
Malware spotlight: What are backdoors?

November 6, 2019 by Greg Belding

Introduction

Imagine staring down an impregnable fortress or network and determining that there is no conceivable way in without obvious detection. You would probably trade half of the tools in your proverbial toolkit to have a sort of back door into this fortress. Attackers understand this and have developed a specialty type of Trojan for this situation called a backdoor.

This article will give you a detailed explanation and description of backdoor malware, backdoors versus exploits, how backdoors work and some real-world examples of backdoors, as well as recommendations for protection against backdoors.


What are backdoors?

What are backdoors, anyway? A backdoor is any method that allows a user, authorized or unauthorized, to get around security measures and obtain root or other high-level access on a system, computer or device. There are two different types of backdoors, and those outside cybersecurity are probably thinking of the non-malware type.

Many first heard about backdoors in 2013, when whistleblower Edward Snowden uncovered a decades-old initiative by the NSA to force companies producing electronic devices to install backdoors on their products. These backdoors were installed to give intelligence agencies a way to get around security measures on devices and access the information they contain (especially useful during investigations). This is considered a physical backdoor; it is the non-malware type of backdoor and is normally used for benevolent purposes.

Malware backdoors are usually installed by an attacker and are technically a form of Trojan, which is a different type of malware altogether. The common use of backdoors in attack campaigns, coupled with their unique capabilities, puts them in a league of their own.

Backdoors versus exploits

Some may consider backdoors and exploits the same based upon some technical and logistical similarities, but this is simply not true. To shed some light on this quasi-issue, let’s take a look at what exploits are.

Exploits take advantage of accidental software vulnerabilities that may give an attacker access to your system. While this may at first glance seem very similar to a backdoor, there is one major difference that carries the day: exploits are accidental ways into a system, whereas backdoors are deliberately built to allow secret access to a system.

How do backdoors work?

To understand how backdoors work, you first must understand how the backdoor got onto the compromised system in the first place. As mentioned earlier, backdoors are technically Trojans, and as such, they exhibit the same deceptive traits that Trojans do.

Backdoors are often disguised as something else. The classic example is a backdoor named after legitimate software, so that what the user believes is an installation of that software installs the backdoor instead. Another classic example is an online file converter or P2P download that makes you think you are getting that great song you recently discovered, when in reality you just downloaded a backdoor. It is safe to say that trickery is the main method of getting a backdoor onto a system.

Second, understanding how backdoors work requires you to understand their versatility in the attacker's toolbox. Since backdoors are Trojans, which are very versatile, they play a role in an attack whenever needed, and sometimes a backdoor is just a setup for installing further malware. For example, an attacker may install a backdoor only to install a rootkit or other malware at a later time. In practice, backdoors play a strategic role in attack campaigns and work hand-in-hand with the other tools available to the attacker to see the attack through.

Real-world examples of backdoors

Back Orifice

Throwing us back to the days of Windows 98, Back Orifice was a backdoor that allowed attackers to control Windows systems remotely. It did so by taking advantage of security issues within Microsoft Office, and it was cleverly disguised with a name that was a play on Microsoft BackOffice Server, tricking victims into thinking it was legitimate. This is also a good example of how backdoors and exploits differ: a backdoor can take advantage of an exploit to lodge itself in a system, so exploits can be just another means to the end of installing a backdoor.

KeyBoy

KeyBoy is a backdoor that was attached to malicious Microsoft Word documents. Going a step beyond simply allowing backdoor access to systems that downloaded these malicious documents, KeyBoy automatically loads a malicious DLL file after the document is downloaded. This is a good example of a backdoor that offers functionality beyond just being a secret entrance to the system.

Emotet

Beginning as an information stealer, this worm-like Trojan eventually became a full-service backdoor and delivery vehicle for other types of malware. Emotet is an example of backdoor capability being built into a tool that offers a wide range of functionality. Sometimes backdoor capability is part and parcel of an attack tool, as opposed to a standalone, dedicated backdoor.

Protection against backdoors

Unlike built-in backdoors, backdoor malware is something you can take measures to protect your system against. Below are some suggested protective measures:

  • Keep your Windows updates current
  • Change passwords regularly with some degree of complexity
  • Choose plug-ins and applications carefully: Backdoor malware has been found in many plug-ins and applications on the web, especially free ones. Scan the plug-in or application with your internet security solution to help determine whether a backdoor or other malware is present
  • Use a solid internet security solution
  • Monitor your network activity: Strange spikes could indicate that a backdoor is in use
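One way to act on the "monitor your network activity" advice above, as an added example that is not part of the original article: the script below parses a handful of constructed outbound flow records (timestamps, hosts and byte counts are all made up) and flags two patterns that a backdoor in use tends to produce, a periodic check-in to one destination with almost no timing jitter, and a single transfer far larger than that destination's usual traffic.

```python
"""Flag outbound traffic patterns that may indicate a backdoor in use."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample flow records: "timestamp src dst:port bytes_out".
# 203.0.113.10 is contacted every 5 minutes; 198.51.100.7 gets one huge upload.
SAMPLE_FLOWS = """
2019-11-06T09:00:00 10.0.0.5 203.0.113.10:443 512
2019-11-06T09:05:00 10.0.0.5 203.0.113.10:443 520
2019-11-06T09:10:00 10.0.0.5 203.0.113.10:443 498
2019-11-06T09:15:00 10.0.0.5 203.0.113.10:443 515
2019-11-06T09:20:00 10.0.0.5 203.0.113.10:443 505
2019-11-06T09:02:13 10.0.0.5 198.51.100.7:443 2048
2019-11-06T09:37:44 10.0.0.5 198.51.100.7:443 91000
2019-11-06T10:11:09 10.0.0.5 198.51.100.7:443 300
""".strip().splitlines()


def parse_flows(lines):
    """Turn each record into (timestamp, src, dst, bytes_out)."""
    flows = []
    for line in lines:
        ts, src, dst, nbytes = line.split()
        flows.append((datetime.fromisoformat(ts), src, dst, int(nbytes)))
    return flows


def beaconing_destinations(flows, min_hits=4, max_jitter=0.2):
    """Destinations contacted at near-constant intervals (periodic check-in).
    Returns {destination: average interval in seconds}."""
    by_dst = defaultdict(list)
    for ts, _src, dst, _nbytes in flows:
        by_dst[dst].append(ts)
    suspects = {}
    for dst, times in by_dst.items():
        times.sort()
        if len(times) < min_hits:
            continue  # too few contacts to judge regularity
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        # Low relative spread of the gaps means the contacts are on a timer.
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            suspects[dst] = round(avg)
    return suspects


def volume_spikes(flows, factor=10):
    """Single flows far larger than the typical (median) flow to the same host.
    Returns {destination: largest spiking flow in bytes}."""
    by_dst = defaultdict(list)
    for _ts, _src, dst, nbytes in flows:
        by_dst[dst].append(nbytes)
    spikes = {}
    for dst, sizes in by_dst.items():
        baseline = sorted(sizes)[len(sizes) // 2]
        big = [s for s in sizes if s > factor * baseline]
        if big:
            spikes[dst] = max(big)
    return spikes
```

On the sample data the first check reports the 300-second beacon to 203.0.113.10:443 and the second reports the 91,000-byte upload to 198.51.100.7:443; real flow logs need the thresholds tuned against a baseline of known-good traffic.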

Conclusion

Backdoors are malware that allow attackers to secretly access a system with elevated user rights. This allows attackers to steal information, install other malware and to otherwise further an attack campaign. This should alarm even the least security-minded, but fear not. By observing conventional, common sense information security measures, it is possible to prevent even the trickiest of backdoors.


Greg Belding

Greg is a Veteran IT Professional working in the Healthcare field. He enjoys Information Security, creating Information Defensive Strategy, and writing – both as a Cybersecurity Blogger as well as for fun.