Biggest, baddest, boldest software backdoors of all time

These 12 historically insidious backdoors will have you wondering what’s in your software -- and who can control it

The boldest software backdoors of all time
Seth Anderson via Flickr

The boldest software backdoors of all time

It’s always tough to ensure the software you’re using is secure, but it’s doubly difficult if the creators of the software -- or some malicious unknown third party -- has surreptitiously planted a back way in.

Here’s a look at 12 of the trickiest, subtlest, and nastiest software backdoors found in the wild yet.

Back Orifice

Back Orifice

Far from being the first backdoor, Back Orifice brought backdoor awareness to a wider audience. Created in 1998 by folks from the Cult of the Dead Cow hacker collective, Back Orifice allowed computers running Microsoft Windows to be controlled remotely over a network (and cleverly played off the name of Microsoft BackOffice Server, a precursor to Windows Small Business Server).

Back Orifice was devised to demonstrate deep-seated security issues in Microsoft Windows 98, and so it sported such features as being able to hide itself from the user -- something that endeared it to a generation of black hat hackers because it could be used as a malicious payload.

The DSL backdoor that wouldn’t die

The DSL backdoor that wouldn’t die

Having a backdoor in your hardware product is bad enough; promising to fix it and then only covering up its existence is even worse. But that’s what happened at the end of 2013 with a number of DSL gateways that used hardware made by Sercomm, all of which sported a manufacturer-added backdoor on port 32764. A patch was later released in April 2014 to fix the problem, but the “fix” only concealed access to the port until a specially crafted packet (a “port knock”) was sent to reveal it. We’re still waiting for a real fix.

The PGP full-disk encryption backdoor

The PGP full-disk encryption backdoor

Here’s one for the “not a backdoor, but a feature” department: PGP Whole Disk Encryption, now marketed by Symantec, allows an arbitrary static password to be added to the boot process for an encrypted volume. (By default the password expires the first time it’s used.) When first unearthed in 2007, PGP replied that other disk-encryption products had similar functionality, although the lack of public documentation for the feature was unnerving. At least now we know it’s in there, but the jury’s still out on whether it should be there to begin with.

Backdoors in pirated copies of commercial WordPress plug-ins

Backdoors in pirated copies of commercial WordPress plug-ins

WordPress may be one of the most popular and powerful blogging and content management systems out there, but its track record on security leaves a lot to be desired. Some of the sneakiest breaches have come by way of pirated copies of premium plug-ins surreptitiously patched to include backdoors, at least one of which was obfuscated so well that expert WordPress users might have trouble detecting it.

Yet another reason to avoid pirated software (as if you needed any more).

The Joomla plug-in backdoor

The Joomla plug-in backdoor

WordPress isn’t the only major CMS that’s experienced backdoor issues with plugins. Joomla installations have been victimized in a similar way -- for instance, via a free plug-in, the code of which was apparently modified after the fact.

Such sneak attacks are generally performed as a means for getting back into a website that’s been hacked because few think twice about checking whether a CMS plug-in was the point of entry of an attack.

The ProFTPD backdoor

The ProFTPD backdoor

ProFTPD, a widely used open source FTP server, nearly had a backdoor planted in it as well. Back in 2010, attackers gained access to the source code hosting server and added code which allowed an attacker to spawn a root shell by sending the command “HELP ACIDBITCHEZ.” Irony abounded in this case: The attackers used a zero-day exploit in ProFTPD itself to break into the site and plant the malicious code!

The Borland Interbase backdoor

The Borland Interbase backdoor

This one’s guaranteed to raise hairs. From 1994 through 2001, Borland (later Inprise) Interbase Versions 4.0 through 6.0 had a hard-coded backdoor -- one put there by Borland’s own engineers. The backdoor could be accessed over a network connection (port 3050), and once a user logged in with it, he could take full control over all Interbase databases. The kicker, and a sign of some strange programmer humor at work, was the credentials that were used to open the backdoor. Username: politically. Password: correct.

The Linux backdoor that wasn’t
Nemo via Pixabay

The Linux backdoor that wasn’t

Back in 2003, someone attempted to insert a subtle backdoor into the source code for the Linux kernel. The code was written to give no outward sign of a backdoor and was added to the Linux source by someone who broke into the server where the code was hosted.

Two lines of code were changed -- something that might have breezed past most eyes. Theoretically, the change could have allowed an attacker to give a specific, flagged process root privileges on a machine. Fortunately, the backdoor was found and yanked when an automatic code audit detected the change. Speculation still abounds about who might have been responsible; perhaps a certain three-letter agency that asked Linus Torvalds to add backdoors to Linux might know.

The tcpdump backdoor
Nevit Dilmen via Wikimedia

The tcpdump backdoor

One year before someone tried to backdoor the Linux kernel, someone tried to sneak a backdoor into a common Linux (and Unix) utility, tcpdump. A less stealthy hack than the Linux one -- the changes were fairly obvious -- it added a command-and-control mechanism to the program that could be activated by traffic over port 1963. As with the Linux backdoor, it was added directly to the source code by an attacker who broke into the server where the code was hosted. As with the Linux backdoor attempt, it was quickly found and rooted out (no pun intended).

The NSA’s TAO hardware backdoors
SPIEGEL ONLINE

The NSA’s TAO hardware backdoors

Never let it be said that the NSA doesn’t have some clever tricks up its sleeve. Recent revelations about its TAO (Tailored Access Operations) program show that one of the NSA’s tricks involves intercepting hardware slated for delivery overseas, adding backdoors to the device’s firmware, and then sending the bugged hardware on its merry way. Aside from network gear, the NSA also apparently planted surveillance software in the firmware for various PCs, and even in PC peripherals like hard drives.

The Windows _NSAKEY backdoor that might have been

The Windows _NSAKEY backdoor that might have been

Speaking of the NSA, in 1999 researchers peered into Windows NT 4 Service Pack 5 and found a variable named _NSAKEY with a 1024-bit public key attached to it. Speculation ran wild that Microsoft was secretly providing the NSA with some kind of backdoor into encrypted data on Windows or into Windows itself. Microsoft denied any such activity, and security expert Bruce Schneier also doubted anything nefarious was going on. But rumors have swirled ever since concerning unpluggable backdoors into Windows.

The dual elliptic curve backdoor
Wikipedia

The dual elliptic curve backdoor

Yet another from the NSA, and perhaps the sneakiest yet: a deliberate, stealthy weakening of a random number generator commonly used in cryptography. Theoretically, messages encrypted with the Dual_EC_DRBG (Dual Elliptic Curve Deterministic Random Bit Generator) standard, ratified by NIST, had a subtle weakness that could allow them to be decrypted by an attacker. Only after Edward Snowden leaked internal NSA memos did it come to light that said agency had manipulated the approval process for the standard to allow the backdoor to remain in the algorithm. Fortunately, plenty of other random number generators exist, and NIST has since withdrawn its recommendations for Dual_EC_DRBG. Small wonder people speculate what else the NSA may have hidden up its (and other peoples’) sleeves.