https://github.com/password123456/linux-bpfdoor-malware-scanner

# Linux BPFDoor Malware Scanner
![made-with-python][made-with-python]
![Python Versions][pyversion-button]
![Hits][hits-button]

[pyversion-button]: https://img.shields.io/pypi/pyversions/Markdown.svg
[made-with-python]: https://img.shields.io/badge/Made%20with-Python-1f425f.svg
[hits-button]: https://hits.sh/github.com/password123456/linux-bpfdoor-malware-scanner.svg?view=today-total

## Linux BPFDoor Malware Scanner

On April 22, 2025, a cybersecurity breach at SK Telecom was disclosed that exposed millions of South Korean users. The malware used in the attack, "BPFDoor," is a Linux backdoor built for evasion: it attaches a Berkeley Packet Filter to a raw socket and waits for a "magic" packet instead of listening on a port, so no listening port shows up in `ss` or `netstat` output. This scanner is designed to detect BPFDoor variants discovered in the past 2–3 years, including the specific samples identified in the SK Telecom hacking incident.

Detailed information on each hash in the scanner's list can be looked up on VirusTotal.

Our goal is to help organizations affected by BPFDoor attacks detect potential infections quickly and accurately.

If you find this helpful, please give it a "star" 🌟 to support further improvements.

## Requirements

- Python Version: 3.8.10 or higher
- Dependencies: None – no additional packages required

## Performance

Tested on a single free-tier Oracle Cloud VM instance:
- **Conditions**: Average CPU usage ~20% prior to scanning, scanning all directories with files under 5MB
- **Result**: Scanning approximately 400,000 files took around 15 minutes
- **CPU Usage**: Ranged from 45% to a peak of 120% during scanning
```
Note: Despite the high CPU usage, the system remained stable with no crashes or noticeable side effects.
Please refer to Oracle Cloud’s free-tier VM specifications for context.
```

## Features

- **BPFDoor Malware Detection**: Identifies BPFDoor and other malicious files by comparing each file's SHA256 against a curated hash list. Hash matching only catches samples already on that list; a recompiled, repacked or patched variant has a different SHA256 and will not be flagged, so read a clean result as "no known sample present", not as "not infected".
- **Parallel File Scanning**: Utilizes `ThreadPoolExecutor` for fast, multi-threaded scanning of directories.
- **Configurable Scanning**:
  - Supports multiple scan modes: `full` (entire filesystem), `normal` (key directories), and `custom` (user-specified paths).
  - Customizable file extensions, excluded directories, and maximum file size (default: 5MB).
- **Hash Validation**: Automatically removes duplicate and invalid SHA256 hashes for reliability.

## Usage

Run the scanner using the `main.py` script with the following command-line options:

```bash
python main.py -mode {full|normal|custom} [paths] [--verbose]
```

### Options
- `-mode`: Specifies the scanning mode:
  - `full`: Scans the entire filesystem (`/`). **Warning**: This may take a long time.
  - `normal`: Scans common directories (`/etc`, `/usr`, `/var`, `/home`; the preview at the end of this README shows the current version also covering `/bin`, `/sbin`, `/lib`, `/lib64`, `/tmp`, `/dev/shm` and `/opt`).
  - `custom`: Scans user-specified directories (requires the `paths` argument).
- `paths`: Directory paths to scan (required for `custom` mode, e.g., `/home /opt`).
- `--verbose`: Enables detailed debug messages.

### Examples

1. **Full System Scan**:
```bash
python main.py -mode full
```

2. **Normal Scan (Key Directories)**:
```bash
python main.py -mode normal
```

3. **Custom Scan (Specific Directories)**:
```bash
python main.py -mode custom /home /opt --verbose
```

### Output
- **Console**: Displays real-time scan progress with color-coded status (e.g., red for infected files, green for clean).
- **Log File**: Saves results to a file named `YYYYMMDD_malscan.log` in the script's directory. Example log entry:
```
datetime="2025-05-10 12:34:56",scan_id="123e4567-e89b-12d3-a456-426614174000",hostname="buddy2",ip="10.10.100.78",mac="02:00:17:00:8e:03",arch="x86_64",os="Ubuntu 22.04.4 LTS",infected_file="/path/to/file",sha256="c7f693f7f85b01a8c0e561bd369845f40bff423b0743c7aa0f4c323d9133b5d4",created_at="2025-01-01 10:00:00",modified_at="2025-01-02 12:00:00"
```
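The log format above is one record per line of comma-separated `key="value"` fields, which is convenient to forward to a SIEM but easy to ingest wrongly if the consumer splits on commas, since a file path may contain one. The following Python is an added example written for this page, not part of the project: it parses lines in that format with a regex anchored on the quotes, drops malformed records or records whose `sha256` is not 64 hex characters, and rolls hits up by host, by hash and by `scan_id`. The sample lines are constructed; the all-zero hash and the second host's values are placeholders, not real indicators.

```python
"""Parse the scanner's key="value" log lines and summarize hits per host and hash."""
import re
from collections import Counter, defaultdict

# One key="value" pair. The value is matched up to the closing quote, so a
# path containing a comma or space does not split the record.
_PAIR_RE = re.compile(r'(\w+)="([^"]*)"')
_SHA256_RE = re.compile(r'^[0-9a-f]{64}$')

# Constructed sample lines in the README's log format (not real scan output;
# the all-zero sha256 and the "web1" host are placeholders).
SAMPLE_LOG = """\
datetime="2025-05-10 12:34:56",scan_id="123e4567-e89b-12d3-a456-426614174000",hostname="buddy2",ip="10.10.100.78",mac="02:00:17:00:8e:03",arch="x86_64",os="Ubuntu 22.04.4 LTS",infected_file="/tmp/.x",sha256="c7f693f7f85b01a8c0e561bd369845f40bff423b0743c7aa0f4c323d9133b5d4",created_at="2025-01-01 10:00:00",modified_at="2025-01-02 12:00:00"
datetime="2025-05-10 12:35:01",scan_id="123e4567-e89b-12d3-a456-426614174000",hostname="buddy2",ip="10.10.100.78",mac="02:00:17:00:8e:03",arch="x86_64",os="Ubuntu 22.04.4 LTS",infected_file="/dev/shm/a,b",sha256="c7f693f7f85b01a8c0e561bd369845f40bff423b0743c7aa0f4c323d9133b5d4",created_at="2025-01-03 10:00:00",modified_at="2025-01-03 10:00:00"
datetime="2025-05-11 01:00:00",scan_id="9f1c2b3a-0000-4000-8000-000000000001",hostname="web1",ip="10.10.100.12",mac="02:00:17:00:aa:01",arch="x86_64",os="Ubuntu 22.04.4 LTS",infected_file="/opt/.cache/run",sha256="0000000000000000000000000000000000000000000000000000000000000000",created_at="2025-01-05 10:00:00",modified_at="2025-01-05 10:00:00"
garbage line that is not in the expected format
"""

REQUIRED = ('datetime', 'scan_id', 'hostname', 'infected_file', 'sha256')


def parse_line(line):
    """Return a dict for a well-formed record, or None if a required field is
    missing or the sha256 value is not 64 lowercase hex characters."""
    rec = dict(_PAIR_RE.findall(line))
    if any(k not in rec for k in REQUIRED) or not _SHA256_RE.match(rec['sha256']):
        return None
    return rec


def parse_log(text):
    """Parse every line, silently skipping lines that do not form a record."""
    records = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec:
            records.append(rec)
    return records


def summarize(records):
    """Hits per host, hits per hash, and the set of hosts each scan_id covered."""
    hosts, hashes = Counter(), Counter()
    scans = defaultdict(set)
    for r in records:
        hosts[r['hostname']] += 1
        hashes[r['sha256']] += 1
        scans[r['scan_id']].add(r['hostname'])
    return {'hosts': hosts, 'hashes': hashes, 'scans': dict(scans)}


if __name__ == '__main__':
    summary = summarize(parse_log(SAMPLE_LOG))
    for host, n in summary['hosts'].items():
        print(f'{host}: {n} infected file(s)')
    for digest, n in summary['hashes'].items():
        print(f'{digest[:16]}...: seen {n} time(s)')
```

Run it against a real `YYYYMMDD_malscan.log` by passing the file's contents to `parse_log`; the per-hash counter is the quickest way to see whether one sample was dropped on several hosts, which is the pivot you want before pulling the files for triage.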

## Configuration

Customize the scanner by modifying the following settings in `main.py`:

- **SCAN_EXTENSIONS**: List of file extensions to scan (e.g., `['.exe', '.dll']`). An empty list scans all files. Leave it empty when hunting BPFDoor: the samples are Linux ELF executables with arbitrary names and no extension, so any extension filter would skip them.
- **EXCLUDE_DIRS**: Directories to skip (e.g., `['/proc', '/sys']`).
- **MAX_FILE_SIZE**: Maximum file size to scan (e.g., `'2MB'`).
- **CHUNK_SIZE_MULTIPLIER**: Number of files per thread (default: 100).

Example:
```python
SCAN_EXTENSIONS = ['.exe', '.dll']
EXCLUDE_DIRS = ['/proc', '/sys', '/dev']
MAX_FILE_SIZE = '2MB'
CHUNK_SIZE_MULTIPLIER = 100
```
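The scanning pipeline the Features and Configuration sections describe (walk the chosen roots, prune excluded directories, skip oversized files, SHA256 each file in a thread pool, compare against a validated hash set) as one self-contained script. This is an added example written for this page, not the project's `main.py`; the function names, the `parse_size` helper for strings like `'2MB'`, the `demo()` tree it builds under a temporary directory and the harmless bytes standing in for a known sample are all assumptions. It uses the README's setting names and handles two details worth getting right in any hash scanner: symlinks and special files are rejected with `lstat` so a binary is never hashed twice through a link, and excluded directories are pruned from the walk rather than filtered afterwards, so `/proc` and `/sys` are never entered at all.

```python
"""Hash-set file scanner: walk roots, prune excluded dirs, skip oversized or
special files, SHA256 each file in a thread pool, match against a hash set."""
import hashlib
import os
import re
import stat
import tempfile
from concurrent.futures import ThreadPoolExecutor
from pathlib import Path

# Setting names follow the README; the values are example defaults.
SCAN_EXTENSIONS = []            # empty => every file (ELF samples carry no extension)
EXCLUDE_DIRS = ['/proc', '/sys', '/dev']
MAX_FILE_SIZE = '5MB'
CHUNK_SIZE_MULTIPLIER = 100     # files handed to one worker per task

_SHA256_RE = re.compile(r'^[0-9a-f]{64}$')
_UNITS = {'B': 1, 'KB': 1024, 'MB': 1024 ** 2, 'GB': 1024 ** 3}


def parse_size(text):
    """'5MB' -> 5242880; raises ValueError for anything else."""
    m = re.fullmatch(r'\s*(\d+)\s*([KMG]?B)\s*', text.upper())
    if not m:
        raise ValueError(f'bad size: {text!r}')
    return int(m.group(1)) * _UNITS[m.group(2)]


def load_hashes(raw):
    """Lowercase, validate and dedupe; returns (valid_set, rejected_list)."""
    good, bad = set(), []
    for h in raw:
        h = h.strip().lower()
        if _SHA256_RE.match(h):
            good.add(h)
        elif h:
            bad.append(h)
    return good, bad


def sha256_file(path, bufsize=1 << 20):
    h = hashlib.sha256()
    with open(path, 'rb') as f:
        for block in iter(lambda: f.read(bufsize), b''):
            h.update(block)
    return h.hexdigest()


def _is_excluded(path, exclude):
    path = os.path.abspath(path)
    return any(path == e or path.startswith(e + os.sep) for e in exclude)


def collect_files(roots, exclude_dirs, extensions, max_bytes):
    """Return (files_to_scan, files_found); oversized, symlinked and special files count as found only."""
    exclude = [os.path.abspath(d) for d in exclude_dirs]
    to_scan, found = [], 0
    for root in roots:
        for dirpath, dirnames, filenames in os.walk(root):
            # prune in place so os.walk never descends into excluded trees
            dirnames[:] = [d for d in dirnames if not _is_excluded(os.path.join(dirpath, d), exclude)]
            for name in filenames:
                p = os.path.join(dirpath, name)
                found += 1
                if extensions and not p.endswith(tuple(extensions)):
                    continue
                try:
                    st = os.lstat(p)          # lstat: a symlink is not a regular file
                except OSError:
                    continue
                if stat.S_ISREG(st.st_mode) and st.st_size <= max_bytes:
                    to_scan.append(p)
    return to_scan, found


def scan_chunk(paths, hashes):
    hits = []
    for p in paths:
        try:
            digest = sha256_file(p)
        except OSError:                       # unreadable, or gone since the walk
            continue
        if digest in hashes:
            hits.append((p, digest))
    return hits


def scan(roots, hashes, exclude_dirs=EXCLUDE_DIRS, extensions=SCAN_EXTENSIONS,
         max_size=MAX_FILE_SIZE, chunk=CHUNK_SIZE_MULTIPLIER, workers=4):
    files, found = collect_files(roots, exclude_dirs, extensions, parse_size(max_size))
    chunks = [files[i:i + chunk] for i in range(0, len(files), chunk)]
    hits = []
    with ThreadPoolExecutor(max_workers=workers) as ex:
        for result in ex.map(lambda c: scan_chunk(c, hashes), chunks):
            hits.extend(result)
    return {'found': found, 'scanned': len(files), 'infected': sorted(hits)}


def demo():
    """Scan a constructed throwaway tree; 'sample' is harmless bytes standing in for a known hash."""
    tmp = tempfile.mkdtemp(prefix='hashscan-demo-')
    sample = b'#!/bin/sh\necho constructed-sample-not-malware\n'
    known = hashlib.sha256(sample).hexdigest()
    Path(tmp, 'usr', 'bin').mkdir(parents=True)
    Path(tmp, 'proc').mkdir()
    Path(tmp, 'usr', 'bin', 'clean').write_bytes(b'hello\n')
    Path(tmp, 'usr', 'bin', 'dropper').write_bytes(sample)     # should be reported
    Path(tmp, 'usr', 'bin', 'big').write_bytes(sample * 100)   # over the 1KB demo limit: found, not scanned
    Path(tmp, 'proc', 'dropper').write_bytes(sample)           # excluded dir: never visited
    hashes, rejected = load_hashes([known, known.upper(), 'not-a-hash', ''])
    result = scan([tmp], hashes, exclude_dirs=[os.path.join(tmp, 'proc')], max_size='1KB')
    return known, rejected, result


if __name__ == '__main__':
    known, rejected, result = demo()
    print(f"rejected hashes: {rejected}; found {result['found']}, scanned {result['scanned']}")
    for path, digest in result['infected']:
        print(f"  INFECTED {path} sha256={digest}")
```

The `found` versus `scanned` split mirrors the summary line in the preview below ("Total files found" against "Scanned"); the gap is exactly the files the size limit, the extension filter or `lstat` turned away, and on a real host it is worth eyeballing the skipped list once, since an attacker can pad a binary past the limit.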

## Preview
```
# python3 main.py -mode normal

▌║█║▌│║▌│║▌║▌█║ Linux BPFDoor Malware Scanner ▌│║▌║▌│║║▌█║▌║█

[-] By https://github.com/password123456 / 1.0.7.prod20250510
[-] 2025-05-10 21:54:18

[*] O.K Here We go!
[*] buddy2 / 10.10.100.78 / Ubuntu 22.04.4 LTS
[*] Scanning paths: /bin, /sbin, /usr/bin, /usr/sbin, /lib, /usr/lib, /etc, /lib64, /tmp, /var, /dev/shm, /opt, /home

Scanning: /bin

[00:00:00.085] (1 scanned / 0 Infected) (Clean) /usr/bin/debconf-communicate
[00:00:00.086] (2 scanned / 0 Infected) (Clean) /usr/bin/fakeroot-sysv
[00:00:00.087] (3 scanned / 0 Infected) (Clean) /usr/bin/apport-unpack
[00:00:00.087] (4 scanned / 0 Infected) (Clean) /usr/bin/soelim
[!] Skipping /usr/bin/x86_64-linux-gnu-ld.gold: File Size Exceed
[00:00:00.088] (5 scanned / 0 Infected) (Clean) /usr/bin/debconf-escape
[00:00:00.090] (6 scanned / 0 Infected) (Clean) /usr/sbin/xtables-legacy-multi
[00:00:00.090] (7 scanned / 0 Infected) (Clean) /usr/bin/zipsplit
[00:00:00.091] (8 scanned / 0 Infected) (Clean) /usr/bin/nc.openbsd
[00:00:00.092] (9 scanned / 0 Infected) (Clean) /usr/bin/ntfsdecrypt
[00:00:00.093] (10 scanned / 0 Infected) (Clean) /usr/bin/md5sum
[00:00:00.094] (11 scanned / 0 Infected) (Clean) /usr/bin/zstdless
[00:00:00.095] (12 scanned / 0 Infected) (Clean) /usr/bin/factor
[00:00:00.097] (13 scanned / 0 Infected) (Clean) /usr/bin/apt-config
[00:00:00.098] (14 scanned / 0 Infected) (Clean) /usr/bin/nano
[00:00:00.099] (15 scanned / 0 Infected) (Clean) /usr/bin/pstree
[00:00:00.099] (16 scanned / 0 Infected) (Clean) /usr/bin/yes
[00:00:00.100] (17 scanned / 0 Infected) (Clean) /usr/bin/sudoreplay
[00:00:00.101] (18 scanned / 0 Infected) (Clean) /usr/bin/zgrep
[00:00:00.101] (19 scanned / 0 Infected) (Clean) /usr/bin/zcmp
[00:00:00.103] (20 scanned / 0 Infected) (Clean) /usr/bin/ipcs
[00:00:00.103] (21 scanned / 0 Infected) (Clean) /usr/bin/locale
...
...
[Summary]
[-] Total files found: 1112
[-] Scanned: 1085, Infected: 0
Scan Completed!
- No infected files found. Happy happy :)
```