Security researcher creates new backdoor inspired by leaked NSA malware

A security researcher has created a proof-of-concept backdoor inspired by the NSA malware that leaked online in the spring of 2017.

This new malware is named SMBdoor and is the work of RiskSense security researcher Sean Dillon (@zerosum0x0).

Dillon designed SMBdoor as a Windows kernel driver that, once installed on a PC, abuses undocumented APIs in srvnet.sys to register itself as a valid handler for SMB (Server Message Block) connections.

The malware is very stealthy: it doesn’t bind to any local sockets, open any ports, or hook into existing functions, and by doing so it avoids triggering alerts from some antivirus systems.

Its design was inspired by similar behavior that Dillon has seen in DoublePulsar and DarkPulsar, two malware implants designed by the NSA that were leaked online by a nefarious hacking group known as The Shadow Brokers.

Not weaponized

But some users might ask themselves: why did a security researcher create malware in the first place?

In an interview with ZDNet today, Dillon told us that the SMBdoor code is not weaponized, and that cybercriminals can’t download it from GitHub and infect users in the same way they can download and deploy versions of the NSA’s DoublePulsar out of the box.

“[SMBdoor] comes with practical limitations that make it mostly an academic exploration, but I thought it might be interesting to share, and is possibly something [endpoint detection and response, aka antivirus] products should monitor,” Dillon said.

“There are limitations in the proof-of-concept that an attacker would have to overcome,” he added. “Most importantly, modern Windows attempts to block unsigned kernel code.

“There are also secondary complications the backdoor would have to account for, during the process of loading secondary payloads, in order to use paged memory and not deadlock the system,” Dillon said.

“Both of these issues have several well-known bypasses, but they do become even more difficult when modern mitigations such as Hyper-V Code Integrity are enabled.”

Dillon said that unless an attacker values stealth more than the effort needed to modify SMBdoor, then this experimental malware isn’t very useful to anyone.

Stealthy by design

Dillon’s work on SMBdoor has caught the eye of many security researchers due to its stealthy design and the use of undocumented API functions.

“Like DOUBLEPULSAR, this implant hides in an esoteric area of the system,” Dillon told ZDNet.

“Listening to network traffic over an already-bound port, without touching any sockets, is not well established in current methodologies and is part of an expanding research area.
