Embedded Malicious Code

Description

This vulnerability occurs when an application or codebase contains intentionally harmful code inserted by a developer or third party.

Extended Description

Often called a Trojan horse, logic bomb, time bomb, or backdoor, this malicious code is designed to perform a legitimate function while secretly exploiting the system's permissions. The developer who inserts it typically aims to bypass security controls, steal data, or cause damage at a specific future trigger, abusing the trust placed in the application. Detecting these intentional flaws requires scrutinizing code for unexpected behaviors, hidden payloads, or suspicious time-based logic. Managing this risk at scale is difficult; an ASPM platform like Plexicus can help by correlating SAST findings with behavioral anomalies and using AI to prioritize these high-severity, intentional threats across your entire software supply chain.

Common Consequences 1

Scope: ConfidentialityIntegrityAvailability

Impact: Execute Unauthorized Code or Commands

Detection Methods 4

Manual Static Analysis - Binary or BytecodeSOAR Partial

According to SOAR [REF-1479], the following detection techniques may be useful: ``` Cost effective for partial coverage: ``` Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies Generated Code Inspection

Dynamic Analysis with Manual Results InterpretationSOAR Partial

According to SOAR [REF-1479], the following detection techniques may be useful: ``` Cost effective for partial coverage: ``` Automated Monitored Execution

Manual Static Analysis - Source CodeSOAR Partial

According to SOAR [REF-1479], the following detection techniques may be useful: ``` Cost effective for partial coverage: ``` Manual Source Code Review (not inspections)

Automated Static AnalysisSOAR Partial

According to SOAR [REF-1479], the following detection techniques may be useful: ``` Cost effective for partial coverage: ``` Origin Analysis

Potential Mitigations 1

Phase: Testing

Remove the malicious code and start an effort to ensure that no more malicious code exists. This may require a detailed review of all code, as it is possible to hide a serious attack in only one or two lines of code. These lines may be located almost anywhere in an application and may have been intentionally obfuscated by the attacker.

Demonstrative Examples 1

In the example below, a malicous developer has injected code to send credit card numbers to the developer's own email address.

Code Example:

Bad

Java

java

// Authorize credit card.*

java

Observed Examples 1

CVE-2022-30877A command history tool was shipped with a code-execution backdoor inserted by a malicious party.

References 2

A Taxonomy of Computer Program Security Flaws, with Examples

Carl E. Landwehr, Alan R. Bull, John P. McDermott, and William S. Choi

19-11-1993

https://cwe.mitre.org/documents/sources/ATaxonomyofComputerProgramSecurityFlawswithExamples%5BLandwehr93%5D.pdf(2024-11-17)

ID: REF-1431

State-of-the-Art Resources (SOAR) for Software Vulnerability Detection, Test, and Evaluation

Gregory Larsen, E. Kenneth Hong Fong, David A. Wheeler, and Rama S. Moorthy

07-2014

https://www.ida.org/-/media/feature/publications/s/st/stateoftheart-resources-soar-for-software-vulnerability-detection-test-and-evaluation/p-5061.ashx(2025-09-05)

ID: REF-1479

Modes of Introduction

Implementation

Bundling

Distribution

Installation

Related Attack Patterns

Related Weaknesses

ChildOf:

Hidden Functionality (CWE-912)

Taxonomy Mapping

Landwehr

Notes

TerminologyThe term "Trojan horse" was introduced by Dan Edwards and recorded by James Anderson [18] to characterize a particular computer security threat; it has been redefined many times [4,18-20].