The author of a widely used backdoor Trojan horse program has admitted the application itself contains a backdoor, meaning the malware writer could himself potentially access compromised machines.

On the site distributing the Optix Pro Trojan, malware writer "Sleaze" (or "s13az3") recently said he had secretly embedded a master password into his creation, and warned that the password for older versions of the software had been leaked publicly. "The latest versions of Optix Pro are always safe from this kind of thing," he wrote. "So make sure you update!!!"

Trojans do not propagate themselves as worms do, though worms sometimes carry Trojans as a payload. Instead, the programs install a server on the compromised machine, giving a remote user complete control over the computer. Indeed, some Trojans can be used as legitimate remote-access tools, although Optix Pro doesn't fall into this category - it automatically disables some firewall and anti-virus software.

The spread of ready-made Trojans such as Optix allows even relatively unskilled users to create their own networks of hacked PCs, ordinarily accessible only via a password set by the attacker. However, in this case the Trojan, which has been downloaded nearly 270,000 times according to a counter on the site, is also accessible via an encrypted master password built into the software, according to Sleaze.

The Trojan writer defended his actions in a message late last month, arguing he had only included the backdoor for personal insurance. If he ever felt the FBI was investigating him "because Optix Pro became 'too' popular", he intended to release the master password in order to decrease the usage of the tool, Sleaze wrote.

"[Releasing the master password] makes people stop using the product to a certain extent, it reduces the popularity and reduces the heat from the FBI for example," he wrote.

Sleaze attempted to regain the trust of his users in the hacking underworld by assuring them that versions of Optix Pro later than v1.3 are secure - they too contain a master password, but it is far better protected, Sleaze said.

Some other backdoors, including the popular SubSeven and one called Infector, have also included master passwords, according to SecurityFocus editorial director (and former hacker) Kevin Poulsen, who originally reported the backdoor.