A backdoor is malware that bypasses normal authentication procedures to access a system. As a result, makes remote access to resources within an application, such as databases and file servers, giving attackers the ability to remotely issue system commands and install furter malware.
Backdoor installation for example can be achieved by taking advantage of vulnerable components in a web application. Once installed, detection is difficult as files tend to be highly obfuscated.
The most prevalent backdoor installation method involves remote file inclusion (RFI), an attack method that exploits vulnerabilities within applications that dynamically reference external scripts. In an RFI scenario, the referencing function is tricked into downloading a backdoor trojan from a remote host.
Attackers identify targets using scanners, which locate websites having unpatched or outdated components that enable file injection. A successful scanner then leverages the vulnerability to install the backdoor. Once installed, it can be accessed at any time, even if the vulnerability enabling its initial insertion has since been patched.
Backdoor trojan insertion is often done in a two-step process to bypass security rules preventing the upload of files above a certain size. The first phase involves installation of a dropper—a small file whose sole function is to retrieve a bigger file from a remote location. It initiates the second phase—the downloading and installation of the backdoor script on the server.
Once installed, backdoors are very hard to find as they are almost always masked through the use of alias names and code obfuscation (sometimes even multiple layers of encryption).
Detection is further complicated if applications are built on external frameworks that use third-party plugins; these are sometimes fraught with their own vulnerabilities or built-in backdoors. Scanners that rely on heuristic and signature-based rules might not be able to detect hidden code in such frameworks.
Even if a backdoor is detected, typical mitigation methods (or even a system reinstallation) may remove it from an applicationthe backdoor has a persistent presence in rewritable memory.
If you are interested in finding out more about the IISF, or would like to attend one of our Chapter Meetings as an invited guest, please contact the
Enhance your Cybersecurity knowledge and learn from those at the coalface of information Security in Ireland
Sponsors are featured prominently throughout the IISF.IE website, social media channels as well as enjoying other benefits Read more