A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #17111  by R136a1
 Mon Dec 10, 2012 5:59 pm
Recently we discovered an advanced backdoor sample - VirTool:WinNT/Exforel.A. Unlike traditional backdoor samples, this backdoor is implemented at the NDIS (Network Driver Interface Specification) level.
...
This sample appears to be used for a specific attack targeting a certain organization.
...
https://blogs.technet.com/b/mmpc/archiv ... ected=true
http://www.microsoft.com/security/porta ... /Exforel.A

Can somebody provide a sample of this malware?
 #17112  by rkhunter
 Mon Dec 10, 2012 6:10 pm
VirTool:WinNT/Exforel.A

Fingerprints:

SHA256: 8dafe5f3d0527b66f6857559e3c81872699003e0f2ffda9202a1b5e29db2002e
SHA1: 8692274681e8d10c26ddf2b993f31974b04f5bf0
MD5: 491aec2249ad8e2020f9f9b559ab68a8
File size: 60928 bytes
ntdll.dll
RtlCompareMemory
cmd shell
\registry\machine\system\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\
IPAddress
DhcpIPAddress
SubnetMask
DefaultGateway
TCPIP
\\.\Pipe\x141_stdout
\\.\Pipe\x141_stdout
\\.\Pipe\x141_stdin
\\.\Pipe\x141_stdin
services.exe
services.exe
kerNel32.dll
WinExec
CreateFileA
CloseHandle
CreateProcessA
WaitForSingleObject
WaitNamedPipeA
WriteFile
\DosDevices\
receive start...
\DosDevices\
Right!
Right!
RtlGetVersion
\??\pipe\x141_stdin
\??\pipe\x141_stdout
ExAllocatePoolWithTag
memcpy
memset
KeTickCount
ObReferenceObjectByHandle
PsCreateSystemThread
PsTerminateSystemThread
KeDelayExecutionThread
KeWaitForSingleObject
IoFreeMdl
MmMapLockedPagesSpecifyCache
ZwClose
IofCompleteRequest
KeResetEvent
...
NdisFreeMemory
NdisAllocateBuffer
NdisFreePacket
NdisAllocateMemory
NdisAllocatePacket
NdisCopyFromPacketToPacket
NdisDeregisterProtocol
NdisRegisterProtocol
NdisAllocateBufferPool
NdisAllocatePacketPool
NdisFreeBufferPool
NdisFreePacketPool
NDIS.SYS
Attachments
pass:infected
(32.57 KiB) Downloaded 161 times
 #17119  by rkhunter
 Tue Dec 11, 2012 9:31 am
Interesting rootkit.

Modification code of Ntdll (performs interception of RtlCompareMemory) via working with page table of process directly [make process pages writable].
Image

Injection code in services.exe for executing programs from it context.
Image

Looks for alertable threads in services and targets APC for them [for start injected code].
 #17126  by rkhunter
 Tue Dec 11, 2012 6:17 pm
R136a1 wrote:Thanks for providing information! Would be interesting to know which Server this rootkit contacts respectively for which company this malware was created.
It's something similar to "interesting kernel mode stealer", we investigated before. Deep investigation in process. But seems it not contains code for packet generation like stealer that stolen serial data and sent it to server. But contains something interesting too. As MMPC told main purpose as network driver - traffic rerouting.
 #30996  by EP_X0FF
 Wed Nov 15, 2017 12:36 pm
What looks like Exforel variant.
NDIS_OPEN_BLOCK hooks, payload method table with strings used as id/name.
Attachments
pass: malware
(59.33 KiB) Downloaded 30 times