Exforel Backdoor Implemented at NDIS Level to Be More Stealthy

Microsoft Malware Protection Center researchers have analyzed the threat

By Eduard Kovacs on December 10th, 2012 16:11 GMT

Security researchers from Microsoft’s Malware Protection Center have identified a variant of the Exforel backdoor malware, VirTool:WinNT/Exforel.A, that’s somewhat different from other malicious elements of this kind.

That’s because the backdoor is implemented at the Network Driver Interface Specification (NDIS) level.

Since Exforel.A implements a private TCP/IP stack and hooks NDIS_OPEN_BLOCK for the TCP/IP protocol, the backdoor TCP traffic is diverted to the private TCP/IP stack and then delivered to the backdoor.

This makes this variant of the malware more low-level and stealthy because there is no connecting or listening port. Furthermore, the backdoor traffic is invisible to user-mode applications.

According to experts, this particular version of Exforel – which can download, upload, and execute files, and route TCP/IP packets – is used in a targeted attack against a particular organization.
[Figure: Functionality diagram of Exforel malware]
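The property described above, backdoor traffic that user-mode tools on the host cannot see, suggests a defender's check: compare TCP flows captured off-host (a mirror port or tap) with the socket table the host itself reports. The following is an added example, not part of Microsoft's analysis; the host IP, socket table and flows are constructed sample data.

```python
"""Flag established TCP flows seen on the wire that the host's own socket table cannot account for.

Constructed sample data throughout; the approach is an added illustration of the
"invisible to user-mode" point, not Microsoft's own detection logic.
"""

HOST_IP = "10.0.0.5"  # constructed: the monitored host

# Constructed: what user-mode tools on the host report, as
# (local_ip, local_port, remote_ip, remote_port); remote None means a listening socket.
HOST_SOCKETS = {
    ("10.0.0.5", 445, None, None),               # SMB listener
    ("10.0.0.5", 50412, "93.184.216.34", 443),   # outbound HTTPS connection
}

# Constructed: flows observed off-host, as (src_ip, src_port, dst_ip, dst_port, established).
# Only flows whose three-way handshake completed matter; a RST-ed scan probe is not evidence.
WIRE_FLOWS = [
    ("10.0.0.9", 49211, "10.0.0.5", 445, True),         # explained by the SMB listener
    ("10.0.0.5", 50412, "93.184.216.34", 443, True),    # explained by the outbound socket
    ("198.51.100.7", 40001, "10.0.0.5", 8080, True),    # no listener on 8080 -> suspicious
    ("10.0.0.5", 51000, "198.51.100.7", 4444, True),    # no matching outbound socket -> suspicious
    ("203.0.113.2", 60000, "10.0.0.5", 3389, False),    # scan probe, never established -> ignored
    ("10.0.0.9", 33000, "10.0.0.12", 22, True),         # does not involve the host -> ignored
]


def _explained(local_port, remote_ip, remote_port, sockets, host_ip):
    """True if the host reports a listener on local_port or the exact matching connection."""
    for lip, lport, rip, rport in sockets:
        if lip != host_ip or lport != local_port:
            continue
        if rip is None or (rip == remote_ip and rport == remote_port):
            return True
    return False


def unexplained_flows(flows, sockets, host_ip=HOST_IP):
    """Return established flows touching host_ip that no reported socket explains."""
    hits = []
    for src, sport, dst, dport, established in flows:
        if not established:
            continue
        if dst == host_ip:
            ok = _explained(dport, src, sport, sockets, host_ip)
        elif src == host_ip:
            ok = _explained(sport, dst, dport, sockets, host_ip)
        else:
            continue
        if not ok:
            hits.append((src, sport, dst, dport))
    return hits


if __name__ == "__main__":
    for flow in unexplained_flows(WIRE_FLOWS, HOST_SOCKETS):
        print("unexplained flow:", flow)
```

A gap between the wire and the host's socket table is not proof of a kernel-level backdoor, but it is exactly the discrepancy a stack hooked below user mode produces and is worth triaging with a memory image of the host.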