[conspire] (forw) Re: [SB] Linux BPF-usingI malware

Rick Moen rick at linuxmafia.com
Fri May 13 11:30:31 PDT 2022


----- Forwarded message from Brian C via Sb <sb at mailman.lug.org.uk> -----

Date: Fri, 13 May 2022 23:44:18 +1200
From: Brian C via Sb <sb at mailman.lug.org.uk>
To: Birmingham Linux User Group <sb at mailman.lug.org.uk>
Cc: Brian C <sblug at iopen.co.nz>
Subject: [SB] Linux BPF-usingI malware

Evening all, (Yup, Friday evening here.)

It's currently getting a lot of attention and those of you who run
Internet-exposed Linux machines, but haven't yet heard, might be
interested :

> https://www.bleepingcomputer.com/news/security/bpfdoor-stealthy-linux-malware-bypasses-firewalls-for-remote-access/

Yes, iptables can't block traffic to it.

The major risk is from unprivileged users being able to do BPF-related
things.  Recent kernels have a flag to address that :
> /proc/sys/kernel/unprivileged_bpf_disabled

Recent kernels have it disabled by default.  In AL8 it's set to 1, and
in Fedora 35 it's 2.

It appears that a simple way to detect the malware is the presence of
one or more 'extra' iptables redirect rules.

I doubt that we're vulnerable, but I'm considering writing a script to
compare the set of iptables rules found with the set of rules in the
firewall setup script.  Run quite often by cron, and generating an alert
email if they differ.

Related: On (at least) servers I always disable firewalld, so that
iptables -nvL {-t nat}  shows the complete story.

--Brian




-- 
Birmingham LUG mailing list
Post to Sb at mailman.lug.org.uk
List info and unsubscribe https://mailman.lug.org.uk/mailman/listinfo/sb
Website http://sb.lug.org.uk/

----- End forwarded message -----
----- Forwarded message from Rick Moen via Sb <sb at mailman.lug.org.uk> -----

Date: Fri, 13 May 2022 11:27:35 -0700
From: Rick Moen via Sb <sb at mailman.lug.org.uk>
To: sb at mailman.lug.org.uk
Cc: Rick Moen <rick at linuxmafia.com>
Subject: Re: [SB] Linux BPF-usingI malware
Organization: If you lived here, you'd be $HOME already.

Quoting Brian C via Sb (sb at mailman.lug.org.uk):

> Evening all, (Yup, Friday evening here.)
> 
> It's currently getting a lot of attention and those of you who run
> Internet-exposed Linux machines, but haven't yet heard, might be
> interested :
> 
> > https://www.bleepingcomputer.com/news/security/bpfdoor-stealthy-linux-malware-bypasses-firewalls-for-remote-access/
> 
> Yes, iptables can't block traffic to it.

I used to be surprised at the failure of almost all articles about
"malware" to address -- at all, let alone prominently -- the only 
actually interesting question:  How does the code get executed, and
(if applicable) how does it escalate privilege?

My surprise at this omission has faded over the decades.  (Hypotheses to
explain the silence on that topic include journalists cribbing from 
antimalware/security company press releases:  The latter actively 
prefer that customers not understand security, and simply buy their
products such as "virus scanning" software and related services.)  But,
after all these decades, I'm still disappointed.

Ionut Ilascu / bleepingcomputer.com's article is a case in point:
It simply takes as given that a host has been security-compromised and 
wishes to communicate outwards.  The entire article is about challenges
in preventing a security-compromised host running one specific variety
of unauthorised code ("BPFdoor") from communicating outwards to remote
threat actors (or inwards from them).

Since the 1980s when I was a pimply-faced youth in what we now call IT, 
I've entertained the proposition that the best way to not have to deal
with "malware" is to not run it, full stop.

Let's get to basics:  What is "BPFdoor"?

Survey the "lot of attention" Brian refers to, and you'll learn roughly
nothing.  Metaphorically (and, I might admit, just a little
sarcastically), I would call the process of reading the press coverage a
subtractive process:  At the end, you know a bit _less_ than you did at
the beginning, because you have been misled.  Headlines:

o  BPFdoor Malware Targets Linux Systems Unnoticed for Five Years
o  BPFDoor Malware Detection: Evasive Surveillance Tool Used to Spy on
   Linux Devices
o  BPFdoor: a New Malware Identified on the Cyber-Threat Scene
o  STEALTHY LINUX IMPLANT BPFDOOR COMPROMISED ORGANIZATIONS GLOBALLY FOR
   YEARS

(Ow, my eyes.)

So, it "targets Linux systems" and "spies on Linux devices".  It
"compromised organisations" and is a "cyber-threat"?

To quote the immortal Douglas Adams, that is a foetid load of dingoes'
kidneys.

BPFdoor is just yet another rootkit, that maintains backdoor access 
for the benefit of the remote criminals.  A "rootkit" is a set of 
tools for criminal invaders to hide their presence by making their files
and processes difficult to find.

A rootkit, by definition, is not an attack tool.  It is a _post-attack_
tool used by invaders after they effect system compromise by other means
entirely.

This one is "stealthy".  *Yawn*

Learn security basics.  Good backups, good, attentive, alert system
administration.  A HIDS (host-based intrusion detection system) might 
be a wise precaution, and maybe a NIDS (network-based intrusion
detection system).

A long time ago, the guy I shave got paid to write
http://web.archive.org/web/20080427075329/http://security.itworld.com/4352/LWD000829hacking/pfindex.html
.  However, I must warn you that the author is Norwegian, and my Tante
Bjorg warned me not to trust _them_.  Lykke til med datasikkerhet.

-- 
Cheers,                        My pid is Inigo Montoya.  You kill -9    
Rick Moen                      my parent process.  Prepare to vi.
rick at linuxmafia.com
McQ!  (4x80)


----- End forwarded message -----
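The cron check Brian sketches in the first forwarded message (compare the iptables rules actually loaded with the set the firewall setup script installs, treat REDIRECT rules that the script never added as a signal, and look at unprivileged_bpf_disabled), written out as an added example. This is not code from the thread or from either poster. It assumes the baseline is an `iptables-save` capture taken right after the setup script has run, it takes every input as a file path so the functions can be tried on the constructed sample data at the bottom without root, and the REDIRECT port 42391 in that sample is an arbitrary made-up value, not an indicator of anything.

```shell
#!/bin/sh
# Added example, not code from the thread. Compares the host's iptables rules
# with the set the firewall setup script installs, flags REDIRECT rules absent
# from that baseline, and reports kernel.unprivileged_bpf_disabled. Inputs are
# file paths so the functions can be run on constructed sample data without root.

# Canonicalise an iptables-save listing: drop comments, strip the
# "[pkts:bytes]" counters that `iptables-save -c` puts in front of rules and
# after chain lines, and sort so that rule order alone cannot raise an alert.
normalize_rules() {
    grep -v '^#' "$1" \
      | sed -e 's/^\[[0-9]*:[0-9]*\] *//' -e 's/ \[[0-9]*:[0-9]*\]$//' \
      | sort
}

# comm(1) over the normalised sets: -13 = only on host, -23 = only in baseline.
# Sorting merges the tables, so a rule moved between tables is not noticed.
_normalized_diff() {
    flag="$1"; tmp=$(mktemp -d)
    normalize_rules "$2" > "$tmp/base"
    normalize_rules "$3" > "$tmp/live"
    comm "$flag" "$tmp/base" "$tmp/live"
    rm -rf "$tmp"
}
extra_rules()   { _normalized_diff -13 "$1" "$2"; }
missing_rules() { _normalized_diff -23 "$1" "$2"; }

# Return 0 when the live rule set matches the baseline, 1 otherwise.
compare_rules() {
    extra=$(extra_rules "$1" "$2"); missing=$(missing_rules "$1" "$2")
    [ -n "$extra" ]   && printf 'UNEXPECTED RULES:\n%s\n' "$extra"
    [ -n "$missing" ] && printf 'MISSING RULES:\n%s\n' "$missing"
    [ -z "$extra" ] && [ -z "$missing" ]
}

# Brian's heuristic: REDIRECT rules that the setup script never installed.
unexpected_redirects() {
    extra_rules "$1" "$2" | grep -- '-j REDIRECT' || true
}

# 0 = unprivileged BPF allowed (return 1); 1 or 2 = disabled (return 0):
# 2 can be set back to 0 at runtime, 1 stays in force until reboot.
unprivileged_bpf_status() {
    path="${1:-/proc/sys/kernel/unprivileged_bpf_disabled}"
    [ -r "$path" ] || { echo "$path not present (kernel too old?)"; return 2; }
    val=$(cat "$path")
    case "$val" in
        0) echo "unprivileged_bpf_disabled=0: unprivileged BPF ALLOWED"; return 1 ;;
        1) echo "unprivileged_bpf_disabled=1: disabled until reboot"; return 0 ;;
        2) echo "unprivileged_bpf_disabled=2: disabled, revertible"; return 0 ;;
        *) echo "unprivileged_bpf_disabled: unexpected value '$val'"; return 2 ;;
    esac
}

# Cron-friendly entry point: non-zero exit when anything needs a look.
audit() {
    status=0
    compare_rules "$1" "$2" || status=1
    redirects=$(unexpected_redirects "$1" "$2")
    [ -n "$redirects" ] && { printf 'UNEXPECTED REDIRECTS:\n%s\n' "$redirects"; status=1; }
    unprivileged_bpf_status "$3" || status=1
    return $status
}

# ---- constructed sample data standing in for the real files ----
SAMPLE_DIR=$(mktemp -d)
# Baseline: `iptables-save` taken right after the firewall setup script ran.
cat > "$SAMPLE_DIR/baseline.rules" <<'EOF'
*filter
:INPUT DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
COMMIT
EOF
# Live: `iptables-save -c` from a host with one added nat REDIRECT rule
# (port 42391 is an arbitrary constructed value, not a known indicator).
cat > "$SAMPLE_DIR/live.rules" <<'EOF'
# Generated by iptables-save v1.8.7
*filter
:INPUT DROP [812:64090]
:OUTPUT ACCEPT [5501:880120]
[0:0] -A INPUT -i lo -j ACCEPT
[770:61200] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[42:2890] -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [300:18000]
[12:720] -A PREROUTING -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 42391
COMMIT
EOF
echo 1 > "$SAMPLE_DIR/bpf_disabled_1"   # hardened kernel
echo 0 > "$SAMPLE_DIR/bpf_allowed_0"    # older default

audit "$SAMPLE_DIR/baseline.rules" "$SAMPLE_DIR/live.rules" "$SAMPLE_DIR/bpf_disabled_1" \
  && echo "OK: firewall matches baseline" \
  || echo "ALERT: deviations found (a cron job would mail this output)"
```

In a cron job the live file would come from `iptables-save -c` (the nat table is included, which is why Brian wants firewalld out of the way so that one listing is the whole story), and the job would mail the output whenever audit exits non-zero.  Two caveats: the baseline must be regenerated every time the setup script changes, or every run alerts; and, as Rick points out, a rootkit's job is to hide its presence, so a listing taken with the compromised host's own tools may itself be lying, which is where a HIDS with off-host checksums or a known-good rescue medium comes in.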