Site icon Sophos News

ExtraPulsar backdoor based on leaked NSA code – what you need to know

A US security researcher has come up with an open-source Windows backdoor that is loosely based on NSA attack code that leaked back in 2017 as part of the the infamous Shadow Brokers breach.

The researcher, who goes by @zerosum0x0 online and Sean Dillon in real life, has dubbed his new malware ExtraPulsar, a nod to the NSA’s tool called DOUBLEPULSAR.

The code itself is intriguingly simple.

Rather than exploiting a vulnerability that wasn’t supposed to be there, it quietly makes use of an undocumented part of Microsoft’s own file server driver SRVNET.SYS.

Most Windows servers, and many Windows laptops, accept file sharing connections – if you run the command net share and you see C$ and ADMIN$ in the list, yours does.

If file sharing is active, you’ll see the the Windows kernel driverSRVNET.SYS loaded – full name Server Network Driver.

The idea is that the Server Network Driver – it’s called that even on non-server versions of Windows – looks after the open network ports and the network traffic that’s part of Windows file sharing.

This traffic-handling driver then hands off incoming packets to one or more additional drivers to deal with remote requests.

For example, the Server Network Driver will usually be accompanied by a “device extension” driver called SRV2.SYS, the Smb 2.0 Server Driver.

SMB is short for Server Message Block, Microsoft’s moniker for its file sharing protocol.

If you’ve enabled the outdated, insecure and now off-by-default SMB 1 – something even Microsoft urges you not to do – you’ll see SRV.SYS as well, listed as plain old Server Driver.

What the researcher figured out is how to persuade the Server Network Driver to load an additional kernel module built from his backdoor code, something that he denoted in his source tree with a diagram described as “slop together a graphic”:

The idea of creating malware that works way is as follows:

The proof-of-concept remote code execution delivery tool in Dillon’s project is just 12 lines of Python programming that sends a single network packet of executable code to port 445 on an infected computer.

Normal SMB packets start with the bytes 0xFF 0x53 0x4D 0x42, which shows up as ■SMB when displayed as text.

The malware recognises its own shellcode payloads because they’re tagged with 0x45 0x78 0x50 0x75, which comes out as ExPu, short for ExtraPulsar.

What to do?

If you’ve seen media stories suggesting that this project could lead to “undetectable malware”, don’t panic.

Good security software can block rogue kernel drivers and their side-effects in many ways:

We’re not convinced that Dillon really needed to release his proof-of-concept malware as a freely downloadable GitHub project…

…but ExtraPulsar can’t be used directly to launch an attack, and it doesn’t represent an “undetectable” threat, whatever you may have heard.

So let’s be charitable and say that Dillon’s code is informative to study if you are interested in cybersecurity.


Exit mobile version