. Once BPFDoor is activated, remote code can be sent through the unfiltered, unblocked passageway. Malicious traffic blends into legitimate traffic, making it difficult for firewalls and security solutions to detect. BPFDoor also renames its process after infecting a system as an evasion technique.

Systems have been compromised across the US, South Korea, Hong Kong, Turkey, India, Vietnam, and Myanmar, and targets have included telecommunications, government, education, and logistics organizations.

What Can We Do About It?

In order for BPFDoor to launch, the threat actor first needs to upload the malicious binary to a server. The best lines of defense are keeping virus and malware signatures up to date to catch any potential indicators, and creating detection rules within your environment to help spot the seemingly undetectable.
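The two behaviours described above (a BPF sniffer reading traffic in front of the firewall, and a process that renames itself) both leave traces in /proc that a detection rule can look for. The script below is an added example written for this article; it is not code from the article, from PwC, or from any vendor. It assumes a Linux host, parses the layout of /proc/net/packet (a constructed sample is embedded so the parser runs offline), lists the processes holding raw AF_PACKET sockets bound to every protocol, and flags any whose /proc/<pid>/comm name disagrees with the executable behind /proc/<pid>/exe. The live scan needs root to read other processes' fd tables.

```python
"""Defender-side triage for BPFDoor-style behaviour on Linux.

Added example (not the article's code). Two checks:
  1. list processes holding raw AF_PACKET sockets, the socket type a BPF
     "sniffer" needs to see traffic before the host firewall filters it;
  2. flag any such process whose visible name does not match the
     executable it runs, since the malware renames itself.
Parsing is kept separate from /proc access so it can run on the
constructed sample below; the /proc scan runs only on a real Linux host.
"""
from __future__ import annotations

import os
from dataclasses import dataclass

SOCK_RAW = 3        # "Type" column value for raw packet sockets
ETH_P_ALL = 0x0003  # "Proto" column value: the socket sees every protocol

# Constructed sample in the layout of /proc/net/packet (not captured data).
SAMPLE_PROC_NET_PACKET = """\
sk               RefCnt Type Proto  Iface R Rmem   User   Inode
ffff9d1e7a3c0000 3      3    0003   2     1 0      0      41250
ffff9d1e7a3c0800 2      2    0800   0     1 0      0      41377
"""


@dataclass
class PacketSocket:
    inode: int
    sock_type: int
    proto: int
    iface: int


def parse_proc_net_packet(text: str) -> list[PacketSocket]:
    """Parse /proc/net/packet text: one header line, then one row per socket."""
    sockets = []
    for line in text.strip().splitlines()[1:]:
        fields = line.split()
        if len(fields) < 9:
            continue
        sockets.append(PacketSocket(inode=int(fields[8]), sock_type=int(fields[2]),
                                    proto=int(fields[3], 16), iface=int(fields[4])))
    return sockets


def suspicious_sockets(sockets: list[PacketSocket]) -> list[PacketSocket]:
    """Raw sockets bound to all protocols: the shape a sniffer-style backdoor uses."""
    return [s for s in sockets if s.sock_type == SOCK_RAW and s.proto == ETH_P_ALL]


def name_mismatch(comm: str, exe_link: str) -> bool:
    """True when /proc/<pid>/comm disagrees with the binary behind /proc/<pid>/exe.

    The kernel truncates comm to 15 characters, so compare against the
    truncated basename. A deleted executable is flagged as well.
    """
    if exe_link.endswith(" (deleted)"):
        return True
    return os.path.basename(exe_link)[:15] != comm


def socket_owners(inodes: set[int], proc: str = "/proc") -> dict[int, list[int]]:
    """Map socket inodes to the PIDs whose fd tables reference them."""
    wanted = {f"socket:[{i}]": i for i in inodes}
    owners: dict[int, list[int]] = {}
    for pid in os.listdir(proc):
        if not pid.isdigit():
            continue
        fd_dir = os.path.join(proc, pid, "fd")
        try:
            fds = os.listdir(fd_dir)
        except OSError:  # process exited, or not running as root
            continue
        for fd in fds:
            try:
                target = os.readlink(os.path.join(fd_dir, fd))
            except OSError:
                continue
            if target in wanted:
                owners.setdefault(wanted[target], []).append(int(pid))
    return owners


def triage(proc: str = "/proc") -> list[str]:
    """Run both checks against a live host and return readable findings."""
    with open(os.path.join(proc, "net", "packet")) as fh:
        sockets = parse_proc_net_packet(fh.read())
    flagged = suspicious_sockets(sockets)
    owners = socket_owners({s.inode for s in flagged}, proc)
    findings = []
    for sock in flagged:
        for pid in owners.get(sock.inode, []):
            base = os.path.join(proc, str(pid))
            try:
                with open(os.path.join(base, "comm")) as fh:
                    comm = fh.read().strip()
                exe = os.readlink(os.path.join(base, "exe"))
            except OSError:
                continue
            note = " [name/exe mismatch]" if name_mismatch(comm, exe) else ""
            findings.append(f"pid {pid} ({comm}) holds raw packet socket inode "
                            f"{sock.inode} on ifindex {sock.iface}{note}")
    return findings


if __name__ == "__main__":
    print("\n".join(triage()) or "no raw AF_PACKET sockets bound to all protocols")
```

Run it as root on the host you are checking; `ss -0 -p` shows the same packet sockets with their owning process and is a quick way to cross-check the output. Treat a hit as a triage signal rather than a verdict: packet-capture tools, DHCP clients and link-layer discovery daemons legitimately hold AF_PACKET sockets, and some services set their own process name, so the name/exe comparison is there to prioritise what to look at first.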
