‘Trojan Source’ can inject malware into source code undetected


A new research paper has been published with details about a new technique that can be exploited to inject malware into source code without being detected. Named ‘Trojan Source’ by Cambridge University researchers, the method involves the manipulation of source file encoding so that human viewers and compilers see different logic.

The researchers showed that, by exploiting text-encoding standards such as Unicode, they can encode malicious tokens in a logical order that differs from the order in which they are displayed, so the source code a human reads is not the code the compiler parses.

The method was demonstrated across several coding languages that include Go, Python, Rust, Java, JavaScript, C++, and C.

Mitigation efforts underway

The researchers noted that the method could be deployed against almost any programming language whose compiler accepts source files in a common text encoding such as Unicode.

Although going public with this information is potentially cause for alarm, as hackers could use it to target victims, the researchers spent months coordinating a disclosure program to allow suppliers of code repositories, code editors, interpreters, and compilers to make changes that protect from a potential attack of this nature.

Half of those contacted are working on patches or have deployed patches while others have not been so quick in their response.
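The kind of check an editor, compiler or review tool can add is to scan source text for Unicode bidirectional control characters, which are the characters that make displayed order differ from logical order. The following is an added example written for this article, not code from the researchers or from any of the vendors mentioned; the function names and the constructed sample are assumptions.

```python
import unicodedata
from typing import List, Tuple

# Unicode bidirectional control characters: embeddings, overrides and
# isolates. Any of them can make the rendered order of source text differ
# from the logical order that the compiler actually parses.
BIDI_CONTROLS = {
    "\u202a", "\u202b", "\u202c", "\u202d", "\u202e",  # LRE, RLE, PDF, LRO, RLO
    "\u2066", "\u2067", "\u2068", "\u2069",            # LRI, RLI, FSI, PDI
}


def find_bidi_controls(source: str) -> List[Tuple[int, int, str]]:
    """Return (line, column, Unicode name) for every bidi control in source.

    Lines and columns are 1-based. The input is decoded text, so read files
    with an explicit encoding (e.g. UTF-8) before calling this."""
    findings = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        for col, ch in enumerate(line, start=1):
            if ch in BIDI_CONTROLS:
                findings.append((line_no, col, unicodedata.name(ch)))
    return findings


def is_trojan_source_safe(source: str) -> bool:
    """True when the source contains no bidi control characters at all."""
    return not find_bidi_controls(source)


def escape_bidi_controls(source: str) -> str:
    """Rewrite each bidi control as a visible \\uXXXX escape so that a
    reviewer sees it instead of a silently reordered line."""
    return "".join(
        f"\\u{ord(ch):04x}" if ch in BIDI_CONTROLS else ch for ch in source
    )


# Constructed sample (not from the paper): a comment that carries a
# right-to-left override, U+202E, which a plain text view would not show.
SAMPLE = (
    "def check(user):\n"
    "    # verify access \u202e disabled\n"
    "    return True\n"
)

if __name__ == "__main__":
    for line, col, name in find_bidi_controls(SAMPLE):
        print(f"line {line}, col {col}: {name}")
    print(escape_bidi_controls(SAMPLE))
```

Run the scanner over every file in a commit as a pre-receive or CI step; a non-empty result is a reason to block the merge until the character is explained or removed.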

You should update

One of the first contacts to implement protections is the Rust project, which announced a new version with protection on Monday.

A bug like this presents hackers with an interesting attack surface. What the Cambridge researchers have described is a novel way of breaching a system. The proofs-of-concept are not malicious, but in the hands of a sophisticated attacker or hacker collective they can be weaponized and used.

The good news is that the attack flow would be so difficult to carry out that it would have little hope of going unnoticed. Even so, it is good to update to the latest versions of the affected languages.