7 results tagged backdoors
Fully Countering Trusting Trust through Diverse Double-Compiling - Countering Trojan Horse attacks on Compilers https://dwheeler.com/trusting-trust/
Thu 23 Oct 2025 09:16:01 AM PDT archive.org

Here’s information about my work to counter the “Trusting Trust” attack. The “Trusting Trust” attack is an incredibly nasty attack in computer security; up to now it’s been presumed to be the essential uncounterable attack. I’ve worried about it for a long time, essentially since Ken Thompson publicly described it. After all, if there’s a known attack that cannot be effectively countered, should we be using computers at all? Thankfully, I think there is an effective countermeasure, which I have named “Diverse Double-Compiling” (DDC).

This page notes my 2009 PhD dissertation and its preceding 2005 ACSAC paper, a little about citing my work, and detailed data (to duplicate the experiments). It then has sections on countering misconceptions, what about applying this to hardware?, Software patents and application programmer interface (API) copyrights, credit where credit is due, and who’s talking about it?. We then have a section on real-world application of DDC, specifically discussing GNU Mes. It includes a large section on some related material.

archived research compilers backdoors detection
hlein/distro-backdoor-scanner https://github.com/hlein/distro-backdoor-scanner
Mon 08 Apr 2024 12:47:46 PM PDT archive.org

Tools to scan OS distributions for backdoor indicators.

The toolkit used for the xz-utils backdoor is far too sophisticated to be a first draft. Were there earlier iterations of this, that shared some things in common but were slightly simpler, injected into other projects? Can we detect the style/"fist" of the author elsewhere? More so the delivery mechanics than the contents of the extracted+injected malicious .so.

These scripts unpack the source packages for all of a distro repo's current packages, then scan them for content similar to the malware that was added to xz-utils.

Running over the unpacked source trees of ~19k Gentoo packages and ~40k Debian packages gives a manageable amount of results (~hundreds of hits), digestible by a human. So far the only confirmed malicious results are... from the backdoored xz-utils versions.

xz backdoors scanners linux
karcherm/xz-malware https://github.com/karcherm/xz-malware
Tue 02 Apr 2024 08:11:31 AM PDT archive.org

Stuff discovered while analyzing the malware hidden in xz-utils 5.6.0 and 5.6.1.

xz malware research notes backdoors tools reverseengineering
amlweems/xzbot https://github.com/amlweems/xzbot
Mon 01 Apr 2024 01:05:41 PM PDT archive.org

Notes, honeypot, and exploit demo for the xz backdoor (CVE-2024-3094).

backdoors research demos notes xz golang
[oss-security] backdoor in upstream xz/liblzma leading to ssh server compromise https://lwn.net/ml/oss-security/20240329155126.kjjfduxw2yrlxgzm@awork3.anarazel.de/
Mon 01 Apr 2024 10:07:29 AM PDT archive.org

Archive of the xz/liblzma backdoor thread, ongoing on oss-security.

infosec backdoors archive xz
BIOS Master Password Generator for Laptops https://bios-pw.org/
Sun 19 Aug 2018 09:07:54 PM PDT archive.org

Give it an identifier or serial number for a Compaq, Dell, Fujitsu, HP, Insyde, Phoenix, Sony, or Samsung laptop, and it'll generate a backdoor passcode to get into the system settings.

Github: https://github.com/bacher09/pwgen-for-bios

bios laptop generators backdoors codes passwords archived
How to find a backdoor in a hacked WordPress | Nothing to See Here http://ottodestruct.com/blog/2009/hacked-wordpress-backdoors/
Tue 20 Mar 2018 01:45:30 AM PDT archive.org

An excellent blog post on how WordPress backdoors work, how they're hidden, and how they're used.

xss obfuscation code security infosec hacks sysadmin backdoors wordpress injection cleanup
6746 links, including 433 private