password123456/linux-bpfdoor-malware-scanner

Linux BPFDoor Malware Scanner

On April 22, 2025, a cybersecurity breach at SK Telecom exposed millions of South Korean users. The malware used in the attack, "BPFDoor," is a Linux-based backdoor specialized in evasion tactics. This scanner is designed to detect BPFDoor variants discovered in the past 2–3 years, including the specific malware samples identified in the SK Telecom hacking incident.

You can look up the detailed information of each malware hash used in this scanner via VirusTotal.

Our goal is to help organizations affected by BPFDoor attacks detect potential infections quickly and accurately.

If you find this helpful, please give it a "star" 🌟 to support further improvements.

Requirements

  • Python Version: 3.8.10 or higher
  • Dependencies: None – no additional packages required

Performance

Tested on a single free-tier Oracle Cloud VM instance:

  • Conditions: average CPU usage of ~20% prior to scanning; all directories scanned, files under 5MB only
  • Result: scanning approximately 400,000 files took around 15 minutes
  • CPU Usage: ranged from 45% to a peak of 120% during scanning

Note: Despite the high CPU usage, the system remained stable with no crashes or noticeable side effects.
Please refer to Oracle Cloud’s free-tier VM specifications for context.

Features

  • BPFDoor Malware Detection: Identifies BPFDoor and other malicious files using a curated set of SHA256 hashes.
  • Parallel File Scanning: Utilizes ThreadPoolExecutor for fast, multi-threaded scanning of directories.
  • Configurable Scanning:
    • Supports multiple scan modes: full (entire filesystem), normal (key directories), and custom (user-specified paths).
    • Customizable file extensions, excluded directories, and maximum file size (default: 5MB).
  • Hash Validation: Automatically removes duplicate and invalid SHA256 hashes for reliability.
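The three mechanics listed above (a curated SHA256 set, hash-list validation that drops duplicates and malformed entries, and ThreadPoolExecutor-based parallel hashing) fit in a few dozen lines. The following is an added illustration written for this page, not the project's main.py; the file contents, the "known bad" hash and the helper names (validate_hashes, sha256_file, scan_files, demo) are all constructed for the example.

```python
import hashlib
import os
import re
import tempfile
from concurrent.futures import ThreadPoolExecutor

# Hash-list hygiene: a SHA256 hex digest is exactly 64 hex characters.
SHA256_RE = re.compile(r"^[0-9a-f]{64}$")


def validate_hashes(raw_hashes):
    """Normalise a list of indicator hashes to a set of lowercase SHA256 hex
    digests, silently dropping duplicates and anything that is not a SHA256."""
    valid = set()
    for entry in raw_hashes:
        candidate = entry.strip().lower()
        if SHA256_RE.match(candidate):
            valid.add(candidate)
    return valid


def sha256_file(path, chunk_size=64 * 1024):
    """Hash a file in fixed-size chunks so large files never sit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan_file(path, bad_hashes):
    """Return (path, sha256, status); unreadable files are reported, not fatal."""
    try:
        file_hash = sha256_file(path)
    except OSError as exc:
        return path, None, f"error: {exc}"
    return path, file_hash, "infected" if file_hash in bad_hashes else "clean"


def scan_files(paths, bad_hashes, workers=4):
    """Hash many files concurrently; hashing is I/O-bound, so threads help."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        return list(pool.map(lambda p: scan_file(p, bad_hashes), paths))


def demo():
    """Constructed demo: one file whose hash is on the list, one that is not.
    Returns (validated hash set, {basename: status})."""
    workdir = tempfile.mkdtemp()
    sample = os.path.join(workdir, "sample.bin")
    readme = os.path.join(workdir, "readme.txt")
    with open(sample, "wb") as fh:
        fh.write(b"constructed bpfdoor-like sample")   # NOT real malware content
    with open(readme, "wb") as fh:
        fh.write(b"nothing to see here")
    known_bad = hashlib.sha256(b"constructed bpfdoor-like sample").hexdigest()
    # Duplicate (upper-case) entry plus two malformed ones; only one survives.
    raw_list = [known_bad, known_bad.upper(), "deadbeef", "z" * 64]
    bad_hashes = validate_hashes(raw_list)
    results = scan_files([sample, readme], bad_hashes)
    return bad_hashes, {os.path.basename(p): status for p, _, status in results}


if __name__ == "__main__":
    hashes, statuses = demo()
    print(f"{len(hashes)} valid hash(es) loaded")
    for name, status in statuses.items():
        print(f"[{status.upper()}] {name}")
```

Hash matching is exact, so a recompiled or padded variant with a different digest will not be flagged; that is why the project refreshes its hash list rather than relying on a fixed set.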

Usage

Run the scanner using the main.py script with the following command-line options:

python main.py -mode {full|normal|custom} [paths] [--verbose]

Options

  • -mode: Specifies the scanning mode:
    • full: Scans the entire filesystem (e.g., / on Linux). Warning: This may take a long time.
    • normal: Scans common directories (/etc, /usr, /var, /home).
    • custom: Scans user-specified directories (requires paths argument).
  • paths: Directory paths to scan (required for custom mode, e.g., /home /opt).
  • --verbose: Enables detailed debug messages.

Examples

  1. Full System Scan:

    python main.py -mode full
  2. Normal Scan (Key Directories):

    python main.py -mode normal
  3. Custom Scan (Specific Directories):

    python main.py -mode custom /home /opt --verbose

Output

  • Console: Displays real-time scan progress with color-coded status (e.g., red for infected files, green for clean).
  • Log File: Saves results to a file named YYYYMMDD_malscan.log in the script's directory. Example log entry:
    datetime="2025-05-10 12:34:56",scan_id="123e4567-e89b-12d3-a456-426614174000",hostname="buddy2",ip="10.10.100.78",mac="02:00:17:00:8e:03",arch="x86_64",os="Ubuntu 22.04.4 LTS",infected_file="/path/to/file",sha256="c7f693f7f85b01a8c0e561bd369845f40bff423b0743c7aa0f4c323d9133b5d4",created_at="2025-01-01 10:00:00",modified_at="2025-01-02 12:00:00"
    

Configuration

Customize the scanner by modifying the following settings in main.py:

  • SCAN_EXTENSIONS: List of file extensions to scan (e.g., ['.exe', '.dll']). Empty list scans all files.
  • EXCLUDE_DIRS: Directories to skip (e.g., ['/proc', '/sys']).
  • MAX_FILE_SIZE: Maximum file size to scan (e.g., '2MB').
  • CHUNK_SIZE_MULTIPLIER: Number of files per thread (default: 100).

Example:

SCAN_EXTENSIONS = ['.exe', '.dll']
EXCLUDE_DIRS = ['/proc', '/sys', '/dev']
MAX_FILE_SIZE = '2MB'
CHUNK_SIZE_MULTIPLIER = 100
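How these settings and the log format from the Output section are applied to each candidate file is shown below as an added example; it is not code from the project, and the helper names (parse_size, in_excluded_dir, should_scan, format_log_entry), the regex for size strings and the rejection reasons are this example's own assumptions. The "File Size Exceed" wording copies the skip message in the preview further down.

```python
import os
import re

# The README's configuration knobs, with its example values. They are plain
# module constants here; main.py may arrange them differently.
SCAN_EXTENSIONS = ['.exe', '.dll']   # empty list means "scan every file"
EXCLUDE_DIRS = ['/proc', '/sys', '/dev']
MAX_FILE_SIZE = '2MB'

_UNITS = {"B": 1, "KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3}


def parse_size(text):
    """Turn a human size such as '2MB', '512KB' or '4096' into bytes."""
    match = re.fullmatch(r"\s*(\d+(?:\.\d+)?)\s*([KMG]?B)?\s*", text.upper())
    if not match:
        raise ValueError(f"unrecognised size: {text!r}")
    number, unit = match.groups()
    return int(float(number) * _UNITS[unit or "B"])


def in_excluded_dir(path, exclude_dirs):
    """True when path lies inside an excluded tree. Matching on whole path
    components means '/sys' excludes '/sys/kernel' but not '/system'."""
    norm = os.path.normpath(path)
    for excluded in exclude_dirs:
        excluded = os.path.normpath(excluded)
        if norm == excluded or norm.startswith(excluded + os.sep):
            return True
    return False


def should_scan(path, size_bytes, extensions=SCAN_EXTENSIONS,
                exclude_dirs=EXCLUDE_DIRS, max_size=MAX_FILE_SIZE):
    """Apply the three filters, cheapest first, and explain any rejection."""
    if in_excluded_dir(path, exclude_dirs):
        return False, "excluded directory"
    if extensions:
        wanted = {ext.lower() for ext in extensions}
        if os.path.splitext(path)[1].lower() not in wanted:
            return False, "extension not selected"
    limit = parse_size(max_size) if isinstance(max_size, str) else max_size
    if size_bytes > limit:
        return False, "File Size Exceed"
    return True, "ok"


def format_log_entry(fields):
    """Serialise a detection as the key="value",key="value" line shown under
    Output. Backslashes and double quotes inside values are escaped so the
    line stays parseable by a log collector."""
    parts = []
    for key, value in fields.items():
        escaped = str(value).replace("\\", "\\\\").replace('"', '\\"')
        parts.append(f'{key}="{escaped}"')
    return ",".join(parts)


if __name__ == "__main__":
    print(parse_size(MAX_FILE_SIZE), "bytes limit")
    print(should_scan("/proc/1/maps", 10))
    print(should_scan("/home/user/x.exe", 3 * 1024 ** 2))
    print(format_log_entry({"hostname": "buddy2", "infected_file": "/path/to/file"}))
```

Checking the exclusion list before opening or stat-ing anything keeps pseudo-filesystems such as /proc out of the walk entirely, which matters because reading some /proc and /sys entries can block or return endless data.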

Preview

# python3 main.py -mode normal

▌║█║▌│║▌│║▌║▌█║ Linux BPFDoor Malware Scanner ▌│║▌║▌│║║▌█║▌║█

[-] By https://github.com/password123456 / 1.0.7.prod20250510
[-] 2025-05-10 21:54:18

[*] O.K Here We go!
[*] buddy2 / 10.10.100.78 / Ubuntu 22.04.4 LTS
[*] Scanning paths: /bin, /sbin, /usr/bin, /usr/sbin, /lib, /usr/lib, /etc, /lib64, /tmp, /var, /dev/shm, /opt, /home


Scanning: /bin

[00:00:00.085] (1 scanned / 0 Infected) (Clean) /usr/bin/debconf-communicate
[00:00:00.086] (2 scanned / 0 Infected) (Clean) /usr/bin/fakeroot-sysv
[00:00:00.087] (3 scanned / 0 Infected) (Clean) /usr/bin/apport-unpack
[00:00:00.087] (4 scanned / 0 Infected) (Clean) /usr/bin/soelim
[!] Skipping /usr/bin/x86_64-linux-gnu-ld.gold: File Size Exceed
[00:00:00.088] (5 scanned / 0 Infected) (Clean) /usr/bin/debconf-escape
[00:00:00.090] (6 scanned / 0 Infected) (Clean) /usr/sbin/xtables-legacy-multi
[00:00:00.090] (7 scanned / 0 Infected) (Clean) /usr/bin/zipsplit
[00:00:00.091] (8 scanned / 0 Infected) (Clean) /usr/bin/nc.openbsd
[00:00:00.092] (9 scanned / 0 Infected) (Clean) /usr/bin/ntfsdecrypt
[00:00:00.093] (10 scanned / 0 Infected) (Clean) /usr/bin/md5sum
[00:00:00.094] (11 scanned / 0 Infected) (Clean) /usr/bin/zstdless
[00:00:00.095] (12 scanned / 0 Infected) (Clean) /usr/bin/factor
[00:00:00.097] (13 scanned / 0 Infected) (Clean) /usr/bin/apt-config
[00:00:00.098] (14 scanned / 0 Infected) (Clean) /usr/bin/nano
[00:00:00.099] (15 scanned / 0 Infected) (Clean) /usr/bin/pstree
[00:00:00.099] (16 scanned / 0 Infected) (Clean) /usr/bin/yes
[00:00:00.100] (17 scanned / 0 Infected) (Clean) /usr/bin/sudoreplay
[00:00:00.101] (18 scanned / 0 Infected) (Clean) /usr/bin/zgrep
[00:00:00.101] (19 scanned / 0 Infected) (Clean) /usr/bin/zcmp
[00:00:00.103] (20 scanned / 0 Infected) (Clean) /usr/bin/ipcs
[00:00:00.103] (21 scanned / 0 Infected) (Clean) /usr/bin/locale
...
...
[Summary]
[-] Total files found: 1112
[-] Scanned: 1085, Infected: 0
 Scan Completed!
- No infected files found. Happy happy :)