Anatomy of suspected top-tier decade-hidden NSA backdoor

Bvp47 of yore said to have used BPF to conceal comms in network traffic

Pangu Lab has identified what it claims is a sophisticated backdoor that was used by the NSA to subvert highly targeted Linux systems around the world for more than a decade.

The China-based computer-security outfit says it first spotted the backdoor code, or advanced persistent threat (APT), in 2013 when conducting a forensic investigation on a host in "a key domestic department" – presumably a Chinese company or government agency.

To us it seems whoever created the code would compromise or infect a selected Linux system and then install the backdoor on it. This backdoor, which Pangu has now described, would do its best to hide from administrators and users, and covertly communicate over networks with the outside world.

Those looking into the suspect code concluded it used TCP SYN packets to set up a covert communication channel. They determined it was a complex APT backdoor but lacked the attacker's asymmetric encrypted private key to awaken the code's remote control capabilities. Team Pangu called it Bvp47 because "Bvp" is the most common string in the sample code and the numerical value 0x47 is used in the encryption algorithm.

Following the publication in 2016 and 2017 of espionage tools used by Equation Group – widely believed to be associated with the US National Security Agency – Pangu Lab identified a private key in the released files that could be used to remotely trigger Bvp47.

In its technical analysis [PDF], Pangu Labs says, "The implementation of Bvp47 includes complex code, segment encryption and decryption, Linux multi-version platform adaptation, rich rootkit anti-tracking techniques, and most importantly, it integrates advanced BPF engine used in advanced covert channels, as well as cumbersome communication encryption and decryption process."

The code conducts tests of its environment and deletes itself if it doesn't like what it sees. It alters kernel devmem restrictions to allow a process in user mode to read and write kernel address space. And it hooks system functions to hide its own processes, files, network activity, and self-deletion behavior.

Bvp47 is said to have been active for more than ten years, starting around 2007. It's described as a full *nix platform, and its SYNKnock covert comms capability is believed to be linked to the Cisco platform, Solaris, AIX, SUN, and Windows.

Pangu Lab claims Bvp47 was deployed against more than 287 targets in 45 countries, including China, Germany, Japan, India, and Russia.

Without any evident sense of irony for a company operating behind China's Great Firewall, Pangu Lab has chosen to refer to several Bvp47 incidents as "Operation Telescreen."

"Telescreen is a device imagined by British writer George Orwell in his novel '1984,'" the company explains in its blog post. "It can be used to remotely monitor the person or organization deploying the telescreen, and the 'thought police' can arbitrarily monitor the information and behavior of any telescreen."

The Register asked the National Security Agency to comment. As you might expect, we've not heard back. ®


Speaking of BPF – the Berkeley Packet Filter – Microsoft has just blogged about getting Linux-based eBPF programs to run with eBPF for Windows.

Other stories you might like

Biting the hand that feeds IT © 1998–2022