Information Security

Defending the digital infrastructure


Evaluate Weigh the pros and cons of technologies, products and projects you are considering.

Reasearch on Coding Backdoors Presents Ugly Picture

Editor's Desk: Backdoor Bedlam

Research ups awareness on backdoors that present attackers with a cheaper means of malware distribution and system access.

Intelligence agencies call it SOUP, but it's hardly comfort food.

Spelled out, it's software of unknown provenance (or pedigree), and it can be any off-the-shelf app made for business, government or the military where source code access or even documentation is unavailable. Generally, it's a dish being served by the global development supply chain and the business of outsourcing applications that are developed inexpensively anywhere--especially India and Asia-Pacific.

For the most part, organizations that outsource are saving plenty, doing more with less and meeting other profit margin-related corporate mandates. But once the software is delivered, is it clean code? Or has an unscrupulous developer--perhaps one working for an unfriendly nation--left a backdoor?

Sounds a little hokey and conspiratorial, but former L0pht hacker and Veracode founder Chris Wysopal urges companies not to ignore the threat. Veracode's business is binary code inspection, and at the annual RSA Conference last month, Wysopal presented research on the types of backdoors discovered in proprietary and open source code developed over the last 10 years.

It ain't pretty.

Backdoors are a cheaper attack method, especially in high-value environments where well-maintained security exists, Wysopal says.

"Due to the way the development supply chain has gone global, we've lost control over where software is written," Wysopal says. "With outsourcing and the linking in of open source libraries, you need to check for backdoors on critical systems."

Not surprisingly, backdoors left in open source software are ferreted out pretty quickly, usually within three months of release, many times within days. Wysopal cautions, however, that if one is shipped in binary form, it could live undiscovered for years. The best example Wysopal found was in Borland InterBase, which was released as open source in 2001. Months later, a hard-coded credential (username "politically," password "correct") was uncovered that had been present for seven years while the popular SQL database was closed source.

These unpleasant surprises are plentiful and take many forms. Crypto backdoors, for instance, are intended weaknesses designed into a cryptographic system. Then there are application backdoors, pieces of code running in legitimate apps, guaranteeing distribution and often inserted by people with legitimate access or by a hacker.

Backdoors are nothing new; most are inserted by developers for support purposes. These special credential backdoors are usually hard-coded and feature a username, password, hash and key. The presence of the key or a statically baked-in hash are tip-offs that something suspicious is afoot.

Then there are backdoors that contain a hidden functionality--invisible parameters in Web apps, for example--that are rendered by a command known only to the developer or hacker who inserted it. Wysopal says these undocumented commands are a huge problem, and some have been found in popular applications such as WordPress or even the servers hosting the popular late-'90s game Quake.

Other backdoors can be sniffed out by watching for unintended network activity. These backdoors exhibit rootkit-like behavior and can be listening on undocumented ports, making unauthorized outbound connections or leaking information over the network. Wysopal says OpenSSH 3.22 and 3.4 were victimized by such a backdoor--an unintended listener that masqueraded as a test case for Blowfish.

Finally, some backdoors manipulate security-critical parameters. The harshest was found in the Linux 2.6 kernel, where a simple two-line change to code enabled remote root access.

Wysopal says the best detection method is a static-code analysis, and with PCI 6.6 becoming mandatory at the end of June, organizations will need to cast a keen eye on what's at the core of their applications.

Backdoors can be dire, but you can take heart in one anecdote: The attacker who wrote the Sub7 backdoor left a backdoor in the backdoor in order to subvert a few of his own kind. As Wysopal appropriately put it: "There's no trust, even among thieves."

Article 13 of 14

Dig Deeper on Secure software development

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.

Get More Information Security

Access to all of our back issues View All