10 different ways an attacker can plant backdoors in IT systems

Jonas Lejon

October 2, 2018

Understanding attackers and the various methods they use to access or modify systems and software makes it easier for us to protect our own. We have to be able to build resistance against these methods and also to detect, at the right time, the incidents that indicate something is about to happen. Therefore I have written up 10 more or less creative ways to plant backdoors. There are of course more ways, but these are a few cases.

1. Simply a programming error?

If you get a developer to plant a backdoor, it can be so subtle that you might mistake it for a programming error. Occasionally, vulnerabilities are detected in software that could in fact be backdoors. The modifications are small, and they are usually made outside the pattern in which the developer normally works, or outside the time frame in which the code is normally checked in.

The code below is an example from 2003, when it was identified inside the Linux kernel:

if ((options == (__WCLONE | __WALL)) && (current->uid = 0))
        retval = -EINVAL;

Can you see what's wrong here?
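As an added example (not code from the original post or the kernel), the check above is rewritten as a small user-space C program so its effect can be run and compared: the line as submitted sits beside the ordinary comparison it resembles. The task struct and the flag and errno values are stand-ins assumed here.

```c
#include <stdio.h>

#ifndef EINVAL
#define EINVAL   22
#endif
#ifndef __WCLONE
#define __WCLONE 0x80000000
#endif
#ifndef __WALL
#define __WALL   0x40000000
#endif

/* Stand-in for the kernel's task struct (hypothetical; just enough for the check). */
struct task { unsigned int uid; };

/* The line as it appeared in 2003. Note the single '=' in the second operand:
 * when the caller passes exactly __WCLONE|__WALL, the assignment stores 0
 * (root) into uid and then evaluates to 0, so the '&&' is false, retval stays
 * 0 and the caller silently continues as uid 0. For any other options the
 * '&&' short-circuits and uid is never touched, so normal callers notice nothing.
 * The surrounding parentheses are also the idiom that silences GCC's
 * -Wparentheses warning for an assignment used as a condition. */
static int check_as_submitted(unsigned int options, struct task *current)
{
    int retval = 0;
    if ((options == (__WCLONE | __WALL)) && (current->uid = 0))
        retval = -EINVAL;
    return retval;
}

/* The same line with '==': an ordinary validity check that rejects the flag
 * combination for root and never modifies the caller's uid. */
static int check_as_intended(unsigned int options, const struct task *current)
{
    int retval = 0;
    if ((options == (__WCLONE | __WALL)) && (current->uid == 0))
        retval = -EINVAL;
    return retval;
}

int main(void)
{
    struct task t = {1000};  /* constructed: an unprivileged caller */
    int r = check_as_submitted(__WCLONE | __WALL, &t);
    printf("submitted: retval=%d uid after=%u\n", r, t.uid);  /* 0, 0 */

    struct task u = {1000};
    r = check_as_intended(__WCLONE | __WALL, &u);
    printf("intended:  retval=%d uid after=%u\n", r, u.uid);  /* 0, 1000 */
    return 0;
}
```

Reviewing for this pattern is cheap: any assignment inside a condition, especially one wrapped in its own parentheses, deserves a second look.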

2. Enter an additional username and password, or key

In the Internet of Things this is common: a backdoor that grants access for troubleshooting, so that the manufacturer can reach the product afterwards and inspect it. This also lets an attacker use the same privileges. The Mirai botnet used 60 different hard-coded usernames with their respective passwords.

3. Insert a backdoor in real time while software is downloaded from the internet

How often do you verify the files you download from the internet? Not many people do, and the malware OnionDuke took advantage of that in the worst possible way. It was installed in at least one place in the Tor anonymization network, so that downloaded files automatically received an additional block of code alongside the legitimate software being downloaded.

4. A back door directly in the source tree

Breaking into the software that manages source code also occurs, as does guessing usernames and passwords for popular central repositories such as GitHub. This technique is quite similar to item number 10 on this list, but the difference here is that the attacker does it against the source tree himself instead of using an insider.

5. Through the build system, so the backdoor is signed too

It is becoming more common for organizations to use build systems such as Jenkins, CircleCI and Bamboo. These build systems can be identified and attacked, as they are often a key point in the development flow. These tools can also sign code, which is dangerous when the malicious code gets signed as well.

6. Only use components already found in the system, i.e. "living off the land"

This technique can be combined with the others: no new binary code is introduced into the system, which makes it harder for activities such as threat hunting, or for antivirus software, to detect the malicious code. It may involve using PowerShell, Windows Script Host (WSH) or Windows Management Instrumentation (WMI).

7. Hide the backdoor in firmware, somewhere incredibly difficult to find

The attacker wants to make backdoors as hard to identify as possible. Some places are much harder to search for malicious code than others: the BIOS, hard disk firmware, the graphics card, the network adapter and similar locations. Even where it is possible to detect manipulation there, few security products check these areas at all.

8. Insert a backdoor into the compiler so all or some of the compiled code gets a back door

This is a very old attack, dating back to 1984 and known as the Ken Thompson hack. It was observed as recently as 2015, when it was named XcodeGhost because it was identified in Apple's Xcode compiler. All software compiled with it automatically got a backdoor; in the latter case, a number of popular iOS apps compiled with the Xcode compiler contained a backdoor.

9. Insert the back door into the hardware during delivery from the manufacturer

There have been reports of break-ins at UPS and similar delivery companies where equipment from network vendors such as Cisco was held for a short period. Nothing was stolen, but someone was suspected of modifying the Cisco routers. These suspicions also coincided with the release of a picture showing what are said to be NSA employees tampering with a cardboard box bearing the Cisco logo.

10. Influence a standard, such as Dual_EC_DRBG

Influencing a standard is not easy; it has to be preceded by many years of lobbying. Still, the NSA achieved this when they got Dual_EC_DRBG into both ANSI X9.82 and NIST SP 800-90. Even so, the company RSA made Dual_EC_DRBG the random number generator in its crypto library BSAFE. An extension named Extended Random was also implemented, which made it even easier to use Dual_EC_DRBG. This add-on was identified in BSAFE's Java implementation through reverse engineering.
