Recently we discovered an advanced backdoor sample - VirTool:WinNT/Exforel.A. Unlike traditional backdoor samples, this backdoor is implemented at the NDIS (Network Driver Interface Specification) level.

VirTool:WinNT/Exforel.A implements a simple private TCP/IP stack and hooks NDIS_OPEN_BLOCK for the TCP/IP protocol, as shown in Figure 1.  
 

Hooked functions in NDIS_OPEN_BLOCK
Figure 1: Hooked functions in NDIS_OPEN_BLOCK

 

This means that backdoor-related TCP traffic will be diverted to the private TCP/IP stack and delivered to the backdoor, as illustrated in Figure 2.

The NDIS-level backdoor
Figure 2: The NDIS-level backdoor

 

VirTool:WinNT/Exforel.A implements the following backdoor functionalities:

  • Uploading files
  • Downloading files
  • Executing files
  • Routing TCP/IP packets

The NDIS-level backdoor used by VirTool:WinNT/Exforel.A is much more low-level and stealthy than that used by traditional backdoors – there is no connecting/listening port so it is more difficult to notice. The backdoor traffic is completely invisible to user-mode applications.

This sample appears to be used for a specific attack targeting a certain organization.

 

 

Chung Feng
-MMPC Melbourne