SMBdoor backdoor PoC: inspired by the NSA

SMBdoor: A security researcher created a new backdoor inspired by NSA's malicious software leaked in the spring of 2017.

The new malware is called SMBdoor and is the work of researcher Sean Dillon of RiskSence (@zerosum0x0).

SMBdoor

Dillon designed SMBdoor as a Windows kernel , which once installed on a computer, captures APIs that are not registered in the srvnet.sys process to register as a valid process for Server Message Block (SMB) connections.

The malware is unbelievable as it does not connect to local sockets, open ports and does not rely on existing , thereby avoiding triggering alerts from anti-virus systems.

Η σχεδίασή του ήταν εμπνευσμένη από μια παρόμοια συμπεριφορά που παρατήρησε ο Dillon στα DoublePulsar και DarkPulsar, δύο εμφυτεύματα κακόβουλου λογισμικού σχεδιασμένα από την NSA που διέρρευσαν στο διαδίκτυο από την hacking The Shadow Brokers.

However, some users may be wondering (and rightly so): Why did a security researcher create malware?

Dillon told ZDNet that the SMBdoor code is not armed and that cybercriminals can not download it from GitHub to infect users in the same way they can download and develop versions of the NSA DoublePulsar.

Let us also mention that each PoC that is circulated by researchers is recorded and analyzed by security companies and security software providers as well as by PoC software developers /

"SMBdoor comes with practical limitations that make it mostly academic research, but I thought it would be interesting to share it."

There are restrictions on PoC that an intruder must overcome, ”he added. "The most important limitation is that modern Windows tries to block the core code without a valid digital signature.

___________________

iGuRu.gr The Best Technology Site in Greecefgns

every publication, directly to your inbox

Join the 2.100 registrants.

Written by giorgos

George still wonders what he's doing here ...

Leave a reply

Your email address is not published. Required fields are mentioned with *

Your message will not be published if:
1. Contains insulting, defamatory, racist, offensive or inappropriate comments.
2. Causes harm to minors.
3. It interferes with the privacy and individual and social rights of other users.
4. Advertises products or services or websites.
5. Contains personal information (address, phone, etc.).