Rapid7 Vulnerability & Exploit Database

BadMFS Covert File System

Back to Search

BadMFS Covert File System

Severity
6
CVSS
(AV:L/AC:M/Au:S/C:C/I:C/A:N)
Published
09/01/2017
Created
07/25/2018
Added
09/01/2017
Modified
09/01/2017

Description

BadMFS is a CIA developed covert file system which attempts to install itself in non-partitioned space. BadMFS provides an interface for a developer to interact with the covert file system, similar to typical Windows API functionality. BadMFS has been developed such that it can run as a kernel library to a device driver or other kernel thread.

BadMFS is installed as a component of the AngelFire malware framework. AngelFire uses BadMFS to store other related components. All files are obfuscated and encrypted.

Due to being a known component of the AngelFire framework a clean OS reinstall is recommended to remove any potential undetected malware, as removing only BadMFS does not guarantee removal of malware installed using it.

Solution(s)

  • winreg-badmfs

With Rapid7 live dashboards, I have a clear view of all the assets on my network, which ones can be exploited, and what I need to do in order to reduce the risk in my environment in real-time. No other tool gives us that kind of value and insight.

– Scott Cheney, Manager of Information Security, Sierra View Medical Center

;