
Pangu Lab has identified what it claims is a sophisticated backdoor that has been used by the NSA to subvert highly targeted Linux systems around the world for over a decade.
The China-based IT security team says it first spotted the backdoor code, or Advanced Persistent Threat (APT), in 2013 during a forensic investigation of a host in “a key national department” – presumably a Chinese company or government agency.
It appears to us that whoever created the code would compromise or infect a selected Linux system and then install the backdoor there. This backdoor, which Pangu has now described, would do its best to hide from administrators and users, and secretly communicate over networks with the outside world.
Those who examined the suspicious code concluded that it used TCP SYN packets to set up a covert communication channel. They determined that it was a complex APT backdoor, but they lacked the attacker’s asymmetric private key needed to activate the code’s remote-control capabilities. The Pangu team called it Bvp47 because “Bvp” is the most common string in the sample code and the numeric value 0x47 is used in the encryption algorithm.
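The article only says that Bvp47 is woken by TCP SYN packets. From a defender's side, the useful observation is that a normal TCP SYN carries no application data (TCP Fast Open being the legitimate exception), so a SYN carrying payload bytes, or a run of SYNs from one source to several of a host's ports that never complete a handshake, is worth flagging on the wire. The detector below is an added example written for this page, not code from Pangu Lab or The Register; the packet fields, the threshold and the sample packets are constructed for illustration and are not indicators from the report, and the unanswered-SYN rule is a general knock-sequence heuristic that goes beyond what the article describes.

```python
"""
Heuristic detector for SYN-based covert-channel / port-knocking traffic.

Constructed example, not Pangu Lab's or The Register's code. Field names,
thresholds and sample packets are assumptions made for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    flags: str            # tcpdump-style: "S", "SA", "A", "R", ...
    payload_len: int = 0  # bytes of application data in the segment
    tfo: bool = False     # TCP Fast Open option present (legitimate SYN data)


@dataclass
class Finding:
    rule: str
    src: str
    dst: str
    detail: str


def detect_syn_anomalies(packets: List[Packet], knock_threshold: int = 3) -> List[Finding]:
    """Return findings for SYNs carrying data and for unanswered SYN sequences."""
    findings: List[Finding] = []
    # Ports each (client, server) pair sent SYNs to, and whether a SYN-ACK ever came back.
    syn_ports: Dict[Tuple[str, str], Set[int]] = defaultdict(set)
    synack_seen: Dict[Tuple[str, str], bool] = defaultdict(bool)

    for p in packets:
        if p.flags == "S":
            # Rule 1: a SYN with payload and no TFO option is abnormal.
            if p.payload_len > 0 and not p.tfo:
                findings.append(Finding(
                    "syn-with-payload", p.src, p.dst,
                    f"SYN to port {p.dport} carried {p.payload_len} payload bytes"))
            syn_ports[(p.src, p.dst)].add(p.dport)
        elif p.flags == "SA":
            # The SYN-ACK travels server->client, so key it on the client/server pair.
            synack_seen[(p.dst, p.src)] = True

    # Rule 2: several SYNs to distinct ports with no handshake completing.
    for (src, dst), ports in syn_ports.items():
        if len(ports) >= knock_threshold and not synack_seen[(src, dst)]:
            findings.append(Finding(
                "unanswered-syn-sequence", src, dst,
                f"{len(ports)} SYNs to ports {sorted(ports)} with no SYN-ACK"))
    return findings


# Constructed sample traffic (documentation addresses only).
SAMPLE_PACKETS: List[Packet] = [
    # Ordinary three-way handshake: no finding.
    Packet("10.0.0.5", "10.0.0.9", 443, "S"),
    Packet("10.0.0.9", "10.0.0.5", 443, "SA"),
    Packet("10.0.0.5", "10.0.0.9", 443, "A"),
    # TCP Fast Open SYN with data: legitimate, no finding.
    Packet("10.0.0.6", "10.0.0.9", 443, "S", payload_len=120, tfo=True),
    # SYN carrying data without TFO: flagged.
    Packet("198.51.100.7", "10.0.0.9", 80, "S", payload_len=136),
    # Three SYNs to different ports, never answered: flagged as a knock sequence.
    Packet("203.0.113.4", "10.0.0.9", 1111, "S"),
    Packet("203.0.113.4", "10.0.0.9", 2222, "S"),
    Packet("203.0.113.4", "10.0.0.9", 3333, "S"),
]


def run_sample() -> List[Finding]:
    """Run the detector over the constructed sample and return its findings."""
    return detect_syn_anomalies(SAMPLE_PACKETS)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.rule}: {f.src} -> {f.dst}: {f.detail}")
```

In a real deployment the `Packet` records would come from a capture or flow source rather than a list; the two rules are deliberately simple so that false positives (TFO, ordinary port scans) can be reasoned about and tuned per network.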
Following the release in 2016 and 2017 of spying tools used by Equation Group – widely believed to be associated with the US National Security Agency – Pangu Lab identified a private key in the released files that could be used to trigger Bvp47 remotely.
In its technical analysis [PDF], Pangu Lab states: “The Bvp47 implementation includes complex code, segment encryption and decryption, Linux multi-version platform adaptation, rich rootkit anti-tracking techniques, and most importantly, it also incorporates the advanced BPF engine used in advanced covert channels, as well as a tedious process of encrypting and decrypting communications.”
The code tests its environment and kills itself if it doesn’t like what it sees. It modifies the kernel’s devmem restrictions to allow a user-mode process to read and write kernel address space. And it hooks system functions to hide its own processes, files, network activity, and self-deleting behavior.
Bvp47 was reportedly active for over ten years, starting around 2007. It is described as a complete *nix platform backdoor, and its SYNKnock covert communication capability is said to be related to the Cisco, Solaris, AIX, SUN and Windows platforms.
Pangu Lab claims that Bvp47 has been deployed against over 287 targets in 45 countries, including China, Germany, Japan, India and Russia.
Without any obvious irony for a company operating behind China’s Great Firewall, Pangu Lab has chosen to label several Bvp47 incidents as “Operation Telescreen”.
“Telescreen is a device dreamed up by British writer George Orwell in his novel ‘1984’,” the company explains in its blog post. “It can be used to remotely monitor the person or organization deploying the telescreen, and the ‘thought police’ can arbitrarily monitor the information and behavior of any telescreen.”
The Register asked the National Security Agency for comment. As you can imagine, we have not had an answer. ®
Bootnote
Speaking of BPF – the Berkeley Packet Filter – Microsoft just blogged about running Linux-based eBPF programs with eBPF for Windows.