A report released today dives deep into technical aspects of a Linux backdoor now tracked as Bvp47 that is linked to the Equation Group, the advanced persistent threat actor tied to the U.S. National Security Agency.
Nice thing about this backdoor is that it hooks into kernel functions so that its processes, file and network connections are never reported by kernel to userland tools making it invisible for the administrator.
It’s a rootkit. A massive nightmare to diagnose and even harder to fix (or, at least to make sure that all traces of it is gone from your system). The reason for this is that it violates the OS’s “root of trust”, so now everything is untrustworthy.
Things like this is also why I think we should be moving to microkernels. Not to say that rootkits are impossible with those, but the attack surface is much smaller because the vast majority of traditional kernel things, like drivers, would be running in userland. It would also be much harder to compromise the whole system because most things are in userland, and also hard to keep the attack hidden from the IT staff.
Nice thing about this backdoor is that it hooks into kernel functions so that its processes, file and network connections are never reported by kernel to userland tools making it invisible for the administrator.
It’s a rootkit. A massive nightmare to diagnose and even harder to fix (or, at least to make sure that all traces of it is gone from your system). The reason for this is that it violates the OS’s “root of trust”, so now everything is untrustworthy.
Things like this is also why I think we should be moving to microkernels. Not to say that rootkits are impossible with those, but the attack surface is much smaller because the vast majority of traditional kernel things, like drivers, would be running in userland. It would also be much harder to compromise the whole system because most things are in userland, and also hard to keep the attack hidden from the IT staff.