<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
		>
<channel>
	<title>Comments on: Backdoor Detection in the News</title>
	<atom:link href="http://www.veracode.com/blog/2007/07/backdoor-detection-in-the-news/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.veracode.com/blog/2007/07/backdoor-detection-in-the-news/</link>
	<description>Application security testing, analysis, and metrics</description>
	<lastBuildDate>Tue, 15 May 2012 22:16:53 +0000</lastBuildDate>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.3.1</generator>
	<item>
		<title>By: Chris Wysopal</title>
		<link>http://www.veracode.com/blog/2007/07/backdoor-detection-in-the-news/comment-page-1/#comment-535</link>
		<dc:creator>Chris Wysopal</dc:creator>
		<pubDate>Fri, 27 Jul 2007 13:17:02 +0000</pubDate>
		<guid isPermaLink="false">http://www.veracode.com/blog/?p=54#comment-535</guid>
		<description>Chris,  That is a great point.  We cover this type of application backdoor in our paper which will also be released at Black Hat.  We will post a link to it here.  Of course Veracode&#039;s binary static analysis does scan for the &quot;vulnerability&quot; backdoor.  

We also cover something that Joe Stewart mentions which is application backdoors in system backdoor programs such as SubSeven and Optix Pro.  I can&#039;t imagine why the author of a remote access trojan wouldn&#039;t put in a backdoor.  It&#039;s just too tempting.

Vulnerabilities also work as system backdoors.  I have seen cases where IT staff had backdoored machines by installing vulnerable versions of lpd or other services.  This is not so smart however as it is likely someone else will take advantage of the vulnerability and then lock you out.</description>
		<content:encoded><![CDATA[<p>Chris,  That is a great point.  We cover this type of application backdoor in our paper which will also be released at Black Hat.  We will post a link to it here.  Of course Veracode&#8217;s binary static analysis does scan for the &#8220;vulnerability&#8221; backdoor.  </p>
<p>We also cover something that Joe Stewart mentions which is application backdoors in system backdoor programs such as SubSeven and Optix Pro.  I can&#8217;t imagine why the author of a remote access trojan wouldn&#8217;t put in a backdoor.  It&#8217;s just too tempting.</p>
<p>Vulnerabilities also work as system backdoors.  I have seen cases where IT staff had backdoored machines by installing vulnerable versions of lpd or other services.  This is not so smart however as it is likely someone else will take advantage of the vulnerability and then lock you out.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Chris Eng</title>
		<link>http://www.veracode.com/blog/2007/07/backdoor-detection-in-the-news/comment-page-1/#comment-534</link>
		<dc:creator>Chris Eng</dc:creator>
		<pubDate>Fri, 27 Jul 2007 05:32:16 +0000</pubDate>
		<guid isPermaLink="false">http://www.veracode.com/blog/?p=54#comment-534</guid>
		<description>@Chris:

Good observation.  We actually address that category at the end of our talk as well as the accompanying whitepaper.  As you point out, it&#039;s impossible to quantify how many discovered (and undiscovered) vulnerabilities were placed intentionally.  Exploitable stack/heap/integer overflows immediately come to mind, but also consider logic bugs such as a regular expression that has a subtle flaw.  Inserting backdoors disguised as coding mistakes also gives the malicious developer a certain degree of plausible deniability.</description>
		<content:encoded><![CDATA[<p>@Chris:</p>
<p>Good observation.  We actually address that category at the end of our talk as well as the accompanying whitepaper.  As you point out, it&#8217;s impossible to quantify how many discovered (and undiscovered) vulnerabilities were placed intentionally.  Exploitable stack/heap/integer overflows immediately come to mind, but also consider logic bugs such as a regular expression that has a subtle flaw.  Inserting backdoors disguised as coding mistakes also gives the malicious developer a certain degree of plausible deniability.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Chris Rohlf</title>
		<link>http://www.veracode.com/blog/2007/07/backdoor-detection-in-the-news/comment-page-1/#comment-533</link>
		<dc:creator>Chris Rohlf</dc:creator>
		<pubDate>Fri, 27 Jul 2007 01:32:40 +0000</pubDate>
		<guid isPermaLink="false">http://www.veracode.com/blog/?p=54#comment-533</guid>
		<description>You forgot about one type of application backdoor that is rarely mentioned and hardly ever confirmed. The quietest and (by far) the most overlooked backdoor can be vulnerable code someone intentionally places in their product. It&#039;s *a lot* easier to hide than a traditional backdoor and its functionality is only limited to the shellcode that gets executed. And since the author can control the intricate details of the vulnerability, there really is no limit to what you can do. The obscurity level and technical ability needed to exploit it are only bound by how good the author is; it can remain well hidden for years.

Joe Stewart wrote a nice short article that mentions something like this:
http://www.openrce.org/articles/full_view/18

Too bad I can&#039;t make it to Vegas this year, I would have liked to have seen your talk. Maybe next year.</description>
		<content:encoded><![CDATA[<p>You forgot about one type of application backdoor that is rarely mentioned and hardly ever confirmed. The quietest and (by far) the most overlooked backdoor can be vulnerable code someone intentionally places in their product. It&#8217;s *a lot* easier to hide than a traditional backdoor and its functionality is only limited to the shellcode that gets executed. And since the author can control the intricate details of the vulnerability, there really is no limit to what you can do. The obscurity level and technical ability needed to exploit it are only bound by how good the author is; it can remain well hidden for years.</p>
<p>Joe Stewart wrote a nice short article that mentions something like this:<br />
<a href="http://www.openrce.org/articles/full_view/18" rel="nofollow">http://www.openrce.org/articles/full_view/18</a></p>
<p>Too bad I can&#8217;t make it to Vegas this year, I would have liked to have seen your talk. Maybe next year.</p>
]]></content:encoded>
	</item>
</channel>
</rss>

