
BPFDoor isn’t new to the cyberattack game; in fact, it went undetected for years before PwC researchers discovered the malware in 2021. Since then, the cybersecurity community has been learning more about the malware’s stealthy nature, how it works, and how it can be prevented.

What’s BPFDoor?

BPFDoor is a piece of malware associated with the China-based threat actor Red Menshen, and it has mostly targeted Linux operating systems. It is not detected by firewalls and goes unnoticed by most detection systems, so much so that it has been a work in progress over the last five years, passing through various phases of development and complexity.

How Does It Work?

BPF stands for Berkeley Packet Filter, which is appropriate given that the malware exploits packet filters. BPFDoor uses BPF “sniffers” to see all network traffic and find vulnerabilities. Packet filters are programs that analyse “packets” (files, metadata, network traffic) and allow or deny them passage based on the source and destination IP addresses, protocols, or ports. To put it simply, packet filters act as a firewall of sorts to prevent malware from reaching the operating system.
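A sniffer of the kind described above needs a raw AF_PACKET socket, and Linux lists every such socket in /proc/net/packet. The following added example (not code from the original article) parses that table over a constructed sample, maps socket inodes back to the processes holding them via /proc/&lt;pid&gt;/fd, and flags sockets bound to ETH_P_ALL, which see every frame on the interface. The column layout of /proc/net/packet is the standard Linux one; the function names and the sample rows are the example’s own assumptions.

```python
import os
import re
from typing import Dict, List

# Constructed sample of /proc/net/packet (standard Linux column layout).
# Type 3 = SOCK_RAW; Proto is the EtherType in hex, 0003 = ETH_P_ALL (every frame).
SAMPLE_PROC_NET_PACKET = """\
sk               RefCnt Type Proto  Iface R Rmem   User   Inode
0000000000000000 3      3    0003   0     1 0      0      12345
0000000000000000 3      2    0800   2     1 0      1000   67890
"""

def parse_proc_net_packet(text: str) -> List[dict]:
    """Parse /proc/net/packet text into one dict per AF_PACKET socket."""
    rows = []
    for line in text.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 9:
            continue
        rows.append({"type": int(fields[2]), "proto": int(fields[3], 16),
                     "uid": int(fields[7]), "inode": int(fields[8])})
    return rows

def socket_inode_owners(proc_root: str = "/proc") -> Dict[int, List[int]]:
    """Map socket inode -> PIDs whose /proc/<pid>/fd links point at it (needs root)."""
    owners: Dict[int, List[int]] = {}
    for pid in os.listdir(proc_root):
        if not pid.isdigit():
            continue
        fd_dir = os.path.join(proc_root, pid, "fd")
        try:
            fds = os.listdir(fd_dir)
        except OSError:  # process exited or not permitted
            continue
        for fd in fds:
            try:
                target = os.readlink(os.path.join(fd_dir, fd))
            except OSError:
                continue
            m = re.fullmatch(r"socket:\[(\d+)\]", target)
            if m:
                owners.setdefault(int(m.group(1)), []).append(int(pid))
    return owners

def find_all_traffic_sniffers(packet_text: str, owners: Dict[int, List[int]]) -> list:
    """Return (inode, uid, pids) for sockets bound to ETH_P_ALL, i.e. seeing all traffic."""
    return [(r["inode"], r["uid"], owners.get(r["inode"], []))
            for r in parse_proc_net_packet(packet_text) if r["proto"] == 0x0003]
```

On a live host, run as root and pass `open("/proc/net/packet").read()` together with `socket_inode_owners()`; legitimate tools such as DHCP clients, LLDP daemons and tcpdump also hold these sockets, so each hit is a lead to examine, not a verdict.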
