BadMFS is a CIA developed covert file system which attempts to install itself in non-partitioned space. BadMFS provides an interface for a developer to interact with the covert file system, similar to typical Windows API functionality. BadMFS has been developed such that it can run as a kernel library to a device driver or other kernel thread.
BadMFS is installed as a component of the AngelFire malware framework. AngelFire uses BadMFS to store other related components. All files are obfuscated and encrypted.
Due to being a known component of the AngelFire framework a clean OS reinstall is recommended to remove any potential undetected malware, as removing only BadMFS does not guarantee removal of malware installed using it.
With Rapid7 live dashboards, I have a clear view of all the assets on my network, which ones can be exploited, and what I need to do in order to reduce the risk in my environment in real-time. No other tool gives us that kind of value and insight.
– Scott Cheney, Manager of Information Security, Sierra View Medical Center