Abstract
Backdoors in legitimate software, whether maliciously inserted or carelessly introduced, are a risk that should be detected before the affected software or system is deployed. Automated static analysis of executable code can detect many classes of malicious behavior. This paper covers the techniques that can be employed to detect special credentials, hidden commands, information leakage, rootkit behavior, anti-debugging, and time bombs.
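To make the abstract's categories concrete, the following is an added example (not code from the paper or from Veracode) of the kind of string-level static scan that catches the cheapest indicators of three of those classes: a hard-coded special credential, an anti-debugging import, and a time-bomb pattern (a clock query next to a literal date), plus an entropy sweep that flags packed or encrypted regions the analysis cannot see through. The indicator lists, regular expressions, entropy threshold and the sample image are illustrative assumptions; the sample bytes are constructed, not a real binary.

```python
"""Heuristic static scan of an executable image for backdoor indicators.

Added example, not the paper's own code. Indicator sets, regexes and the
entropy threshold are illustrative assumptions, not the authors' rules.
"""
import math
import re
from collections import namedtuple

Finding = namedtuple("Finding", ["category", "offset", "detail"])

# Assumed indicator sets; a real scanner would read these from the import table.
ANTI_DEBUG_APIS = {b"IsDebuggerPresent", b"CheckRemoteDebuggerPresent",
                   b"NtQueryInformationProcess", b"ptrace"}
TIME_APIS = {b"GetSystemTime", b"GetLocalTime", b"time", b"gettimeofday"}
CREDENTIAL_RE = re.compile(
    rb"(?i)(passw(or)?d|secret|backdoor|master[_ ]?key)[=:]?[ \t]*[\x21-\x7e]{4,}")
DATE_RE = re.compile(rb"\b(19|20)\d\d[-/.](0[1-9]|1[0-2])[-/.](0[1-9]|[12]\d|3[01])\b")


def extract_strings(data, min_len=4):
    """Yield (offset, run) for printable-ASCII runs of at least min_len bytes, like strings(1)."""
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data):
        yield m.start(), m.group()


def shannon_entropy(chunk):
    """Bits per byte of a chunk; 8.0 means every byte value occurs equally often."""
    if not chunk:
        return 0.0
    n = len(chunk)
    counts = [0] * 256
    for b in chunk:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def entropy_windows(data, window=256, threshold=7.0):
    """Return (offset, entropy) for fixed windows at or above threshold: likely
    packed or encrypted code that static analysis must escalate rather than trust."""
    flagged = []
    for off in range(0, len(data), window):
        e = shannon_entropy(data[off:off + window])
        if e >= threshold:
            flagged.append((off, e))
    return flagged


def scan(data):
    """Run every heuristic over one image and return the findings in offset order."""
    findings = []
    strings = list(extract_strings(data))
    uses_time_api = any(s in TIME_APIS for _, s in strings)
    for off, s in strings:
        if CREDENTIAL_RE.search(s):
            findings.append(Finding("special_credential", off, s.decode()))
        if s in ANTI_DEBUG_APIS:
            findings.append(Finding("anti_debugging", off, s.decode()))
        # A literal date in an image that also queries the clock is the cheapest
        # time-bomb signature; a deeper check would follow the comparison in code.
        if uses_time_api and DATE_RE.search(s):
            findings.append(Finding("time_bomb", off, s.decode()))
    for off, e in entropy_windows(data):
        findings.append(Finding("high_entropy", off, f"{e:.2f} bits/byte"))
    return sorted(findings, key=lambda f: f.offset)


# Constructed sample image (not a real binary): an ELF-like header, null-terminated
# strings as they would sit in .rodata and the import table, and a cyclic 0..255
# region standing in for a packed section.
SAMPLE_BINARY = (
    b"\x7fELF" + b"\x00" * 12
    + b"Usage: server [-p port]\x00"
    + b"login\x00"
    + b"ADMIN_PASSWORD=letmein_2007\x00"  # hard-coded special credential
    + b"ptrace\x00"                       # anti-debugging import
    + b"time\x00"                         # clock query ...
    + b"2010-02-01\x00"                   # ... next to a literal date
    + bytes(range(256)) * 2
    + b"\x00" * 64
)

# Constructed benign image for comparison: nothing here should be flagged.
CLEAN_BINARY = (
    b"\x7fELF" + b"\x00" * 12
    + b"Usage: server [-p port]\x00"
    + b"Connection closed\x00"
    + b"\x00" * 200
)

if __name__ == "__main__":
    for f in scan(SAMPLE_BINARY):
        print(f"{f.offset:#06x} {f.category:<18} {f.detail}")
    print("clean image findings:", scan(CLEAN_BINARY))
```

Each heuristic on its own is noisy (a date string or a `time` import is not evidence of anything), which is why the scan reports categories rather than verdicts: the value is in combining them and in routing high-entropy regions, which hide everything else, to a reviewer.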
Additional information
Chris Wysopal is CTO and Co-Founder of Veracode. He is a vulnerability researcher and the author of "The Art of Software Security Testing".
Chris Eng is Senior Director of Research at Veracode. He is responsible for integrating security expertise into, and prioritizing the security feature set of, Veracode's service offerings.
Tyler Shields is Senior Researcher on the Veracode Research Team; his responsibilities include understanding and examining security and attack methods for integration into the Veracode products.
Cite this article
Wysopal, C., Eng, C. & Shields, T. Static detection of application backdoors. DuD 34, 149–155 (2010). https://doi.org/10.1007/s11623-010-0024-4