Extended Berkeley Packet Filter or eBPF, as it is more commonly known, is considered the Swiss Army knife of observability. eBPF is a Linux kernel technology that allows programs to run without having to change the kernel source code and also powers a bunch of cloud native tools like Falco, Inspektor Gadget, Hubble, and Cilium.
A few months ago Joakim Kennedy, a security researcher at Intezer, and the Blackberry Research and Intelligence team discovered a parasitic malware that affects Linux operating systems and uses eBPF to hide malicious network traffic on an infected machine. Here’s what we know so far.
What’s in a Name?
Aptly named Symbiote, this malware needs to infect other running processes to cause any damage on the infected machine. Unlike other forms of malware that typically present themselves as executable files, Symbiote is a shared object library.
Once it has infected the running processes, it provides the malicious actor with rootkit functionality, the ability to harvest credentials, and remote access capabilities to the machine.
How Does Symbiote Malware Work?
The attack technique that Symbiote uses to infect a machine is known as Dynamic Linker Hijacking. In this technique, the malware hijacks the environment variables that the dynamic linker uses to load the shared libraries. This allows for precedence during loading, since libraries specified in environment variables are loaded before system libraries with the same function name.
The malware is then able to hook the libc and libpcap functions, and alter or augment the behavior of the operating system and the applications running on it. This is done by intercepting function calls, messages or events passed between the various components. Hooking also enables it to perform various actions to conceal its presence, like hiding parasitic processes, hiding files deployed with the malware and more.
How Is eBPF Involved?
The Berkeley Packet Filter technology was originally introduced as a means to minimize unwanted network packet copies to the user space via implementation of an in-kernel packet filter within BSD Unix systems. Typically used for network analysis, eBPF provides a performance benefit compared to other mechanisms, since it avoids context switching between the user space and the Linux kernel by having the kernel perform the filtering action directly.
Symbiote leverages eBPF by hijacking the injected packet filtering bytecode. It hooks the libc function setsockopt and then prepends its own bytecode before the eBPF code provided by the application to filter out results that would reveal its activity. The bytecode analyzed as part of the research conducted suggests that it was either handwritten or obtained as a result of patching compiler-generated bytecode.
Who Does Symbiote Affect?
The earliest detection of Symbiote dates back to November and it seems to have been designed to target the financial sector in Latin America. Due to the highly evasive nature of the malware, infections cannot be detected as easily and are likely to fly under the radar.
The research by Kennedy and the Blackberry team also stated that there was insufficient evidence to determine whether the malware is being used for broad-spectrum and highly targeted attacks.
With the rise in technology use across large and valuable corporate networks, the attack vectors are only bound to increase in number. A case in point is the BPFDoor malware discovered in May by researchers at PricewaterhouseCoopers, which uses BPF to listen to incoming and outgoing traffic.
How to Remediate Symbiote
While detection may be difficult, research suggests the usage of network telemetry to spot any anomalies. As a preventive best practice, it also proposes the static linking of security tools such as antivirus software and endpoint detection and response.
Featured image by Boba Jaglicic via Unsplash.