
#1 2022-07-01 21:49:23

xerxes_
Member
Registered: 2018-04-29
Posts: 843

[SOLVED] Linux infection by eBPF?

More and more malware for Linux is being produced; especially dangerous may be stealth malware, which can stay undetected for a long time. Recently there has been some using eBPF and other techniques to hide itself. Examples:
https://blogs.blackberry.com/en/2022/06 … nux-threat
https://www.bleepingcomputer.com/news/s … x-systems/
https://www.bleepingcomputer.com/news/s … te-access/
https://www.bleepingcomputer.com/news/s … -backdoor/

These articles are just examples. I couldn't find any information on how the systems were infected, and this is my question:
Could a Linux system be infected just through exploitation of eBPF and some "magic" network packets? Or could those infections only happen through exploitation of vulnerable services on servers, emails with malicious links, attachments, etc., which are the obvious attack vectors? What do you think?

Last edited by xerxes_ (2022-07-03 12:33:28)


#2 2022-07-02 06:38:40

seth
Member
Registered: 2012-09-03
Posts: 60,805

Re: [SOLVED] Linux infection by eBPF?

The rootkit in the last article listens for magic packets to get into action - it's not installed by sending random packets at your system.

Connected systems are (esp. historically) vulnerable through network stack bugs, see eg. https://en.wikipedia.org/wiki/Ping_of_death but while I'm not saying it's theoretically impossible to exploit kernel bugs to remote-execute-write an elaborate rootkit into your system, that's **highly** unlikely and not what those articles talk about.
The rootkit gets there by traditional means (probably docker/snap/flatpak…) and BPF is used to hook into the system to shadow itself and manipulate the traffic for evil purposes.

Also those processes will require execution privileges (incl. obviously by being executed as root)
https://man.archlinux.org/man/core/man- … ities.7.en
https://man.archlinux.org/man/bpf.2.en#NOTES
and eg. https://stackoverflow.com/questions/713 … st-cap-bpf

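To make the privilege point concrete from the defender's side: bpf(2) ties program loading to CAP_SYS_ADMIN on older kernels and to CAP_BPF (plus CAP_PERFMON / CAP_NET_ADMIN for tracing and networking program types) since Linux 5.8, and the kernel.unprivileged_bpf_disabled sysctl controls the small unprivileged subset. The following script is an added example, not code from the thread or from any of the linked articles; it parses the `CapEff:` line of `/proc/<pid>/status` to list which processes on a host actually hold the capabilities needed to load BPF programs. The capability bit numbers are those from linux/capability.h; the sample status texts are constructed for the demonstration.

```python
"""Which processes could load BPF programs? Parses effective capability
masks from /proc/<pid>/status and the unprivileged_bpf_disabled sysctl.
Added example; the sample /proc texts below are constructed, not captured."""
import os
import re

# Capability bit numbers from linux/capability.h
CAP_NET_ADMIN = 12
CAP_SYS_ADMIN = 21
CAP_PERFMON = 38
CAP_BPF = 39

BPF_RELEVANT = {
    "CAP_NET_ADMIN": CAP_NET_ADMIN,
    "CAP_SYS_ADMIN": CAP_SYS_ADMIN,
    "CAP_PERFMON": CAP_PERFMON,
    "CAP_BPF": CAP_BPF,
}


def parse_cap_eff(status_text):
    """Return the CapEff bitmask from a /proc/<pid>/status text, or None if absent."""
    m = re.search(r"^CapEff:\s*([0-9a-fA-F]+)\s*$", status_text, re.M)
    return int(m.group(1), 16) if m else None


def bpf_capabilities(cap_eff):
    """Names of the BPF-relevant capabilities set in an effective-capability mask."""
    return sorted(name for name, bit in BPF_RELEVANT.items() if (cap_eff >> bit) & 1)


def can_load_bpf(cap_eff):
    """True if the mask allows loading BPF programs beyond the unprivileged subset:
    CAP_SYS_ADMIN (any kernel) or CAP_BPF (Linux >= 5.8)."""
    caps = bpf_capabilities(cap_eff)
    return "CAP_SYS_ADMIN" in caps or "CAP_BPF" in caps


def unprivileged_bpf_disabled(sysctl_value):
    """Interpret kernel.unprivileged_bpf_disabled: 0 = allowed, 1 or 2 = disabled."""
    return int(sysctl_value.strip()) != 0


def scan_proc(proc_root="/proc"):
    """Walk a live /proc and return {pid: [caps]} for processes that can load BPF."""
    found = {}
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        try:
            with open(os.path.join(proc_root, entry, "status")) as f:
                text = f.read()
        except OSError:  # process exited or not readable
            continue
        mask = parse_cap_eff(text)
        if mask is not None and can_load_bpf(mask):
            found[int(entry)] = bpf_capabilities(mask)
    return found


# Constructed samples: a root shell with a full cap set, a service confined to
# CAP_NET_ADMIN only, and an ordinary unprivileged user process.
SAMPLE_STATUS = {
    "root-shell": "Name:\tbash\nPid:\t1234\nCapEff:\t000001ffffffffff\n",
    "confined-svc": "Name:\tmyd\nPid:\t2345\nCapEff:\t0000000000001000\n",
    "user-proc": "Name:\tfirefox\nPid:\t3456\nCapEff:\t0000000000000000\n",
}

if __name__ == "__main__":
    for name, text in SAMPLE_STATUS.items():
        mask = parse_cap_eff(text)
        print(f"{name}: caps={bpf_capabilities(mask)} can_load_bpf={can_load_bpf(mask)}")
    try:
        with open("/proc/sys/kernel/unprivileged_bpf_disabled") as f:
            print("unprivileged bpf disabled:", unprivileged_bpf_disabled(f.read()))
    except OSError:
        pass
    if os.path.isdir("/proc"):
        for pid, caps in sorted(scan_proc().items()):
            print(f"pid {pid}: {caps}")
```

On a typical desktop the live scan lists root-owned daemons and anything started with ambient capabilities; a process in that list that you cannot account for is worth a closer look, while anything outside it cannot have loaded a BPF rootkit by itself.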

#3 2022-07-03 12:33:00

xerxes_
Member
Registered: 2018-04-29
Posts: 843

Re: [SOLVED] Linux infection by eBPF?

Thanks for your valuable opinion.

