Not surprisingly, backdoors left in open source software are ferreted out pretty quickly, usually within three months of release, many times within days. Wysopal cautions, however, that if one is shipped in binary form, it could live undiscovered for years. The best example Wysopal found was in Borland InterBase, which was released as open source in 2001. Months later, a hard-coded credential (username "politically," password "correct") was uncovered that had been present for seven years while the popular SQL database was closed source.
These unpleasant surprises are plentiful and take many forms. Crypto backdoors, for instance, are intended weaknesses designed into a cryptographic system. Then there are application backdoors, pieces of code running in legitimate apps, guaranteeing distribution and often inserted by people with legitimate access or by a hacker.
Backdoors are nothing new; most are inserted by developers for support purposes. These special-credential backdoors are usually hard-coded and feature a username, password, hash and key. The presence of a key or a statically baked-in hash is a tip-off that something suspicious is afoot.
Then there are backdoors that contain hidden functionality--invisible parameters in Web apps, for example--that is triggered by a command known only to the developer or hacker who inserted it. Wysopal says these undocumented commands are a huge problem, and some have been found in popular applications such as WordPress or even the servers hosting the popular late-'90s game Quake.
Other backdoors can be sniffed out by watching for unintended network activity. These backdoors exhibit rootkit-like behavior and can be listening on undocumented ports, making unauthorized outbound connections or leaking information over the network. Wysopal says OpenSSH 3.22 and 3.4 were victimized by such a backdoor--an unintended listener that masqueraded as a test case for Blowfish.
Finally, some backdoors manipulate security-critical parameters. The harshest was found in the Linux 2.6 kernel, where a simple two-line change to code enabled remote root access.
Wysopal says the best detection method is static code analysis, and with PCI 6.6 becoming mandatory at the end of June, organizations will need to cast a keen eye on what's at the core of their applications.
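Added example, not code from the article or from Wysopal's work: a minimal static check for the two credential-backdoor tip-offs described earlier (a credential-named variable compared against a string literal, and a long hex constant that looks like a baked-in hash or key), run over a constructed source fragment. Real static analyzers do far more; this shows the shape of the check.

```python
import re
from typing import List, Tuple

# Constructed sample in the style of a credential backdoor: a hard-coded
# username/password pair plus a statically baked-in key (not real code).
SAMPLE_SOURCE = """\
def login(user, password):
    if user == "politically" and password == "correct":
        return True
    return check_db(user, password)

MASTER_KEY = "deadbeefcafebabe0123456789abcdef0123456789abcdef0123456789abcdef"
VERSION = "3.4"
"""

# Identifier fragments that suggest an authentication decision or secret material.
CRED_NAMES = r"(?:user(?:name)?|pass(?:word|wd)?|secret|key|token|hash)"

# Rule 1: a credential-like identifier compared to a string literal.
LITERAL_COMPARE = re.compile(
    rf"\b(\w*{CRED_NAMES}\w*)\s*==\s*([\"'])(.+?)\2", re.IGNORECASE)
# Rule 2: a long hex string assigned to anything (baked-in hash or key).
HEX_CONSTANT = re.compile(r"\b(\w+)\s*=\s*[\"']([0-9a-fA-F]{32,})[\"']")


def scan_source(source: str) -> List[Tuple[int, str, str]]:
    """Return (line number, rule name, detail) for each suspicious construct."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for m in LITERAL_COMPARE.finditer(line):
            findings.append((lineno, "hardcoded-credential",
                             f"{m.group(1)} compared to literal {m.group(3)!r}"))
        for m in HEX_CONSTANT.finditer(line):
            findings.append((lineno, "baked-in-hash-or-key",
                             f"{m.group(1)} holds a {len(m.group(2))}-char hex constant"))
    return findings


if __name__ == "__main__":
    for lineno, rule, detail in scan_source(SAMPLE_SOURCE):
        print(f"line {lineno}: {rule}: {detail}")
```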
Backdoors can be dire, but you can take heart in one anecdote: The attacker who wrote the Sub7 backdoor left a backdoor in the backdoor in order to subvert a few of his own kind. As Wysopal appropriately put it: "There's no trust, even among thieves."
This was first published in May 2008