Question about malware's ability to hide its network connections

[NRGLine4Sec]

Hi @gustavo-iniguez-goya

Would OpenSnitch be able to detect the network connections of this malware despite its use of eBPF to hide its network activity ?
Symbiote: A New, Nearly-Impossible-to-Detect Linux Threat

[gustavo-iniguez-goya]

If we can detect those connections I'd say yes. We rely on the kernel's Netfilter framework, so if the malware doesn't bypass Netfilter then we'd be able to detect those connections. It'd involve enabling [x] Debug invalid connections

Symbiote also has functionality to hide network activity on the infected machine. It uses three different methods to accomplish this.

The first method involves hooking fopen and fopen64. If the calling application tries to open /proc/net/tcp, (...)

That method would hide connections from showing with netstat or lsof for example, and any other application that reads those files (/proc/net/{tcp,udp,udplite,etc}). We only parse those files as last resort to find the inode of a connection.

The second method Symbiote uses to hide its network activity is by hijacking any injected packet filtering bytecode (...)
First, it hooks the libc function setsockopt. If the function is called with the option SO_ATTACH_FILTER, which is used to perform packet filtering on a socket, it prepends its own bytecode before the eBPF code provided by the calling application.

We don't use SocketFilter bpf progs, instead we hook kprobes. And we only use them to get the PID of the process that initiated the connection, no for taking decisions.

That said, I don't know if SO_ATTACH_FILTER and BPF_PROG_ATTACH (gobpf ) will follow the same path to ebpf's VM. In any case, since the malware intercepts SO_ATTACH_FILTER and gobpf uses BPF_PROG_ATTACH , maybe we wouldn't be affected on this case.

/* Socket filtering */
#define SO_ATTACH_FILTER        26
(...)

#define SO_ATTACH_BPF           50

enum bpf_prog_type {
    BPF_PROG_TYPE_UNSPEC,
    BPF_PROG_TYPE_SOCKET_FILTER,
    BPF_PROG_TYPE_KPROBE,

In the case that we were affected, we wouldn't be able to get the PID of the app that initiated the connection (then we'd try to get it via netlink, then via /proc/net/*). If everything fails, the connection would be : 1) discarded applying the default action configured or 2) we'd prompt the user to allow/deny it.

The third method Symbiote uses to hide its network traffic is to hook libpcap functions.

We don't use libpcap to inspect network traffic 🎉

[gustavo-iniguez-goya]

That said, there're othe malwares that hijack netlink connections [0], or that trojanize the iptables binary [1] [2]. That's why I didn't rely on nft to add the nftables rules.

If Intezer says that it's "nearly-impossible-to-detect" I'd surprised if we detected it :) unless the post is a clickbait.

[0]
[1] https://www.crowdstrike.com/blog/an-analysis-of-lightbasin-telecommunications-attacks/
[2] https://cujo.com/the-sysrv-botnet-and-how-it-evolved/

[NRGLine4Sec]

Thank you @gustavo-iniguez-goya for this very detailed explanation 🙂

[NRGLine4Sec]

Just to mention here a new method to exfiltrate data with TCP retransmissions technique to duplicate a packet :

The original document : TripleCross/ebpf_offensive_rootkit_tfg.pdf at master · h3xduck/TripleCross

[gustavo-iniguez-goya]

👍 another one using the same technique which is easier to use, and scariest at the same time: https://github.com/aojea/netkat

[NRGLine4Sec]

Thanks for the link @gustavo-iniguez-goya :)
I will look carefully at this tool.

[gustavo-iniguez-goya]

@NRGLine4Sec A test detonating a miner: #743

[NRGLine4Sec]

However, this malware does not seem very advanced :)

[gustavo-iniguez-goya]

yeah. Hopefully most of the attack vectors usually rely on downloading additional binaries from remote servers , like this one from just this week.