Creepy backdoor found in NetSarang server management software

Yup, by all means, don't use Kaspersky in the US government. Mmm-hmm.

Dips.

17
0
Silver badge

"Regretfully, the Build release of our full line of products on July 18, 2017 was unknowingly shipped with a backdoor, which had the potential to be exploited by its creator," NetSarang said in a statement.

A somewhat ambiguous statement that could, should one be uncharitable, not rule out the vendor as the creator. At best their QA is shit. At worst their practices are perhaps patriotic (just not your patriot).

5
3

QA != shit

Perfection is a fool's dream.

They were up against an intelligent attacker not a random zluttz.

Good for holding-up hands and being honest. Give credit where it's due.

Even supposing, like you did, that NetSarang were the actual perps (eh, suddenly switch business model to kamikaze?), then the issue is out in the open and visible.

"Patriotic"? Your trollisms don't work here mate.

12
5
Silver badge

> a somewhat ambiguous statement

> not rule out the vendor as the creator

If you haven't yet definitively identified the source it is foolish to rule out the possibility that it originated in house. An employee who has been suborned, even one who has been blackmailed: "Here's a picture of your pretty daughter on her way to school. Here's a picture of one of the pretty girls our partner organisation 'makes use of'. You do want to include this code in the next revision, don't you?"

It does, of course, militate against current PR 'best' practice not to assume the least unfavourable light until you know for sure exactly what happened, but it's not a bad thing.

There's also the small point that if you are actively tracking down the bad guys, it may be a mistake to let them know how close you are getting in case they run before law enforcement catches them.

3
0

Re: not rule out the vendor as the creator

A suborned employee is not (in any real sense) "the vendor". A suborned employee is just a mechanism for how the external attacker places the code in the product.

"The vendor as creator" was my initial thought on reading the headline - I thought it was a debugging tool that was left in place in the release. However, debugging tools don't tend to conceal their access to C&C servers like this....

3
0
Silver badge
Meh

Re: QA != shit

Perfection is a fool's dream.

They were up against an intelligent attacker not a random zluttz.

I'm not sure their customers want perfection, but something they can rely upon to do what it says on the tin would be nice. And since this particular tin says "Secure UNIX/Linux connectivity solution", I think their customers have the right to be angry.

Since this is hardly the first time that backdoors have been incorporated into products and firmware in the supply chain, it is high time that hardware and software manufacturers took this sort of issue more seriously in their QA processes. And I think those that don't will soon be seeing the consequences on their bottom line.

2
0
Anonymous Coward

What is a DLL? Sounds like a really secure way to build an OS.

5
11
Silver badge

"What is a DLL? Sounds like a really secure way to build an OS."

In Unix and Unix-like OSes the equivalent would be an SO.

You can debate whether this is a more or less secure system than a self-contained fully linked binary. Both have strengths and weaknesses.

2
0
Boffin

What is a DLL? Sounds like a really secure way to build an OS.

well, you have a choice...

1. use a shared file of routines and functions to keep programs smaller by compiling dynamic.

2. make every program larger by including what could be shared code into all of them and compile everything static.

1
0
Gold badge
Unhappy

It does look like the company's development and distribution servers have been compromised

Which is the nightmare scenario for Windows update users.

"Set up a shadow file system in the registry"

WTF?

Would that be even possible in any other main stream OS (that didn't have an everything-and-the-kitchen-sink "database" in it)?

12
3
Silver badge

Re: It does look like the company's development and distribution servers have been compromised

Don't worry, it will soon be in systemd as well.

14
2
Silver badge
Pirate

Re: It does look like the company's development and distribution servers have been compromised

"Set up a shadow file system in the registry"

next:

"Set up a shadow file system in SystemD"

Shudder...

9
1
Silver badge
FAIL

"a virtual file system inside the registry"

Thanks again, Microsoft, for this abomination of an excuse that you have included since Windows 95.

The Registry : the gift that keeps on giving (to DRM makers and hackers).

9
2
Silver badge

Re: It does look like the company's development and distribution servers have been compromised

I am sure you could set up a shadow file in MySQL

1
1
Silver badge
Facepalm

FTFY

"The fact that malicious groups and entities are utilizing commercial and legitimate software for illicit gain is an ever-growing concern and one that NetSarang, as well as others in the computer software industry, is taking very seriously now."

6
1
Silver badge

Re: FTFY

"NetSarang, as well as others in the computer software industry, is taking very seriously now."

Not so much now, more like once they've been hit.

2
0
Anonymous Coward

IP-Land

If vendors had to buy IP addresses in a set range (non-geographic) for specific uses we could more readily assess network traffic for strange activity. Most of these backdoors will be using IP addresses that are not the original vendor's, so if I install some software that can only connect to IP-Land registered addresses X and Y, any attempts to connect to addresses outside that are non-standard traffic and should flag up. Critical software is not a browser; it should only ever perform known actions to known destinations.

2
2

Re: IP-Land

That's more or less what your firewalls are for, it's just that most people still assume firewalls are only meant to protect from external threats.

So they still allow, for instance, all servers to connect to any IP in the world using the basic protocols (http/https for instance).

Seems that financial client of Kaspersky was actually doing things right, and actually investigated blocked outgoing traffic to the point of hiring Kaspersky to figure out what was causing it.

But in the end your idea is just another approach that would generally not be implemented for the same reasons -- so many people assume traffic originating from their own systems is legitimate by default.

2
0
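The egress allow-list the two posts above are talking about, written out as a check over a connection log. This is an added example, not code from the thread or from NetSarang: the program names, the destination networks, the log format and the log lines are all constructed for illustration, and the policy table is a hypothetical stand-in for whatever your host firewall or proxy actually enforces.

```python
"""Default-deny egress check over a host-firewall connection log.

Added example (not from the thread or NetSarang). A program may only reach the
destinations listed for it; anything else, and any program with no entry at
all, is a violation. Every name and address below is constructed.
"""
import ipaddress
import re
from collections import defaultdict

# Hypothetical policy: program -> destination networks it may reach.
# A program absent from the table may reach nothing (default deny).
EGRESS_POLICY = {
    "servertool.exe": ["203.0.113.0/24"],    # assumed vendor update/licensing range
    "postfix":        ["0.0.0.0/0"],         # a mail relay legitimately talks to anyone
    "browser.exe":    ["0.0.0.0/0"],         # the browser is the one thing allowed to roam
    "apt":            ["198.51.100.10/32"],  # internal package mirror only
}

# Constructed log: "<ts> <host> <program> <dst_ip>:<dst_port>"
SAMPLE_LOG = """\
2017-08-15T08:00:01Z ws-042 servertool.exe 203.0.113.7:443
2017-08-15T08:00:02Z ws-042 servertool.exe 192.0.2.55:53
2017-08-15T08:00:05Z mail-1 postfix 198.51.100.200:25
2017-08-15T08:00:09Z ws-042 browser.exe 203.0.113.200:443
2017-08-15T08:00:12Z build-3 apt 198.51.100.10:443
2017-08-15T08:00:13Z build-3 apt 192.0.2.99:80
2017-08-15T08:00:20Z ws-042 updater-helper.exe 192.0.2.55:443
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+):(\d+)$")


def parse_line(line):
    """Parse one log line; return None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, host, program, dst_ip, dst_port = m.groups()
    return {"ts": ts, "host": host, "program": program,
            "dst_ip": dst_ip, "dst_port": int(dst_port)}


def is_allowed(program, dst_ip, policy=EGRESS_POLICY):
    """True only if the program has a policy entry covering dst_ip."""
    nets = policy.get(program)
    if not nets:
        return False  # default deny: no entry, no egress
    addr = ipaddress.ip_address(dst_ip)
    return any(addr in ipaddress.ip_network(n, strict=False) for n in nets)


def find_violations(log_text, policy=EGRESS_POLICY):
    """Every connection record that the policy would not have permitted."""
    violations = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is not None and not is_allowed(rec["program"], rec["dst_ip"], policy):
            violations.append(rec)
    return violations


def summarise(violations):
    """program -> sorted list of the unexpected destinations it tried to reach."""
    seen = defaultdict(set)
    for v in violations:
        seen[v["program"]].add(v["dst_ip"])
    return {p: sorted(ips) for p, ips in seen.items()}


if __name__ == "__main__":
    for program, ips in summarise(find_violations(SAMPLE_LOG)).items():
        print(f"{program}: unexpected egress to {', '.join(ips)}")
```

Two things worth noting when turning this into a real policy: membership in `ipaddress` is version-specific, so a program that needs IPv6 needs its own `::/0` (or narrower) entry alongside the IPv4 one; and the record for `servertool.exe` talking to port 53 on an address outside its range is exactly the kind of line that is only visible if outbound traffic is logged rather than silently allowed.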
Silver badge

It is assumed someone managed to hack into NetSarang's operations and silently insert the backdoor

I'm thinking less hacking and more "convincing someone on the inside to implant the code or provide access".

7
1
Silver badge
Big Brother

Someone managed to hack into NetSarang?

"It is assumed someone managed to hack into NetSarang's operations and silently insert the backdoor"

It is assumed, is it, without any evidence, and just who did the assuming? A more likely scenario is that it was done by the NetSarang developers at the behest of the state security apparatus. Or else they got a security audit done by some Israeli cyber threat company with links to the selfsame state security apparatus.

1
0

Easily detected - monitor for DNS TXT record queries ...

Only mail servers connected to the Internet should be performing regular TXT record lookups. That being said, Macs do it as well occasionally for whatever reason, and those domains can be filtered out.

DNS TXT records are a common way of performing command and control functions or of exfiltrating data via DNS Tunneling.

But you have to be logging all DNS queries, and non-aware companies will complain that it takes too much disk space. 'Cause, you know, it's better to be hacked and not know about it. That way you don't have to notify anyone.

2
0

Re: Easily detected - monitor for DNS TXT record queries ...

Good luck anyway, in any 2000+ employee company, with detecting an 8-hour-period DNS lookup amongst all the shit going to DNS, due to wrong configurations/design of all products/OSes used by everyone ...

Dunno whether TXT lookups are a common way, but this is actually quite a stealthy method of remote activation ...

1
0
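The detection described two posts up (TXT queries from hosts that are not mail servers, with known-benign domains filtered out), plus the periodicity check the reply above is sceptical about, as an added example that is not code from the thread or from NetSarang. The log format, the client addresses, the domain names and the mail-server and benign-domain lists are all constructed for illustration; the periodic beacon in the sample repeats roughly every 8 hours with a few seconds of jitter.

```python
"""Flag unexpected and periodic DNS TXT lookups in a query log.

Added example (not from the thread or NetSarang). Two checks:
  1. any TXT query from a host that is not a known mail server and is not
     for an allow-listed domain;
  2. among those, a (client, name) pair that repeats on a near-constant
     interval, which is what a timer-driven activation lookup looks like.
All addresses, names and log lines are constructed.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Hosts expected to issue TXT queries (SPF/DKIM/DMARC checks). Constructed;
# in practice this comes from your asset inventory.
MAIL_SERVERS = {"10.0.0.25"}

# Domains whose TXT lookups are known benign (an internal directory, the
# vendor domains the post mentions Macs querying, ...). Constructed.
BENIGN_TXT_SUFFIXES = (".corp.example",)

# Constructed query log: "<ts> <client_ip> <qname> <qtype>", deliberately
# not in time order so the parser's sort matters.
SAMPLE_DNS_LOG = """\
2017-08-14T00:00:03Z 10.0.0.25 example.net TXT
2017-08-14T00:00:07Z 10.0.0.25 _dmarc.example.org TXT
2017-08-14T00:02:11Z 10.0.5.42 www.example.com A
2017-08-14T00:02:12Z 10.0.5.42 c2-lookup.invalid TXT
2017-08-14T09:15:00Z 10.0.5.17 directory.corp.example TXT
2017-08-14T08:02:10Z 10.0.5.42 c2-lookup.invalid TXT
2017-08-14T11:30:00Z 10.0.5.18 somehost.invalid TXT
2017-08-14T16:02:14Z 10.0.5.42 c2-lookup.invalid TXT
2017-08-15T00:02:09Z 10.0.5.42 c2-lookup.invalid TXT
"""


def parse_dns_log(text):
    """Parse log lines into records sorted by timestamp; skip malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, client, qname, qtype = parts
        records.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "client": client,
            "qname": qname.lower().rstrip("."),
            "qtype": qtype.upper(),
        })
    records.sort(key=lambda r: r["ts"])
    return records


def unexpected_txt_queries(records, mail_servers=MAIL_SERVERS,
                           benign_suffixes=BENIGN_TXT_SUFFIXES):
    """TXT queries from hosts that have no business doing them."""
    return [
        r for r in records
        if r["qtype"] == "TXT"
        and r["client"] not in mail_servers
        and not r["qname"].endswith(benign_suffixes)
    ]


def periodic_txt_lookups(records, min_count=3, max_cv=0.1, **kw):
    """{(client, qname): mean_gap_seconds} for unexpected TXT lookups whose
    inter-query gaps are near-constant (coefficient of variation <= max_cv).
    min_count is the number of gaps required, so one more query than that."""
    by_pair = defaultdict(list)
    for r in unexpected_txt_queries(records, **kw):
        by_pair[(r["client"], r["qname"])].append(r["ts"])

    beacons = {}
    for pair, times in by_pair.items():
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if len(gaps) < min_count:
            continue
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            beacons[pair] = avg
    return beacons


if __name__ == "__main__":
    recs = parse_dns_log(SAMPLE_DNS_LOG)
    for r in unexpected_txt_queries(recs):
        print("unexpected TXT:", r["ts"].isoformat(), r["client"], r["qname"])
    for (client, qname), gap in periodic_txt_lookups(recs).items():
        print(f"periodic TXT beacon: {client} -> {qname} every {gap / 3600:.1f} h")
```

The single lookup from 10.0.5.18 is reported as unexpected but not as a beacon; only the four queries from 10.0.5.42, spaced about 8 hours apart, pass the periodicity test. On a large network the first list will be long and noisy, as the reply says; the second check is what makes the output reviewable, and both depend on the recursive resolver logging every query in the first place.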

Re: Easily detected - monitor for DNS TXT record queries ...

Albeit perhaps not widely known, DNS used for data exfiltration or cloaked communication by malware is not exactly a new technique but has been used for some time, unfortunately, with some high-profile retailers having their point-of-sale machines targeted by such crapware last year.

Thanks to algorithms and all those new analytics frameworks, there are solutions available today to help, by combining DNS payload and traffic analysis to identify exfiltration attempts. Though you still need to have visibility into your DNS traffic and control your recursive DNS infrastructure.

Not giving names, I'm working for a vendor of such solutions. :-)

0
0
Bronze badge

You can bet this is the last we will hear of this.

0
0

The Register - Independent news and views for the tech community. Part of Situation Publishing