Evolution of Stealth Packet Filter Rootkits
Last year we saw several headlines about newly discovered "nearly impossible to detect" nation-state network backdoors. Meanwhile, over the past year, leaked network backdoors from the CIA and NSA have been analyzed and documented for the first time, and they use the same techniques, employing packet filters for stealthy beaconing. This talk will analyze nation-state beaconing tactics and discuss how network filters work, including a deep dive into Linux networking and the many layers of the Linux kernel where packet monitoring and manipulation can occur. Finally, we will look ahead to the future of network filter backdoors and how they will work using Linux eBPF. We will discuss the low-level network hooks available to eBPF and demonstrate a modern implementation of nation-state beaconing tactics using eBPF, including a cross-platform implementation that works on both Linux and Windows.