Closing the Door | End of Backdoor Factory
"The time has come," the walrus said, "to talk of many things: Of shoes and ships - and sealing wax - of cabbages and kings" ― Lewis Carroll
I've been thinking about ending support for Backdoor Factory (BDF), including BDFProxy, for a couple of months. The idea has crept up more and more as my attention is often pulled in more interesting directions.
Writing and maintaining BDF (since 2013) has been fun, but it is time to move on to other things. The code will stay up, but I won't be adding any more features or maintaining any code.
I originally wrote BDF to automate the manual process of infecting PE files, to show that Anti-Virus (AV) is easy to bypass (it still is) and that file infectors still have a place in offensive use cases. I added ELF and Mach-O binaries, x86 and 64-bit support, code signing, etc. It was fast. So fast that I created BDFProxy, which led me to finding OnionDuke.
BDF was fairly popular, averaging about 1500 unique clones every two weeks for the past couple of years just from my git repo. It was added into Kali and other distributions. I have used it in demos at many presentations: two DerbyCon presentations (1, 2), ShmooCon 2015, Black Hat 2015, Infiltrate 2016, Eko Party 2016, REcon Brussels 2016, and DEF CON 25.
It wasn't until July 2015 that an AV finally flagged one of my IAT custom payloads. Since then, more AVs have written their own detections. I know how each one is detecting and how to bypass them. That's how fragile AV signatures are. I could update BDF and add features to bypass their detections, wait another six months to a year for new detections to come out, and bypass again. Rinse and repeat. It's like a bug bounty where only AVs win and I lose my time.
There really is no incentive for me to continue that cycle. At least publicly.
I've considered making a professional version of BDF, and that path looks quite dangerous and not very profitable. I think if someone were to do that, the risk of legal entrapment is high: one could accidentally provide customer support to someone doing illegal things and be caught up in their actions when they are eventually caught by law enforcement. Let's face it, if someone is paying for a cheap file infector (something that is easy to write yourself), they aren't very bright.
It's time to move on to more interesting ideas and harder problems.