Backdoor Found at NDIS Level

Tuesday, December 11, 2012 @ 02:12 PM gHale


It is one thing to have a piece of malware that can focus on targeted attacks, but it is quite another to have it also be nearly invisible.

That is just what a variant of the Exforel backdoor malware, VirTool:WinNT/Exforel.A, is able to do, said researchers at Microsoft’s Malware Protection Center. What sets it apart from other malicious code of this kind is that the backdoor operates at the Network Driver Interface Specification (NDIS) level.


Since Exforel.A implements a private TCP/IP stack and hooks NDIS_OPEN_BLOCK for the TCP/IP protocol, the backdoor's TCP traffic is diverted to the private TCP/IP stack and then delivered to the backdoor, researchers said.

This makes this variant of the malware more low-level and stealthy because there is no connecting or listening port. In addition, the backdoor traffic is invisible to user-mode applications.
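Because the backdoor traffic never touches the system's own TCP/IP stack, the host's socket table cannot be trusted to show it; the packets still cross the wire, though. The following added example (not from the article or from Microsoft's analysis) cross-checks a host's own netstat output against flows recorded by a network tap and reports flows the host cannot account for. The netstat format, the tap flow records and all addresses are constructed for illustration.

```python
"""Cross-view check for NDIS-level backdoor traffic.

Added example, not from the original article or from Microsoft's analysis.
A backdoor serving traffic from a private TCP/IP stack behind an NDIS hook
leaves no socket visible to user-mode tools such as netstat, but its packets
still cross the wire. Comparing the host's socket table with flows seen by a
network tap surfaces traffic the host cannot account for. All data constructed.
"""
import re
from collections import namedtuple

Flow = namedtuple("Flow", "src_ip src_port dst_ip dst_port")

# Constructed: TCP lines as `netstat -ano` would print them on the suspect host.
HOST_NETSTAT = """\
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       772
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    10.0.0.5:3389          10.0.0.9:51020         ESTABLISHED     1188
"""

# Constructed: TCP flows towards the same host as recorded by a network tap.
TAP_FLOWS = [
    Flow("10.0.0.9", 51020, "10.0.0.5", 3389),     # matches the RDP session
    Flow("10.0.0.22", 49877, "10.0.0.5", 445),     # matches LISTENING 445
    Flow("203.0.113.7", 40021, "10.0.0.5", 8009),  # nothing on the host claims 8009
]

HOST_IP = "10.0.0.5"
_NETSTAT_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\w+)")


def parse_netstat(text):
    """Return the set of local TCP ports the host itself admits to using."""
    ports = set()
    for line in text.splitlines():
        m = _NETSTAT_RE.match(line)
        if m:
            ports.add(int(m.group(2)))
    return ports


def unaccounted_flows(netstat_text, flows, host_ip):
    """Flows to host_ip whose destination port no host-visible socket explains."""
    known = parse_netstat(netstat_text)
    return [f for f in flows if f.dst_ip == host_ip and f.dst_port not in known]


if __name__ == "__main__":
    for f in unaccounted_flows(HOST_NETSTAT, TAP_FLOWS, HOST_IP):
        print(f"host-invisible flow: {f.src_ip}:{f.src_port} -> {f.dst_ip}:{f.dst_port}")
```

The check only works when the flow records come from a vantage point outside the suspect host (span port, firewall or tap), since anything read from the compromised machine passes through the same hooked stack.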

This version of Exforel – which can download, upload, and execute files, and route TCP/IP packets – could be used in a targeted attack against a particular organization, the researchers said.
