Datenschutz und Datensicherheit - DuD, Volume 34, Issue 3, pp 149–155

Static detection of application backdoors

Detecting both malicious software behavior and malicious indicators from the static analysis of executable code
  • Chris Wysopal
  • Chris Eng
  • Tyler Shields

Abstract

Backdoors in legitimate software, whether maliciously inserted or carelessly introduced, are a risk that should be detected prior to the affected software or system being deployed. Automated static analysis of executable code can detect many classes of malicious behavior. This paper will cover the techniques that can be employed to detect special credentials, hidden commands, information leakage, rootkit behavior, anti-debugging, and time bombs.



Copyright information

© Vieweg+Teubner | GWV Fachverlage GmbH 2010
