New SMBdoor malware include characteristics of Double Pulsar and DarkPulsar exploit kits

• The malware has been created with a purpose to help academicians in their research.
• The source code of the malware is neither weaponized for cybercrime nor released on GitHub.

Two leaked NSA exploit kits have been used to create a malware named SMBdoor. The malware’s characteristics are similar to that of DoublePulsar and DarkPulsar.

What’s the matter – SMBdoor is the work of Sean Dillon, a security researcher at RiskSense. He designed the malware as a Windows kernel driver, which if installed, could abuse undocumented APIs in the srvnet.sys process. Later, the malware would register itself as a valid handler for SMB (Server Message Block) connections.

What is the purpose – In an interview, Dillon told ZDNet that the malware has been created with a purpose to help academicians in their research.

“[SMBdoor] comes with practical limitations that make it mostly an academic exploration, but I thought it might be interesting to share, and is possibly something [endpoint detection and response, aka antivirus] products should monitor,” Dillon said.

The source code of the malware is neither weaponized for cybercrime nor is released on GitHub. Hence, the cybercriminals cannot infect users the same way as they can do using NSA’s DoublePulsar and DarkPulsar.

“There are also secondary complications the backdoor would have to account for, during the process of loading secondary payloads, in order to use paged memory and not deadlock the system,” Dillon added.

What are the future aspects – Dillion said that SMBdoor cannot be used for a potential malware attack unless the source code is modified.

Researchers hope that Dillon’s work on SMBdoor will help security software provider to improve their detections and prevent any unwanted threats against Windows users.