Researchers have uncovered a highly-evasive Chinese surveillance tool using the Berkeley Packet Filter (BPF). The malware, dubbed BPFDoor, is present on “thousands” of Linux systems, its controller has gone almost completely unnoticed by endpoint protection vendors despite it being in use for at least five years.
This is the second malware type using BPF in Linux for covert surveillance revealed this year, following Pangu Lab’s discovery of an apparent NSA backdoor, which they named Bvp47 in Feb 2022. Security researcher Kevin Beaumont suggested at the time that BPF (or extended BPF, eBPF) was being used by other threat actors.
Beaumont, who previously worked at Microsoft, warned then of the security implications of bring eBPF to other platforms beyond Linux, including Windows. “I really, really hope Microsoft have threat modelled what will happen to security when they bake eBPF into the base OS,” he said on Twitter. (Microsoft in March 2021 announced a new open source project to make eBPF work on Windows 10 and Windows Server 2016 and later.)