Recently we discovered an advanced backdoor sample – VirTool:WinNT/Exforel.A. Unlike traditional backdoor samples, this backdoor is implemented at the NDIS (Network Driver Interface Specification) level.
VirTool:WinNT/Exforel.A implements a simple private TCP/IP stack and hooks NDIS_OPEN_BLOCK for the TCP/IP protocol, as shown in Figure 1.
Figure 1: Hooked functions in NDIS_OPEN_BLOCK
This means that backdoor-related TCP traffic will be diverted to the private TCP/IP stack and delivered to the backdoor, as illustrated in Figure 2.
VirTool:WinNT/Exforel.A implements the following backdoor functionalities:
- Uploading files
- Downloading files
- Executing files
- Routing TCP/IP packets
The NDIS-level backdoor used by VirTool:WinNT/Exforel.A is much more low-level and stealthy than that used by traditional backdoors – there is no connecting/listening port so it is more difficult to notice. The backdoor traffic is completely invisible to user-mode applications.
This sample appears to be used for a specific attack targeting a certain organization.