If you returned home to find a shattered window and a ransacked home, it would be fairly obvious to you that you'd been burglarized. But, if the thief knew about a secret entrance to your home through which he could enter unseen, and he was careful not to disturb anything, you may never even know he was there.
Computer attackers often install backdoor programs for just that purpose. A backdoor is a secret or hidden passage into your computer system allowing the attacker repeated access without your knowledge. The obvious question then is "how did the attacker get the backdoor software installed on my computer in the first place?"
The answer in most cases is through a Trojan of some sort. Just as the Trojan Horse from Greek mythology was an attack disguised as a gift, a Trojan program is malicious code hidden within a seemingly friendly or useful piece of software. Trojans don't run automatically, but are typically designed to trick or lure the user into running an executable program.
The malicious code in the Trojan could be a variety of things, including a backdoor program such as Sub7 or Back Orifice. The backdoor generally installs a server component on the compromised machine. That server component then opens a certain port or service allowing the attacker to connect to it using the client component of the backdoor software. Some backdoor programs will even alert the attacker when a compromised computer is available online.
You can protect your computer from backdoor software through a variety of ways. First, the obvious:
- Never execute any unknown e-mail file attachments.
- Never install pirated or questionable software.
- Never run file attachments received via instant messaging.
- Be very cautious of files downloaded through peer-to-peer (P2P) networking systems such as Kazaa.
- Always keep your antivirus software up to date.
There are a few less obvious, proactive things you can do as well.
There are tools such as BackOfficer Friendly, available free from NFR Security Inc., which will monitor your system and alert you when an attempt is made to install backdoor software. This program is aimed specifically at detecting the Back Orifice back door, but it also detects other suspicious port scans.
If you suspect that a system may already be compromised, you can use utilities such as Vision from Foundstone Inc., a division of McAfee. Vision maps executables to the ports they use, allowing you to identify suspicious applications. Chrootkit is another useful tool. It can help identify system binaries that have been modified by a backdoor, and it runs various tests and checks for signs of a backdoor or other system compromise.
About the author: Tony Bradley is a consultant and writer with a focus on network security, antivirus and incident response. He is the About.com Guide for Internet / Network Security, providing a broad range of information security tips, advice, reviews and information. Tony also contributes frequently to other industry publications. For a complete list of his freelance contributions you can visit Essential Computer Security.
More information from SearchWindowsSecurity.com
This was first published in September 2005