Analyzing Main Types of Backdoor Patterns in Windows PE Files

Eshan Harshana Agalawatta
5 min read, May 13, 2021

At the application level, three main types of backdoor pattern are seen in practice.

Hard-Coded Credentials

These backdoors are created by hard-coding credentials (usernames, passwords, bypass logic, secret keys, IP addresses or URLs) into the source code. Often a developer adds a master or administrative account such as admin / admin@123 for debugging, troubleshooting or support, and the application is then pushed to production without that code being removed. Anyone who finds such a credential gets the same access the developer had, so the impact on the system is severe.

Challenges to Identify

1. Developers store the credential in an encoded or encrypted form (for example base64 or hex) in a variable and decode or decrypt it at run time. A plain ASCII string search will not find it.

2. Developers split the credential across several locations in the source and reassemble it at run time, or pad it with junk characters in a fixed pattern that is stripped out before use (obfuscated strings).

3. The executable is packed. Packing compresses the executable code, and it is often used precisely to complicate or prevent reverse engineering, so strings are hard to extract from a packed program. A packer is software that compresses an executable file; in a packed .exe a small portion of code, the unpacking stub, is left uncompressed. When the executable runs, the stub decompresses the rest of the code into memory and transfers control to it. Examples: UPX, EXEStealth Packer.

Example code lines for hard-coded special credentials (the figure is not reproduced here):

[Figure: Hard-coded special credentials]
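The first two challenges above can be triaged with a string-level scan that goes beyond a plain ASCII search, and the third with a byte-entropy check. The following is an added example written for this page, not code from the article: it extracts ASCII and UTF-16LE strings, decodes hex and base64 candidates before matching credential and endpoint patterns, and reports Shannon entropy as a packing hint. The regular expressions, the 7.0 entropy threshold and the sample byte blob are this example's own assumptions. Split or junk-padded strings (case 2) are out of reach of a purely static scan; those need the program run under a debugger or emulator so the reassembled value can be read from memory.

```python
import base64
import binascii
import math
import re

# Patterns for strings worth a look: credential assignments and network endpoints.
# Both are illustrative assumptions for this example, not a complete rule set.
CRED_RE = re.compile(r"(?i)\b(?:user(?:name)?|pass(?:word|wd)?|pwd|secret|api[_-]?key|token)\b\s*[:=]\s*\S+")
ENDPOINT_RE = re.compile(r"(?i)\bhttps?://\S+|\b\d{1,3}(?:\.\d{1,3}){3}(?::\d{1,5})?\b")
B64_RE = re.compile(r"^[A-Za-z0-9+/]{12,}={0,2}$")
HEX_RE = re.compile(r"^(?:[0-9a-fA-F]{2}){6,}$")


def ascii_strings(data, minlen=5):
    """(offset, text) for runs of printable ASCII, like the strings tool."""
    return [(m.start(), m.group().decode("ascii"))
            for m in re.finditer(rb"[\x20-\x7e]{%d,}" % minlen, data)]


def utf16_strings(data, minlen=5):
    """Same for UTF-16LE runs, which an ASCII-only search misses on Windows binaries."""
    return [(m.start(), m.group().decode("utf-16-le"))
            for m in re.finditer(rb"(?:[\x20-\x7e]\x00){%d,}" % minlen, data)]


def try_decode(text):
    """(encoding, decoded) if text is hex or base64 decoding to printable ASCII, else None."""
    candidates = (("hex", HEX_RE, binascii.unhexlify),
                  ("base64", B64_RE, lambda s: base64.b64decode(s, validate=True)))
    for name, rx, decode in candidates:  # hex first: hex text is also valid base64
        if not rx.match(text):
            continue
        try:
            decoded = decode(text).decode("ascii")
        except (ValueError, UnicodeDecodeError):
            continue
        if decoded.isprintable():
            return name, decoded
    return None


def shannon_entropy(buf):
    """Bits per byte: packed or encrypted regions sit near 8.0, code and text well below 7."""
    if not buf:
        return 0.0
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def looks_packed(buf, threshold=7.0):
    """Entropy heuristic for case 3: a UPX-style stub plus compressed body scores high."""
    return shannon_entropy(buf) >= threshold


def scan_strings(data):
    """(offset, kind, detail) findings over ASCII and UTF-16LE strings, in file order."""
    findings = []
    for off, s in sorted(ascii_strings(data) + utf16_strings(data)):
        if CRED_RE.search(s):
            findings.append((off, "credential", s))
        elif ENDPOINT_RE.search(s):
            findings.append((off, "endpoint", s))
        else:
            dec = try_decode(s)
            if dec and (CRED_RE.search(dec[1]) or ENDPOINT_RE.search(dec[1])):
                findings.append((off, f"{dec[0]}-encoded credential", f"{s} -> {dec[1]}"))
    return findings


# Constructed sample: strings as they might sit in the .rdata section of a backdoored build.
SAMPLE_BLOB = (
    b"\x00" * 8
    + b"Connecting to licensing service...\x00"                      # benign
    + b"password=admin@123\x00\x00"                                   # plain hard-coded credential
    + "support_url=http://10.13.37.5:8080/beacon".encode("utf-16-le") + b"\x00\x00"  # UTF-16 endpoint
    + base64.b64encode(b"password=Sup3rSecret!") + b"\x00"            # base64-hidden credential
    + binascii.hexlify(b"user=svc_backup") + b"\x00"                  # hex-hidden credential
    + b"\x00" * 8
)

if __name__ == "__main__":
    for off, kind, detail in scan_strings(SAMPLE_BLOB):
        print(f"{off:#06x} {kind:28} {detail}")
    print("packed?", looks_packed(SAMPLE_BLOB))
```

Run it against a real file by replacing SAMPLE_BLOB with the file's bytes; on a packed sample the string findings shrink to the packer stub while looks_packed() flips to True, which is the cue to unpack (or dump from memory) before searching again.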

Undocumented Suspicious Network Activity

Undocumented, suspicious or unintended network activity in an application is another type of backdoor. Common forms are making undocumented outbound connections, listening on undocumented ports, and sending sensitive information (usernames, passwords, PINs, transaction details) out over a particular protocol such as SMTP or FTP. The creators of this kind of backdoor try to hide the traffic from Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS).

Common Scenarios

  1. Backdoors that listen on undocumented ports (port binding). Once the backdoor is bound to a port, an attacker can connect to it and take control of the system; typically it hands the attacker a bind shell, or opens a reverse shell from an unused port back to the attacker.
  2. Backdoors that reuse ports already open on the target. Designed to run at whatever level of operating system privilege they can obtain, these let an attacker piggy-back on a port the legitimate service already listens on, which is harder to spot than a new listener.

Challenges to Identify

The difficulty is separating malicious network activity from the application's legitimate traffic. Below is an example of code lines for suspicious network activity in an .exe program; the program connects to a remote host when executed (the figure is not reproduced here).

[Figure: Undocumented TCP connection (Author's work)]

Undocumented Hidden Functions

An application may have thousands of functions in its source code. A developer can hide special commands among them that bypass or break the application's normal authentication process.

Such hidden functions can also send sensitive data to a third party. A well-known example is command execution through the application: in C and C++, system() and the exec() family are commonly used for this. system() passes a command string to the shell for execution, while exec() replaces the currently running process image with a new program.

Another variant is a hidden service running in the background, for example a service that captures users' keystrokes and sends them to the backdoor's author. If a suspect application imports kernel32.dll, user32.dll or advapi32.dll and calls Win32 APIs it has no documented need for, such as SetWindowsHookEx() (keyboard hooks) or CreateRemoteThread() (code injection into other processes), it may be backdoored, so the detection process must pay attention to which DLLs and functions the application references. More sophisticated backdoors alter or intercept operating system functions and events (kernel hooking).

Shell commands embedded in the source code can also be used to backdoor an application. The command strings can be obfuscated or encoded, then decoded and executed at run time, which makes it easy to hide payloads or malicious patterns. Shellcode can likewise be placed at any location in the .exe file, and because it is machine code rather than text, embedded shellcode is hard to find with an ASCII string search.

Compiler backdoors are inserted by a compromised compiler, which adds one or more backdoors to every application it builds. Thousands of applications built with such a compiler may be affected; the impact is very high and the probability of detection very low.

The Metasploit framework can also inject backdoor code into an already compiled application (msfvenom's -x template option, with -k to keep the original program's behaviour while the payload runs alongside it). Such backdoors normally give a shell to a remote host, and the framework can also generate standalone backdoored executables.

Challenges to Identify 

It is hard to correctly identify embedded malicious or backdoor patterns that have been obfuscated in the source code.

It is hard to correctly identify suspicious functions, and the DLLs and Windows APIs an application references, without false positives, since legitimate software uses many of the same APIs.
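Both the network-activity section above and the DLL/API paragraph come down to the same static check: which DLLs the executable imports and which functions it pulls from them. The following added example (written for this page, not the article's own code) parses the PE import table with only the standard library, for PE32 and PE32+, and flags DLL/API pairs from a watch-list; the list of suspicious APIs and the synthetic PE32 image it builds for the demonstration are this example's assumptions. Run it with a file path to scan a real .exe. A clean import table is not proof of innocence: a backdoor can resolve APIs at run time with LoadLibrary and GetProcAddress, or be packed so that the real imports only appear after unpacking.

```python
import struct
import sys

# DLL -> APIs worth a second look when the application has no documented reason to import
# them (illustrative list for this example, not an exhaustive signature set).
SUSPICIOUS_IMPORTS = {
    "ws2_32.dll": {"WSAStartup", "socket", "connect", "bind", "listen", "accept", "send", "recv"},
    "user32.dll": {"SetWindowsHookExA", "SetWindowsHookExW", "GetAsyncKeyState"},
    "kernel32.dll": {"CreateRemoteThread", "WriteProcessMemory", "VirtualAllocEx", "WinExec"},
    "advapi32.dll": {"OpenSCManagerA", "OpenSCManagerW", "CreateServiceA", "CreateServiceW"},
    "msvcrt.dll": {"system", "_popen"},
}

def rva_to_offset(rva, sections):
    """Map an RVA to a file offset through the section table."""
    for _name, va, vsize, raw_ptr, raw_size in sections:
        if va <= rva < va + max(vsize, raw_size):
            return rva - va + raw_ptr
    raise ValueError(f"RVA {rva:#x} is not backed by any section")

def read_cstring(data, off):
    return data[off:data.index(b"\0", off)].decode("ascii", "replace")

def parse_pe_imports(data):
    """Return (sections, imports); imports maps lower-cased DLL name -> list of API names."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsections = struct.unpack_from("<H", data, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]
    opt_off = pe_off + 24
    is64 = struct.unpack_from("<H", data, opt_off)[0] == 0x20B  # PE32+ magic
    dd_off = opt_off + (112 if is64 else 96)                   # first data directory
    import_rva = struct.unpack_from("<I", data, dd_off + 8)[0]  # entry 1 = import table
    sections = []
    for i in range(nsections):
        name, vsize, va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, opt_off + opt_size + 40 * i)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), va, vsize, raw_ptr, raw_size))
    imports = {}
    if import_rva == 0:
        return sections, imports
    thunk_fmt, thunk_size, ordinal_flag = ("<Q", 8, 1 << 63) if is64 else ("<I", 4, 1 << 31)
    desc_off = rva_to_offset(import_rva, sections)
    while True:  # one 20-byte IMAGE_IMPORT_DESCRIPTOR per DLL, terminated by an all-zero entry
        orig_thunk, _stamp, _fwd, name_rva, first_thunk = struct.unpack_from("<IIIII", data, desc_off)
        if name_rva == 0:
            break
        dll = read_cstring(data, rva_to_offset(name_rva, sections)).lower()
        thunk_off, names = rva_to_offset(orig_thunk or first_thunk, sections), []
        while True:
            entry = struct.unpack_from(thunk_fmt, data, thunk_off)[0]
            if entry == 0:
                break
            if entry & ordinal_flag:
                names.append(f"ordinal#{entry & 0xFFFF}")
            else:  # IMAGE_IMPORT_BY_NAME: 2-byte hint, then the NUL-terminated name
                names.append(read_cstring(data, rva_to_offset(entry, sections) + 2))
            thunk_off += thunk_size
        imports[dll] = names
        desc_off += 20
    return sections, imports

def flag_suspicious(imports):
    """(dll, api) pairs from the import table that appear in SUSPICIOUS_IMPORTS."""
    return [(dll, api) for dll, apis in imports.items()
            for api in apis if api in SUSPICIOUS_IMPORTS.get(dll, ())]

def build_sample_pe(import_map):
    """Constructed sample: a minimal PE32 whose only section (.idata) holds an import table."""
    sec_rva, sec_raw = 0x1000, 0x200
    descs, thunks, names = bytearray(), bytearray(), bytearray()
    desc_size = 20 * (len(import_map) + 1)
    thunk_rva = sec_rva + desc_size
    names_base = thunk_rva + 4 * sum(len(apis) + 1 for apis in import_map.values())
    for dll, apis in import_map.items():
        descs += struct.pack("<IIIII", thunk_rva, 0, 0, names_base + len(names), thunk_rva)
        names += dll.encode() + b"\0" * (2 - len(dll) % 2)  # NUL plus 2-byte alignment
        for api in apis:
            thunks += struct.pack("<I", names_base + len(names))
            names += b"\0\0" + api.encode() + b"\0" * (2 - len(api) % 2)  # hint, name, NUL
        thunks += struct.pack("<I", 0)
        thunk_rva += 4 * (len(apis) + 1)
    idata = bytes(descs + bytes(20) + thunks + names)
    dos = bytearray(b"MZ".ljust(64, b"\0"))
    struct.pack_into("<I", dos, 0x3C, len(dos))  # e_lfanew
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)  # PE32 magic
    struct.pack_into("<II", opt, 96 + 8, sec_rva, desc_size)  # import data directory (RVA, size)
    sec = struct.pack("<8sIIIIIIHHI", b".idata", len(idata), sec_rva, len(idata), sec_raw, 0, 0, 0, 0, 0x40000040)
    return (bytes(dos) + coff + bytes(opt) + sec).ljust(sec_raw, b"\0") + idata

# Constructed import list for a "licensing helper" that should not need most of these.
SAMPLE_IMPORTS = {"KERNEL32.dll": ["GetModuleHandleA", "CreateRemoteThread", "WriteProcessMemory"],
                  "USER32.dll": ["MessageBoxA", "SetWindowsHookExA"],
                  "WS2_32.dll": ["WSAStartup", "socket", "connect", "send"]}

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe(SAMPLE_IMPORTS)
    sections, imports = parse_pe_imports(data)
    for dll, api in flag_suspicious(imports):
        print(f"suspicious import: {dll}!{api}")
```

Each hit is a question to ask of the application's documented behaviour, not a verdict: a remote-administration tool legitimately imports ws2_32 and CreateRemoteThread, while the same pairs in a licensing helper or a report viewer deserve the dynamic follow-up described under the network section.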

Conclusions

The presence of a backdoor is a serious risk because anyone who discovers it can use it without being detected. Most backdoors are inserted by developers for their own development convenience, but sometimes a developer inserts one with malicious intent.

How a backdoor is detected depends on its type, and whichever method is used, the identification process will carry some false-positive rate that grows with the complexity of the backdoor.

