SMBdoor: A security researcher created a new backdoor inspired by NSA's malicious software leaked in the spring of 2017.
The new malware is called SMBdoor and is the work of researcher Sean Dillon better safetyof RiskSence (@zerosum0x0).
Dillon designed SMBdoor as a Windows kernel driver that, once installed on a computer, captures unregistered APIs in the srvnet.sys process to register as a valid process for connections SMB (Server Message Block).
Malicious software is unbelievable as it does not connect to local slots, open ports, and does not fit into existing features, thus avoiding the activation of virus protection alerts.
Its design was inspired by a similar behavior that Dillon observed in DoublePulsar and DarkPulsar, two NSA-designed malware implants that leaked to Internet from hacking team The Shadow Brokers.
However, some users may be wondering (and rightly so): Why did a security researcher create malware?
Dillon told ZDNet that the SMBdoor code is not armed and that cybercriminals can not download it from GitHub to infect users in the same way they can download and develop versions of the NSA DoublePulsar.
Let's also mention that every PoC released by researchers, is recorded and analyzed by security and security software providers, but also by the software/operating development companies involved in the PoC.
"SMBdoor comes with practical limitations that make it mostly academic research, but I thought it would be interesting to share it."
There are restrictions on PoC that an intruder must overcome, ”he added. "The most important limitation is that modern Windows tries to block the core code without a valid digital signature.
___________________
- Windows Sandbox enable in Windows 10 Home
- Ubuntu 18.10 upgrade to Ubuntu 19.04 Disco Dingo
- Bloatware; automatic removal from Windows 10
- Windows 10 May 2019 Update delay the upgrade