How attackers install backdoors and what to do about it

How did that backdoor get there? If you've ever had this thought, there are a couple things you should know, according to Tony Bradley. In this article, he looks at how backdoors are installed, how to keep them from being installed and how to track them down.

If you returned home to find a shattered window and a ransacked home, it would be fairly obvious to you that you'd

been burglarized. But, if the thief knew about a secret entrance to your home through which he could enter unseen, and he was careful not to disturb anything, you may never even know he was there.

Computer attackers often install backdoor programs for just that purpose. A backdoor is a secret or hidden passage into your computer system allowing the attacker repeated access without your knowledge. The obvious question then is "how did the attacker get the backdoor software installed on my computer in the first place?"

The answer in most cases is through a Trojan of some sort. Just as the Trojan Horse from Greek mythology was an attack disguised as a gift, a Trojan program is malicious code hidden within a seemingly friendly or useful piece of software. Trojans don't run automatically, but are typically designed to trick or lure the user into running an executable program.

The malicious code in the Trojan could be a variety of things, including a backdoor program such as Sub7 or Back Orifice. The backdoor generally installs a server component on the compromised machine. That server component then opens a certain port or service allowing the attacker to connect to it using the client component of the backdoor software. Some backdoor programs will even alert the attacker when a compromised computer is available online.

You can protect your computer from backdoor software through a variety of ways. First, the obvious:

  1. Never execute any unknown e-mail file attachments.
  2. Never install pirated or questionable software.
  3. Never run file attachments received via instant messaging.
  4. Be very cautious of files downloaded through peer-to-peer (P2P) networking systems such as Kazaa.
  5. Always keep your antivirus software up to date.

There are a few less obvious, proactive things you can do as well.

There are tools such as BackOfficer Friendly, available free from NFR Security Inc., which will monitor your system and alert you when an attempt is made to install backdoor software. This program is aimed specifically at detecting the Back Orifice back door, but it also detects other suspicious port scans.

If you suspect that a system may already be compromised, you can use utilities such as Vision from Foundstone Inc., a division of McAfee. Vision maps executables to the ports they use, allowing you to identify suspicious applications. Chrootkit is another useful tool. It can help identify system binaries that have been modified by a backdoor, and it runs various tests and checks for signs of a backdoor or other system compromise.

About the author:
Tony Bradley is a consultant and writer with a focus on network security, antivirus and incident response. He is the About.com Guide for Internet / Network Security, providing a broad range of information security tips, advice, reviews and information. Tony also contributes frequently to other industry publications. For a complete list of his freelance contributions you can visit Essential Computer Security.

Next Steps

Tip: Get your network hacked in 10 easy steps

Tip: Intrusion detection resources

Learning Center: Google hacking

This was first published in September 2005

Dig deeper on Network intrusion detection and prevention and malware removal

Pro+

Features

Enjoy the benefits of Pro+ membership, learn more and join.

0 comments

Oldest 

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

SearchVirtualDesktop

SearchWindowsServer

SearchExchange

Close