Written by: Alex Popa
In the spring of 2017, NSA suffered a major leak that led to the appearance of a series of malware programs. These were exploited by hackers, and the results weren’t surprising in the least. Chaos ensued.
Now, it seems something good might come out of that event after all. Sean Dillon, a security researcher working for RiskSense, created a backdoor on the back of the NSA-leaked malware.
Its name – SMBdoor.
Its purpose – to crack open the vaults of SMB (Server Message Block) connections by abusing the undocumented APIs exposed by srvnet.sys.
Its form – a Windows kernel driver.
The interesting and rather unsettling aspect of SMBdoor is that it’s supremely stealthy. It’s basically an invisible parasite that latches onto its host without setting off the slightest alarm.
Technically speaking, the malware doesn’t bind to any open ports or local sockets, and it doesn’t hook into any existing functions on the device. This hugely decreases the chances of it being discovered by antivirus solutions.
So, this begs the question…
For research purposes, certainly.
And, as it turns out, SMBdoor isn’t weaponized at all. In fact, Dillon himself said that “SMBdoor comes with practical limitations that make it mostly an academic exploration, but I thought it might be interesting to share, and is possibly something [endpoint detection and response, aka antivirus] products should monitor”
He reassured the public that the malware isn’t weaponized in any way, and hackers wouldn’t be able to download it from GitHub and put it straight to use. If DoublePulsar, one of the notorious NSA-leaked malware programs, could instantly be weaponized and used for cyber-attacks by anyone, this is certainly not the case with SMBdoor.
The main reason is that Dillon’s brainchild is nothing more than a proof-of-concept. It has no active functions at all, other than serving as documentation.
He states that “There are limitations in the proof-of-concept that an attacker would have to overcome”, and that “modern Windows attempts to block unsigned kernel code”.
These complications would pose considerable problems for any hacker who wants to use the malware in cyber-attacks. Even if there are certain ways to bypass these limitations, Dillon is firm that the costs outweigh the gains for anyone who tries to weaponize SMBdoor.
Even if its stealth capabilities are incredibly useful and would pose clear risks, hackers usually want their work to be recognized. Notoriety is an incentive they can’t bear to waste or lose out on.
What’s more, Dillon said that even if someone were to modify his proof-of-concept malware, it still wouldn’t pose much of a threat because of modern protection tools such as Hyper-V Code Integrity.
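A defender-side check tied to the two mitigations the article names (the blocking of unsigned kernel code, and HVCI), written as an added example that is not part of the article or of Dillon’s project: it inventories the kernel drivers currently loaded, flags any whose Authenticode signature is not valid, and reports whether HVCI is configured and running. The function names and the path-normalization rules are my own; the WMI classes and the SecurityServicesRunning values are Microsoft-documented.

```powershell
# Added example, not from the article or from Dillon's project: inventory loaded
# kernel drivers, flag any without a valid Authenticode signature, and report
# whether HVCI (the "Hyper-V Code Integrity" mentioned above) is running.
# Run from an elevated PowerShell session. Helper names are my own.

function Resolve-DriverPath {
    param([string]$PathName)
    if ([string]::IsNullOrWhiteSpace($PathName)) { return $null }
    $p = $PathName -replace '^\\\?\?\\', ''                       # \??\C:\... -> C:\...
    $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\"        # \SystemRoot\... -> C:\Windows\...
    $p = $p -replace '^system32\\', "$env:SystemRoot\system32\"   # system32\... -> C:\Windows\system32\...
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }
    return $p
}

function Get-RunningDriverSignatures {
    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.State -eq 'Running' } |
        ForEach-Object {
            $path   = Resolve-DriverPath $_.PathName
            $status = 'PathUnknown'   # no image path on disk: worth a look by itself
            $signer = $null
            if ($path -and (Test-Path -LiteralPath $path)) {
                $sig    = Get-AuthenticodeSignature -FilePath $path
                $status = $sig.Status.ToString()
                if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
            }
            [pscustomobject]@{ Name = $_.Name; Path = $path; Status = $status; Signer = $signer }
        }
}

function Get-HvciState {
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    # Documented values: 1 = Credential Guard, 2 = HVCI
    [pscustomobject]@{
        HvciConfigured = [bool]($dg.SecurityServicesConfigured -contains 2)
        HvciRunning    = [bool]($dg.SecurityServicesRunning -contains 2)
    }
}

# Anything whose status is not 'Valid' is a candidate for closer inspection.
Get-RunningDriverSignatures | Where-Object { $_.Status -ne 'Valid' } | Format-Table -AutoSize
Get-HvciState
```

On older PowerShell versions some catalog-signed inbox drivers can show as NotSigned, so compare the output against a known-good baseline rather than treating every non-Valid entry as malicious. A driver that hides itself from the service list will not appear at all, so this is a baseline check, not proof of absence.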
Indeed, its most unfathomable and dangerous aspect is that…
Drawing inspiration from the suite of crippling malware that The Shadow Brokers leaked in 2017, Dillon devised his malware with stealth in mind. After analyzing DoublePulsar and DarkPulsar, he came up with the perfect solution.
He says that “Like DOUBLEPULSAR, this implant hides in an esoteric area of the system”. What this means is anyone’s guess, but from what we can deduce, its hiding place is definitely out of the detection range of many modern antivirus solutions.
By staying there and influencing the behavior of the device, it can safely access and use the undocumented API functions without setting off any alarms. SMBdoor succeeds in what was previously seen as impossible – eavesdropping on network traffic over an already-bound port without interacting with any sockets.
In fact, this idea is still being debated and analyzed for potential functionality by many security researchers around the world. It can be said that the field of study is still in the making, with Dillon’s work acting as a catalyst for further developments.
There are reasons to look on his breakthrough as trustworthy and filled with potential, since Dillon was also the one who ported the EternalChampion, EternalRomance, and EternalSynergy NSA exploits to function on all Windows versions.
The EternalBlue SMB exploit malware is the same one used by the hackers who launched the WannaCry and NotPetya ransomware attacks.
SMBdoor could only be detected in useful time with custom-made detection code specifically written to find traces of its whereabouts. This is the main reason Dillon created it in the first place: to act as an experimenting ground for security researchers around the world.
In other words, as an incentive and direct aid to further the development of more advanced security solutions. Windows systems are vulnerable to plenty of exploits as it is, and Dillon’s work might prove to be fundamental to the mitigation of some of them.
There might come a day when SMBdoor will prove of paramount importance to the prevention of targeted exploits aimed at Windows users, and this is exactly what Dillon was counting on.
His proof-of-concept malware is available for anyone to consult and learn from. This means that security researchers, as well as hackers, will find it very interesting. It will become a field project for any four-eyed geek with a PC, and a passion for coding.
However, taking into account all the limitations and problems that a hacker would have to overcome in order to weaponize it, SMBdoor remains nothing more than raw material for field study.
We’ll see what happens next.