Creepy backdoor found in NetSarang server management software

Researchers at Kaspersky Lab have found a well-hidden backdoor in NetSarang's server management software. The secret access route, dubbed Shadowpad by its discoverers, lurks in the nssock2.dll library within NetSarang's Xmanager and Xshell software suites. It pings out every eight hours to a command-and-control server with the …

  1. DryBones

    Yup, by all means, don't use Kaspersky in the US government. Mmm-hmm.

    Dips.

  2. Anonymous Coward

    "Regretfully, the Build release of our full line of products on July 18, 2017 was unknowingly shipped with a backdoor, which had the potential to be exploited by its creator," NetSarang said in a statement.

    A somewhat ambiguous statement that could, should one be uncharitable, not rule out the vendor as the creator. At best their QA is shit. At worst their practices are perhaps patriotic (just not your patriot).

    1. Peter Prof Fox

      QA != shit

      Perfection is a fool's dream.

      They were up against an intelligent attacker not a random zluttz.

      Good for holding up hands and being honest. Give credit where it's due.

      Even supposing, like you did, that NetSarang were the actual perps (eh, suddenly switch business model to kamikaze?), then the issue is out in the open and visible.

      "Patriotic"? Your trollisms don't work here mate.

      1. Anonymous Coward

        Re: QA != shit

        > Perfection is a fool's dream.

        > They were up against an intelligent attacker not a random zluttz.

        I'm not sure their customers want perfection, but something they can rely upon to do what it says on the tin would be nice. And since this particular tin says "Secure UNIX/Linux connectivity solution", I think their customers have the right to be angry.

        Since this is hardly the first time that backdoors have been incorporated into products and firmware in the supply chain, it is high time that hardware and software manufacturers took this sort of issue more seriously in their QA processes. And I think those that don't will soon be seeing the consequences on their bottom line.

    2. JimC

      > a somewhat ambiguous statement

      > not rule out the vendor as the creator

      If you haven't yet definitively identified the source it is foolish to rule out the possibility that it originated in house. An employee who has been suborned, even one who has been blackmailed: 'Here's a picture of your pretty daughter on her way to school. Here's a picture of one of the pretty girls our partner organisation "makes use of". You do want to include this code in the next revision, don't you?'

      It does, of course, militate against current PR 'best' practice not to assume the least unfavourable light until you know for sure exactly what happened, but it's not a bad thing.

      There's also the small point that if you are actively tracking down the bad guys, it may be a mistake to let them know how close you are getting in case they run before law enforcement catches them.

      1. MJB7

        Re: not rule out the vendor as the creator

        A suborned employee is not (in any real sense) "the vendor". A suborned employee is just a mechanism for how the external attacker places the code in the product.

        "The vendor as creator" was my initial thought on reading the headline; I thought it was a debugging tool that was left in place in the release. However, debugging tools don't tend to conceal their access to C&C servers like this...

  3. Anonymous Coward

    What is a DLL? Sounds like a really secure way to build an OS.

    1. Doctor Syntax Silver badge

      "What is a DLL? Sounds like a really secure way to build an OS."

      In Unix and Unix-like OSes the equivalent would be an SO.

      You can debate whether this is a more or less secure system than a self-contained fully linked binary. Both have strengths and weaknesses.

    2. waldo kitty

      > What is a DLL? Sounds like a really secure way to build an OS.

      well, you have a choice...

      1. use a shared file of routines and functions to keep programs smaller by compiling dynamically.

      2. make every program larger by including what could be shared code in all of them and compile everything statically.

  4. John Smith 19 Gold badge

    It does look like the company's development and distribution servers have been compromised

    Which is the nightmare scenario for Windows update users.

    "Set up a shadow file system in the registry"

    WTF?

    Would that be even possible in any other mainstream OS (that didn't have an everything-and-the-kitchen-sink "database" in it)?

    1. Paul Crawford Silver badge

      Re: It does look like the company's development and distribution servers have been compromised

      Don't worry, it will soon be in systemd as well.

    2. hplasm

      Re: It does look like the company's development and distribution servers have been compromised

      "Set up a shadow file system in the registry"

      next:

      "Set up a shadow file system in SystemD"

      Shudder...

    3. Pascal Monett Silver badge

      "a virtual file system inside the registry"

      Thanks again, Microsoft, for this abomination of an excuse that you've included since Windows 95.

      The Registry: the gift that keeps on giving (to DRM makers and hackers).

    4. itzman

      Re: It does look like the company's development and distribution servers have been compromised

      I am sure you could set up a shadow file in MySQL

  5. lglethal Silver badge

    FTFY

    "The fact that malicious groups and entities are utilizing commercial and legitimate software for illicit gain is an ever-growing concern and one that NetSarang, as well as others in the computer software industry, is taking very seriously now."

    1. Doctor Syntax Silver badge

      Re: FTFY

      "NetSarang, as well as others in the computer software industry, is taking very seriously now."

      Not so much now, more like once they've been hit.

  6. Anonymous Coward

    IP-Land

    If vendors had to buy IP addresses in a set range (non-geographic) for specific uses we could more readily assess network traffic for strange activity. Most of these backdoors will be using IP addresses that are not the original vendor's, so if I install some software that can only connect to IP-Land registered addresses X and Y, any attempts to connect to addresses outside that are non-standard traffic and should flag up. Critical software is not a browser; it should only ever perform known actions to known destinations.

    1. Pascal

      Re: IP-Land

      That's more or less what your firewalls are for; it's just that most people still assume firewalls are only meant to protect from external threats.

      So they still allow, for instance, all servers to connect to any IP in the world using the basic protocols (http/https for instance).

      Seems that financial client of Kaspersky was actually doing things right, and actually investigated blocked outgoing traffic to the point of hiring Kaspersky to figure out what was causing it.

      But in the end your idea is just another approach that would generally not be implemented for the same reasons -- so many people assume traffic originating from their own systems is legitimate by default.

  7. imanidiot Silver badge

    > It is assumed someone managed to hack into NetSarang's operations and silently insert the backdoor

    I'm thinking less hacking and more "convincing someone on the inside to implant the code or provide access".

  8. Anonymous Coward

    Someone managed to hack into NetSarang?

    "It is assumed someone managed to hack into NetSarang's operations and silently insert the backdoor"

    It is assumed, is it, without any evidence? And just who did the assuming? A more likely scenario is that it was done by the NetSarang developers at the behest of the state security apparatus. Or else they got a security audit done by some Israeli cyber threat company with links to the selfsame state security apparatus.

  9. Amos1

    Easily detected - monitor for DNS TXT record queries ...

    Only mail servers connected to the Internet should be performing regular TXT record lookups. That being said, Macs do it as well occasionally for whatever reason and those domains can be filtered out.

    DNS TXT records are a common way of performing command and control functions or of exfiltrating data via DNS Tunneling.

    But you have to be logging all DNS queries and non-aware companies will complain that it takes too much disk space. 'Cause, you know, it's better to be hacked and not know about it. That way you don't have to notify anyone.

    1. regadpellagru

      Re: Easily detected - monitor for DNS TXT record queries ...

      Good luck anyway, in any 2000+ employee company, with detecting an 8-hour-period DNS lookup amongst all the shit going to DNS, due to wrong configurations/design of all products/OSes used by everyone ...

      Dunno whether TXT lookups are a common way, but this is actually quite a stealthy method of remote activation ...

      1. efish

        Re: Easily detected - monitor for DNS TXT record queries ...

        Albeit perhaps not widely known, DNS used for data exfiltration or cloaked communication by malware is not exactly a new technique but has been used for some time unfortunately, with some high-profile retailers having their point-of-sale machines targeted by such crapware last year.

        Thanks to algorithms and all those new analytics frameworks, there are solutions available today to help, by combining DNS payload and traffic analysis to identify exfiltration attempts. Though you still need to have visibility into your DNS traffic and control your recursive DNS infrastructure.

        Not giving names, I'm working for a vendor of such solutions. :-)
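As an added illustration of Amos1's TXT-lookup suggestion and regadpellagru's point about picking an 8-hour period out of the DNS noise (example code added here, not from the article or any commenter): it parses constructed resolver log lines, drops TXT lookups from allowlisted mail servers and already-triaged benign names, and flags any client/name pair that keeps querying at a near-constant interval. The log format, hosts, allowlists and domain names are all assumed or constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample resolver log (not real traffic). Assumed line format:
# "<ISO timestamp> client=<ip> qtype=<type> qname=<name>"
SAMPLE_LOG = """\
2017-08-15T00:02:11 client=10.0.5.23 qtype=A qname=update.vendor.example
2017-08-15T00:02:12 client=10.0.5.23 qtype=TXT qname=beacon.placeholder-c2.example
2017-08-15T00:10:40 client=10.0.1.2 qtype=TXT qname=_dmarc.partner.example
2017-08-15T03:41:09 client=10.0.7.88 qtype=TXT qname=apple-check.example
2017-08-15T08:02:15 client=10.0.5.23 qtype=TXT qname=beacon.placeholder-c2.example
2017-08-15T12:00:00 client=10.0.1.2 qtype=TXT qname=_dmarc.other.example
2017-08-15T16:02:09 client=10.0.5.23 qtype=TXT qname=beacon.placeholder-c2.example
2017-08-16T00:02:14 client=10.0.5.23 qtype=TXT qname=beacon.placeholder-c2.example
"""

LINE_RE = re.compile(r"^(\S+) client=(\S+) qtype=(\S+) qname=(\S+)$")

MAIL_SERVERS = {"10.0.1.2"}            # hosts expected to do routine TXT lookups (assumed)
KNOWN_NOISE = {"apple-check.example"}  # TXT names already triaged as benign (constructed)


def parse_txt_queries(log_text, allow_clients=MAIL_SERVERS, ignore_names=KNOWN_NOISE):
    """Return {(client, qname): [timestamps]} for TXT queries outside the allowlists."""
    seen = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, client, qtype, qname = m.groups()
        if qtype != "TXT" or client in allow_clients or qname in ignore_names:
            continue
        seen[(client, qname)].append(datetime.fromisoformat(ts))
    return seen


def find_beacons(log_text, min_queries=3, jitter_s=120):
    """Flag (client, qname) pairs whose TXT queries recur at a near-constant interval.

    Returns {(client, qname): period_in_hours}. A pair is reported only when it has
    at least min_queries lookups and every gap agrees within jitter_s seconds.
    """
    beacons = {}
    for key, times in parse_txt_queries(log_text).items():
        if len(times) < min_queries:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if max(gaps) - min(gaps) <= jitter_s:
            beacons[key] = round(sum(gaps) / len(gaps) / 3600, 2)
    return beacons
```

On the constructed log, the one-off Mac-style lookup and the mail server's DMARC checks are dropped and only the host querying the same name every eight hours is reported.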

  10. razorfishsl

    you can bet this is the last we will hear of this.
