Security researcher creates new backdoor inspired by leaked NSA malware

New experimental backdoor highlights an OS section that antivirus products are not looking at.
Written by Catalin Cimpanu, Contributor

A security researcher has created a proof-of-concept backdoor inspired by the NSA malware that leaked online in the spring of 2017.

This new malware is named SMBdoor and is the work of RiskSense security researcher Sean Dillon (@zerosum0x0).

Dillon designed SMBdoor as a Windows kernel driver that once installed on a PC will abuse undocumented APIs in the srvnet.sys process to register itself as a valid handler for SMB (Server Message Block) connections.

The malware is very stealthy, as it doesn't bind to any local sockets, open ports, or hooks into existing functions, and by doing so avoiding triggering alerts for some antivirus systems.

Its design was inspired by similar behavior that Dillon has seen in DoublePulsar and DarkPulsar, two malware implants designed by the NSA that were leaked online by a nefarious hacking group known as The Shadow Brokers.

Not weaponized

But some users might ask themselves --why did a security researcher create malware, in the first place?

In an interview with ZDNet today, Dillon told us that the SMBdoor code is not weaponized, and that cybercriminals can't download it from GitHub and infect users in the same way they can download and deploy versions of the NSA's DoublePulsar out of the box.

"[SMBdoor] comes with practical limitations that make it mostly an academic exploration, but I thought it might be interesting to share, and is possibly something [endpoint detection and response, aka antivirus] products should monitor," Dillon said.

"There are limitations in the proof-of-concept that an attacker would have to overcome," he added. "Most importantly, modern Windows attempts to block unsigned kernel code.

"There are also secondary complications the backdoor would have to account for, during the process of loading secondary payloads, in order to use paged memory and not deadlock the system," Dillon said.

"Both of these issues have several well-known bypasses, but they do become even more difficult when modern mitigations such as Hyper-V Code Integrity are enabled."

Dillon said that unless an attacker values stealth more than the effort needed to modify SMBdoor, then this experimental malware isn't very useful to anyone.

Stealthy by design

Dillon's work on SMBdoor has caught the eye of many security researchers due to its stealthy design and the use of undocumented API functions.

"Like DOUBLEPULSAR, this implant hides in an esoteric area of the system," Dillon told ZDNet.

"Listening to network traffic over an already-bound port, without touching any sockets, is not well established in current methodologies and is part of an expanding research area.

"While there may be places in the system a generic inline hook can accomplish a similar effect, this method is interesting because it instead hides out with the normal, core functionality of SMB.

"It is an anomaly that requires custom and specific code to detect," Dillon said.

The researcher hopes that his work on SMBdoor will drive security software providers to improve their detections, and in the process, provide better protections to Windows users against SMBdoor, DoublePulsar, and DarkPulsar threats.

Dillon work's on analyzing the leaked NSA malware is well known among his peers. Previously, he ported the EternalChampion, EternalRomance, and EternalSynergy NSA exploits to work on all Windows versions, going back to Windows 2000; he ported the DoublePulsar malware implant to work on Windows-based IoT devices; and also ported the EternalBlue SMB exploit (the one used by the WannaCry and NotPetya ransomware strains) to work on modern versions of Windows 10.

North Korea's history of bold cyber attacks

Related malware and cybercrime coverage:

Editorial standards