
BPFdoor: Stealthy Linux malware bypasses firewalls for remote access
2022-05-12 17:07

A recently discovered backdoor malware called BPFdoor has been stealthily targeting Linux and Solaris systems without being noticed for more than five years.

BPFdoor is a Linux/Unix backdoor that allows threat actors to remotely connect to a Linux shell to gain complete access to a compromised device.

BPFdoor parses only ICMP, UDP, and TCP packets, checking each for a specific "magic" data value and, for UDP and TCP packets, also for a password.

What makes BPFdoor stand out is that it can monitor any port for the magic packet, even if those ports are used by other legitimate services, such as webservers, FTP, or SSH. If the TCP and UDP packets carry the right "magic" data and a correct password, the backdoor springs into action and executes a supported command, such as setting up a bind or reverse shell.
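As a defender-side check added here (not code from the article or the researchers it cites), the script below lists which processes hold an AF_PACKET socket that receives every protocol, the kind of socket a sniffer needs to watch all ports at once. It assumes, since the summary above does not spell it out, that BPFdoor's port-agnostic monitoring relies on such a socket, which Linux exposes in /proc/net/packet; the sample /proc/net/packet content is constructed.

```python
"""Find processes holding AF_PACKET sockets, the socket type a port-agnostic
packet sniffer on Linux needs (added example; assumption, see lead-in)."""
import os
import re

# Constructed sample in the layout of /proc/net/packet; not taken from the article.
# Type 3 = SOCK_RAW, Proto 0003 = ETH_P_ALL (every frame on the interface is delivered).
SAMPLE_PROC_NET_PACKET = """\
sk               RefCnt Type Proto  Iface R Rmem   User   Inode
ffff9a1c4e2b0000 3      3    0003   2     1 0        0      41273
ffff9a1c4e2b0800 3      2    0003   2     1 0        0      41290
"""
ETH_P_ALL = 0x0003

def parse_packet_sockets(text):
    """Return [(sock_type, proto, iface, inode)] for each socket row."""
    sockets = []
    for line in text.splitlines()[1:]:  # first row is the column header
        f = line.split()
        if len(f) >= 9:
            sockets.append((int(f[2]), int(f[3], 16), int(f[4]), int(f[8])))
    return sockets

def sniffing_inodes(sockets):
    """Inodes of sockets bound to ETH_P_ALL, i.e. seeing every packet regardless of port."""
    return {inode for _type, proto, _iface, inode in sockets if proto == ETH_P_ALL}

def socket_owners(inodes, proc_root="/proc"):
    """Map socket inode -> (pid, comm) by resolving /proc/<pid>/fd/* symlinks."""
    owners = {}
    for pid in filter(str.isdigit, os.listdir(proc_root)):
        fd_dir = os.path.join(proc_root, pid, "fd")
        try:
            for fd in os.listdir(fd_dir):
                m = re.fullmatch(r"socket:\[(\d+)\]", os.readlink(os.path.join(fd_dir, fd)))
                if m and int(m.group(1)) in inodes:
                    with open(os.path.join(proc_root, pid, "comm")) as comm:
                        owners[int(m.group(1))] = (int(pid), comm.read().strip())
        except OSError:
            continue  # process exited, or /proc/<pid>/fd not readable without root
    return owners

if __name__ == "__main__":  # live run on a Linux host; root is needed to see other users' fds
    with open("/proc/net/packet") as f:
        live = parse_packet_sockets(f.read())
    for inode, (pid, comm) in socket_owners(sniffing_inodes(live)).items():
        print(f"pid {pid} ({comm}) holds an ETH_P_ALL packet socket, inode {inode}")
```

Legitimate tools (tcpdump, some DHCP clients, monitoring agents) also open such sockets, so a hit is a lead to triage against the process path and command line, not a verdict.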

Tristan Pourcelot says that while BPFdoor does not use novel or complicated techniques, it still managed to stay stealthy for an extended period.

The researchers BleepingComputer talked to about BPFdoor did not attribute the malware to any threat actor.


News URL

https://www.bleepingcomputer.com/news/security/bpfdoor-stealthy-linux-malware-bypasses-firewalls-for-remote-access/

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Linux 11 64 2532 1569 67 4232