The Latest in IT Security

The “hidden” backdoor – VirTool:WinNT/Exforel.A

10 Dec 2012

Recently we discovered an advanced backdoor sample – VirTool:WinNT/Exforel.A. Unlike traditional backdoor samples, this backdoor is implemented at the NDIS (Network Driver Interface Specification) level.

VirTool:WinNT/Exforel.A implements a simple private TCP/IP stack and hooks NDIS_OPEN_BLOCK for the TCP/IP protocol, as shown in Figure 1.

Figure 1: Hooked functions in NDIS_OPEN_BLOCK

This means that backdoor-related TCP traffic will be diverted to the private TCP/IP stack and delivered to the backdoor, as illustrated in Figure 2.

Figure 2: The NDIS-level backdoor

VirTool:WinNT/Exforel.A implements the following backdoor functionalities:

  • Uploading files
  • Downloading files
  • Executing files
  • Routing TCP/IP packets

The NDIS-level backdoor used by VirTool:WinNT/Exforel.A is much more low-level and stealthy than that used by traditional backdoors – there is no connecting or listening port, so it is more difficult to notice. The backdoor traffic is completely invisible to user-mode applications, so socket listings such as netstat will not show it.

This sample appears to be used for a specific attack targeting a certain organization.

Chung Feng
-MMPC Melbourne
