Evolution of Stealth Packet Filter Rootkits
Last year, we saw several headlines about newly discovered "nearly impossible to detect" nation-state network backdoors. In the same period, leaked CIA and NSA network backdoors were analyzed and publicly documented for the first time, and they use the same technique: packet filters for stealthy beaconing. This talk analyzes nation-state beaconing tactics and explains how network filters work, including a deep dive into Linux networking and the many layers of the Linux kernel where packet monitoring and manipulation can occur. Finally, we look ahead to the future of network filter backdoors and how they will work using Linux eBPF. We discuss the low-level network hooks available to eBPF and demonstrate a modern implementation of nation-state beaconing tactics using eBPF, including a cross-platform implementation that works on both Linux and Windows.
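The abstract's point for defenders is that an eBPF-based packet filter backdoor has to be attached at one of the kernel's packet-path hook types (XDP, tc, socket filter, cgroup skb, and so on), which makes the set of loaded network programs a natural place to start a hunt. The following script is an added example, not material from the talk or the presenter: it triages the JSON that `bpftool prog show -j` emits, flags packet-path programs that have no owning process, an empty name, or an owner outside a host-specific allowlist, and reports them for a responder to compare against the expected loaders. The `pids` field is only present on kernels and bpftool builds that support it, so the code treats it as optional; the allowlist and the sample JSON are constructed for the example.

```python
"""Triage loaded eBPF programs for packet-path hook types.

Added example, not code from the talk. Parses the JSON shape produced by
`bpftool prog show -j` (field names as I know them: id, type, name, tag,
loaded_at, pids[].comm) and flags programs attached at network hooks
whose provenance a responder should verify.
"""
import json
import subprocess
from typing import Dict, List

# eBPF program types that sit on a packet path and can read or rewrite
# traffic; a filter-based beacon has to live in one of these.
NETWORK_PROG_TYPES = {
    "xdp", "sched_cls", "sched_act", "socket_filter", "cgroup_skb",
    "sk_skb", "sk_msg", "sk_lookup", "flow_dissector",
    "lwt_in", "lwt_out", "lwt_xmit",
}

# Processes that legitimately keep network programs loaded on this host.
# Constructed allowlist for the example; tune it per fleet.
KNOWN_LOADERS = {"systemd", "cilium-agent", "calico-node"}

# Constructed sample in the shape of `bpftool prog show -j`; not captured
# from a real host. Tags are dummy values.
SAMPLE_BPFTOOL_JSON = json.dumps([
    {"id": 12, "type": "cgroup_skb", "name": "sd_fw_egress",
     "tag": "0000000000000001", "loaded_at": 1700000000,
     "pids": [{"pid": 1, "comm": "systemd"}]},
    {"id": 57, "type": "tracing", "name": "handle_tp",
     "tag": "0000000000000002", "loaded_at": 1700000100,
     "pids": [{"pid": 880, "comm": "bpftrace"}]},
    {"id": 91, "type": "xdp", "name": "",
     "tag": "0000000000000003", "loaded_at": 1700000200,
     "pids": []},
    {"id": 92, "type": "socket_filter", "name": "bcn",
     "tag": "0000000000000004", "loaded_at": 1700000300,
     "pids": [{"pid": 4242, "comm": "kworker/u:0"}]},
])


def triage(bpftool_json: str) -> List[Dict]:
    """Return findings for packet-path programs that need provenance checks."""
    findings = []
    for prog in json.loads(bpftool_json):
        ptype = prog.get("type", "")
        if ptype not in NETWORK_PROG_TYPES:
            continue  # tracing/kprobe/etc. programs are out of scope here
        reasons = []
        pids = prog.get("pids") or []          # field may be absent
        comms = {p.get("comm", "") for p in pids}
        if not pids:
            # Loader exited or the program is pinned in bpffs: the
            # program survives without any process to attribute it to.
            reasons.append("no owning process (pinned or orphaned)")
        elif not comms & KNOWN_LOADERS:
            reasons.append("loaded by unexpected process: "
                           + ",".join(sorted(comms)))
        if not prog.get("name"):
            reasons.append("anonymous program")
        if reasons:
            findings.append({
                "id": prog["id"],
                "type": ptype,
                "tag": prog.get("tag", ""),
                "loaded_at": prog.get("loaded_at"),
                "reasons": reasons,
            })
    return sorted(findings, key=lambda f: f["id"])


def triage_live_host() -> List[Dict]:
    """Run bpftool on the local host (needs bpftool installed and root)."""
    out = subprocess.run(["bpftool", "prog", "show", "-j"],
                         check=True, capture_output=True, text=True).stdout
    return triage(out)


if __name__ == "__main__":
    for f in triage(SAMPLE_BPFTOOL_JSON):
        print(f"prog {f['id']} ({f['type']}, tag {f['tag']}): "
              + "; ".join(f["reasons"]))
```

Against the constructed sample, the systemd egress filter and the tracing program pass, while the anonymous XDP program with no owner and the socket filter loaded by a process named like a kernel thread are reported. Findings are leads, not verdicts: an empty name is common for programs loaded by older tooling, and pinned programs are routine in some deployments, so the value is in diffing the list against a known-good baseline for the host.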
About the Presenter: Richard Johnson
Richard Johnson is a computer security specialist with a focus on fuzzing and software vulnerability analysis. He is currently the owner of FUZZING IO, a research and development company offering professional training and consulting services, and brings over 20 years of professional expertise and leadership in the information security industry, including past positions as Director of Security Research at Oracle Cloud Infrastructure and Research Lead roles at Trellix, Cisco Talos, and Microsoft. Richard has delivered training and presented annually at top-tier industry conferences for over 15 years, including Black Hat, DEF CON, RECON, CanSecWest, and many more.