VirTool:WinNT/Exforel.A


VirTool:WinNT/Exforel.A

Postby R136a1 » Mon Dec 10, 2012 5:59 pm

Recently we discovered an advanced backdoor sample - VirTool:WinNT/Exforel.A. Unlike traditional backdoor samples, this backdoor is implemented at the NDIS (Network Driver Interface Specification) level.
...
This sample appears to be used for a specific attack targeting a certain organization.
...


https://blogs.technet.com/b/mmpc/archiv ... ected=true
http://www.microsoft.com/security/porta ... /Exforel.A

Can somebody provide a sample of this malware?

Re: VirTool:WinNT/Exforel.A

Postby rkhunter » Mon Dec 10, 2012 6:10 pm

VirTool:WinNT/Exforel.A

Fingerprints:

SHA256: 8dafe5f3d0527b66f6857559e3c81872699003e0f2ffda9202a1b5e29db2002e
SHA1: 8692274681e8d10c26ddf2b993f31974b04f5bf0
MD5: 491aec2249ad8e2020f9f9b559ab68a8
File size: 60928 bytes

ntdll.dll
RtlCompareMemory
cmd shell
\registry\machine\system\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\
IPAddress
DhcpIPAddress
SubnetMask
DefaultGateway
TCPIP
\\.\Pipe\x141_stdout
\\.\Pipe\x141_stdout
\\.\Pipe\x141_stdin
\\.\Pipe\x141_stdin
services.exe
services.exe
kerNel32.dll
WinExec
CreateFileA
CloseHandle
CreateProcessA
WaitForSingleObject
WaitNamedPipeA
WriteFile
\DosDevices\
receive start...
\DosDevices\
Right!
Right!
RtlGetVersion
\??\pipe\x141_stdin
\??\pipe\x141_stdout
ExAllocatePoolWithTag
memcpy
memset
KeTickCount
ObReferenceObjectByHandle
PsCreateSystemThread
PsTerminateSystemThread
KeDelayExecutionThread
KeWaitForSingleObject
IoFreeMdl
MmMapLockedPagesSpecifyCache
ZwClose
IofCompleteRequest
KeResetEvent
...
NdisFreeMemory
NdisAllocateBuffer
NdisFreePacket
NdisAllocateMemory
NdisAllocatePacket
NdisCopyFromPacketToPacket
NdisDeregisterProtocol
NdisRegisterProtocol
NdisAllocateBufferPool
NdisAllocatePacketPool
NdisFreeBufferPool
NdisFreePacketPool
NDIS.SYS

Re: VirTool:WinNT/Exforel.A

Postby rkhunter » Tue Dec 11, 2012 9:31 am

Interesting rootkit.

Modifies the code of ntdll (performs interception of RtlCompareMemory) by working with the process page table directly [makes the process pages writable].
[screenshot]

Injects code into services.exe for executing programs from its context.
[screenshot]

Looks for alertable threads in services.exe and queues an APC to them [to start the injected code].
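As an added triage example (not code from the thread, from MMPC, or from the sample), the following Python maps the strings rkhunter listed for the driver to the behaviours he describes above: an NDIS protocol driver that relays a cmd shell through the x141 named pipes and launches programs from services.exe. The capability names and groupings are my own assumptions.

```python
# Added triage helper (not from the thread): maps strings from a driver binary
# to the behaviours rkhunter attributes to Exforel.A. Capability names are mine.

# Constructed input: a subset of the strings rkhunter posted for the sample.
SAMPLE_STRINGS = r"""
ntdll.dll
RtlCompareMemory
cmd shell
\registry\machine\system\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\
\\.\Pipe\x141_stdout
\\.\Pipe\x141_stdin
services.exe
kerNel32.dll
WinExec
CreateProcessA
PsCreateSystemThread
NdisRegisterProtocol
NDIS.SYS
""".strip().splitlines()

# Every needle of a group must be present (case-insensitive substring) so a
# single common import such as CreateProcessA does not trigger a hit alone.
CAPABILITIES = {
    "ndis_protocol_driver": ["NdisRegisterProtocol", "NDIS.SYS"],
    "kernel_worker_thread": ["PsCreateSystemThread"],
    "ntdll_hook_target": ["ntdll.dll", "RtlCompareMemory"],
    "process_launch_via_services": ["services.exe", "WinExec", "CreateProcessA"],
    "named_pipe_shell_bridge": [r"\\.\Pipe\x141_stdin", r"\\.\Pipe\x141_stdout", "cmd shell"],
    "tcpip_interface_enum": [r"Services\Tcpip\Parameters\Interfaces"],
}

# Behaviours that together match the thread's description: an NDIS protocol
# driver relaying a cmd shell through named pipes into services.exe.
EXFOREL_PROFILE = {"ndis_protocol_driver", "named_pipe_shell_bridge",
                   "process_launch_via_services"}

def profile(strings):
    """Return {capability: [matched needles]} for every fully matched group."""
    lowered = [s.lower() for s in strings]
    found = {}
    for cap, needles in CAPABILITIES.items():
        hits = [n for n in needles if any(n.lower() in s for s in lowered)]
        if len(hits) == len(needles):
            found[cap] = hits
    return found

def is_exforel_like(strings):
    """True when all behaviours in EXFOREL_PROFILE are present in the strings."""
    return EXFOREL_PROFILE <= set(profile(strings))
```

Run it over a `strings` dump of a suspect driver; the profile output tells you which of the thread's behaviours the binary references, which is more useful than a hash match against one sample.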

Re: VirTool:WinNT/Exforel.A

Postby R136a1 » Tue Dec 11, 2012 6:06 pm

Thanks for providing the information! It would be interesting to know which server this rootkit contacts, and for which company this malware was created.

Re: VirTool:WinNT/Exforel.A

Postby rkhunter » Tue Dec 11, 2012 6:17 pm

R136a1 wrote: Thanks for providing the information! It would be interesting to know which server this rootkit contacts, and for which company this malware was created.

It's something similar to the "interesting kernel mode stealer" we investigated before. Deep investigation is in progress. But it seems it does not contain code for packet generation like the stealer, which stole serial data and sent it to a server. But it contains something interesting too. As MMPC said, the main purpose of the network driver is traffic rerouting.