Blog | G5 Cyber Security

BPFDoor: Detection & Removal

TL;DR

BPFDoor is a stealthy rootkit that hijacks kernel functions using eBPF programs. This guide explains how to identify potential infection points and remove the malicious code. It focuses on practical steps for system administrators and security professionals.

1. Understanding BPFDoor

BPFDoor operates by replacing legitimate kernel function calls with its own, allowing it to intercept and manipulate system activity at a very low level. It’s difficult to detect using traditional methods because the malicious code resides within the kernel itself.

2. Identifying Potential Infection Points

  1. Check for Unusual eBPF Programs: Use tools like bpftool to list all loaded eBPF programs.
    sudo bpftool prog list

    Look for programs with unknown or suspicious names, especially those not associated with known system utilities.

  2. Examine Kernel Modules: BPFDoor often loads a kernel module to manage its eBPF programs. List loaded modules:
    lsmod

    Investigate any unfamiliar modules using modinfo <module_name>. Pay attention to the description and author fields.

  3. Review System Logs: Search for events related to eBPF loading or kernel module activity in system logs (e.g., /var/log/syslog, /var/log/kern.log). Look for errors or warnings that might indicate malicious behavior.
  4. Network Traffic Analysis: BPFDoor may establish covert communication channels. Monitor network traffic for unusual connections or patterns using tools like Wireshark or tcpdump.
  5. File Integrity Monitoring (FIM): Implement FIM to detect changes to critical system files and kernel modules. Tools like AIDE or Tripwire can help identify unauthorized modifications.
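As an added example (not code from the original post), here is a small Python helper that automates the first two checks: it parses the JSON that bpftool prog show -j emits and flags hook-capable programs that are either held by no process or held by a process not on an allowlist of expected loaders, and it diffs lsmod output against a module baseline taken from a known-clean host. The program names, process names and module names in the sample data are constructed, and the pids field assumes a bpftool build recent enough to report holding processes.

```python
import json

# Program types that can hook kernel code paths (kprobes, tracepoints, ...).
HOOK_TYPES = {"kprobe", "tracepoint", "raw_tracepoint", "tracing", "lsm"}


def suspicious_progs(bpftool_json, known_loaders):
    """Parse `bpftool prog show -j` output and return hook-type programs that
    either no process holds (pinned/orphaned) or are held by a process whose
    name is not on the allowlist of expected loaders."""
    flagged = []
    for prog in json.loads(bpftool_json):
        if prog.get("type") not in HOOK_TYPES:
            continue
        holders = {p["comm"] for p in prog.get("pids", [])}
        if not holders or not holders <= known_loaders:
            flagged.append({"id": prog["id"], "type": prog["type"],
                            "name": prog.get("name", "<anonymous>"),
                            "holders": sorted(holders)})
    return flagged


def unknown_modules(lsmod_output, baseline):
    """Return module names in `lsmod` output that are absent from a baseline
    captured on a known-clean host (the first lsmod line is the header)."""
    names = {line.split()[0] for line in lsmod_output.splitlines()[1:] if line.strip()}
    return sorted(names - baseline)


# Constructed sample data for the example (not captured from a real host).
SAMPLE_BPFTOOL_JSON = json.dumps([
    {"id": 3, "type": "cgroup_skb", "pids": [{"pid": 1, "comm": "systemd"}]},
    {"id": 41, "type": "kprobe", "name": "trace_open",
     "pids": [{"pid": 900, "comm": "bpftrace"}]},
    {"id": 57, "type": "kprobe", "name": "hook_fn",
     "pids": [{"pid": 4242, "comm": "unknownd"}]},
    {"id": 60, "type": "tracepoint", "name": "tp_exec", "pids": []},
])
SAMPLE_LSMOD = ("Module                  Size  Used by\n"
                "xt_conntrack           16384  2\n"
                "demo_hook              20480  0\n")
KNOWN_LOADERS = {"systemd", "bpftrace"}      # processes expected to hold hook programs
BASELINE_MODULES = {"xt_conntrack"}          # modules present on the clean baseline

if __name__ == "__main__":
    for p in suspicious_progs(SAMPLE_BPFTOOL_JSON, KNOWN_LOADERS):
        print("suspicious eBPF program:", p)
    for m in unknown_modules(SAMPLE_LSMOD, BASELINE_MODULES):
        print("module not in baseline:", m)
```

On a live host, replace the sample strings with the output of sudo bpftool prog show -j and lsmod, and build the allowlist and baseline from a host you trust rather than from the machine under investigation.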

3. Removing BPFDoor

Removing BPFDoor requires careful steps to avoid damaging the system. The following assumes you’ve identified the malicious eBPF program and kernel module.

  1. Unload the Kernel Module: Use rmmod to unload the malicious kernel module.
    sudo rmmod <module_name>

    If this fails, you may need to reboot into a recovery environment or use a live CD/USB.

  2. Detach the eBPF Program: Use bpftool prog detach to remove the malicious eBPF program from its attachment point (e.g., kprobes, tracepoints).
    sudo bpftool prog detach id <program_id> <attach_type>

    You’ll need the program ID, which bpftool prog list reports, and the attach type bpftool expects as its second argument. Programs attached through a bpf_link (the usual case for kprobes and tracepoints) are listed by bpftool link list and removed with bpftool link detach id <link_id>.

  3. Delete the eBPF Program File: Locate and delete the file containing the malicious eBPF program. The location will vary depending on how BPFDoor was installed.
    sudo rm /path/to/malicious_program.o
  4. Verify Removal: Repeat steps 2 and 3 to ensure that the malicious module and eBPF program are no longer present.
  5. Rootkit Scan: Run a rootkit scanner (e.g., rkhunter, chkrootkit) to detect any remaining traces of the infection.
    sudo rkhunter --checkall
  6. System Restore/Re-image: If you suspect that BPFDoor has deeply compromised the system, consider restoring from a known good backup or re-imaging the machine. This is the most reliable way to ensure complete removal.

4. Containment & Prevention
