Analysis of an Intrusion: Backdoors

The concept of “Backdoor” has seen many interpretations during the relatively short history of the Internet. Microsoft defines Backdoors as “A hidden entrance to a computer system that can be used to bypass security policies”, and, in essence, that is what they are. A Backdoor allows an attacker to access a remote computer, bypassing authentication and other security measures in place (and may affect any platform). Backdoors are often (and rightly so) linked to Malware, Trojans specifically. But that is only part of the story: obviously a Backdoor is first and foremost a security vulnerability. However, most of the time, its very existence is made possible by other types of unrelated security vulnerabilities which are.

There are various categorizations for Backdoors. Most of them are based on how they work: technology being used, visibility to specialized detection tools, scope, etc. In order to better understand them as complex security vulnerabilities, and prove that security vulnerabilities of various types always play a major role in the existence of Backdoors, we should have a look at a categorization based on the factors that generate the Backdoor condition:

Backdoors created by misconfigurations of critical security aspects in Internet-facing services

Misconfiguration is a widespread Backdoor-generating factor. All Internet-facing services support a range of security measures that regulate access to the service itself, or to the infrastructure behind it. Furthermore, the security mechanisms in place support various parameters and configurations that enable them to function. If such parameters are not correctly configured, a Backdoor condition may appear. IT admins may unintentionally forget to modify a default setting that regulates anonymous access, or they may intentionally enable it for specific purposes without thinking about the security implications, and then often forget to disable it.

Examples:

  • Anonymous FTP vulnerability: This is a configuration choice that enables users to access an FTP server without credentials. Sometimes such functionality is required, and IT admins go the extra mile to configure appropriate access rights for anonymous users and a myriad of other settings to make sure that anonymous access does not pose a danger. However, in many cases anonymous FTP access is there because somebody left a default value unchanged without realizing the implications. Anyone on the Internet could then access the website directory listing, including sensitive files containing passwords to backend systems or database connection strings. Such a misconfiguration can also allow anonymous users to modify content or upload malware.
  • CIFS null session vulnerabilities: As in the example above, null sessions may be required for normal network operations, but the level of access they grant needs to be controlled. Otherwise, attackers can gain access to shares and to information about user accounts and the system.
  • Weak/default/blank passwords: Weak passwords are prone to dictionary attacks which, if successful, grant access to the resources available to the inadequately protected accounts. Critical network devices and UTM solutions are also very often shipped with default administration credentials, and changing the default password is amazingly often overlooked once the initial configuration is done. Thus, attackers have the opportunity to use the Backdoor as it is, or to install a new one in case passwords are changed later and the initial Backdoor gets closed. Alternatively, they can exploit the default passwords to gain privileged access to the very solutions or network devices deployed to keep them away.
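To show how an unmodified default turns into the anonymous-FTP condition described above, here is an added example (not from the original article) that audits a vsftpd configuration: any directive that is missing takes the upstream default documented in vsftpd.conf(5), and anonymous login plus anonymous write access are flagged. The directive names are real vsftpd options; the two sample configs are constructed.

```python
"""Audit a vsftpd configuration for the anonymous-access settings that create
a Backdoor condition. Added example, not from the original article; the
directive names and defaults follow vsftpd.conf(5); sample configs are constructed."""

# Upstream defaults per vsftpd.conf(5): anonymous login is ON unless disabled.
DEFAULTS = {
    "anonymous_enable": "YES",
    "write_enable": "NO",
    "anon_upload_enable": "NO",
    "anon_mkdir_write_enable": "NO",
    "anon_other_write_enable": "NO",
}

def parse_vsftpd_conf(text):
    """Return {directive: VALUE}, skipping blank lines and '#' comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip().lower()] = value.strip().upper()
    return conf

def audit_anonymous_access(text):
    """Return findings; a missing directive takes its upstream default, which is
    exactly how an unmodified default becomes a Backdoor."""
    conf = parse_vsftpd_conf(text)
    setting = lambda k: conf.get(k, DEFAULTS[k])
    findings = []
    if setting("anonymous_enable") == "YES":
        origin = "explicit" if "anonymous_enable" in conf else "default"
        findings.append(f"anonymous login enabled ({origin})")
        if setting("write_enable") == "YES":  # anon writes also need write_enable
            for k in ("anon_upload_enable", "anon_mkdir_write_enable",
                      "anon_other_write_enable"):
                if setting(k) == "YES":
                    findings.append(f"anonymous users may write: {k}=YES")
    return findings

# Constructed samples: the weak config never mentions anonymous_enable.
WEAK_CONF = """\
listen=YES
write_enable=YES
anon_upload_enable=YES
"""
HARDENED_CONF = """\
listen=YES
anonymous_enable=NO
write_enable=YES
"""
```

Running `audit_anonymous_access(WEAK_CONF)` reports anonymous login enabled by default and anonymous uploads allowed; the hardened config produces no findings.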

How do network vulnerability scanners help?

Using a combination of port scanning, port probing and crafted requests, network vulnerability scanners detect such vulnerabilities and misconfigurations, and provide extensive information about the risks they pose and what to do to mitigate them. They also detect weak passwords by carrying out a dictionary attack themselves. Such conditions are not detected by antivirus scanners.

Backdoors created by vulnerabilities in the implementation of Internet-facing services

There are many cases where software and hardware vendors release products that have vulnerabilities allowing attackers to execute code remotely. Remote code execution allows attackers to compromise the systems and get access to sensitive data, thus generating the Backdoor in the system. At the very least, such a backdoor would allow the attacker to orchestrate further attacks.

CVE-2013-1493, for example, is a vulnerability in Java SE Update 15 (and earlier) that allows code execution. Attackers successfully exploited this vulnerability to deliver a Java-based malware Backdoor, which allowed them to issue commands to and receive responses from the affected machine.

Sometimes, vulnerabilities that generate a Backdoor condition may be delivered intentionally, via package updates, as was the case with the vsftpd Smiley Face Backdoor, which affected the vsftp daemon – an otherwise secure implementation of FTP server functionality for Linux-based systems. The Backdoor allowed attackers to access vsftp using a smiley as the user name. With open-source software, there is no telling when such a case may occur again, and proprietary software is not immune to backdoors created by such vulnerabilities either.

How do network vulnerability scanners help?

Network vulnerability scanners detect the vulnerabilities that potentially generate Backdoor conditions, allowing IT admins to take action and remove them before it is too late. Antivirus software does not detect such vulnerabilities, but it may detect a Backdoor payload delivered when they are exploited.

Backdoors via malware

Whenever attackers cannot find Backdoors in the target systems, they will try to create them themselves, in the form of small software programs that open and listen on a port, waiting for incoming instructions and granting access to system resources. It is not difficult to develop this functionality; however, it may be more difficult to get the package installed on a target machine, and it is surely more difficult to hide it from specialized detection tools. When it comes to delivering the payload, attackers rely on social engineering, web vulnerabilities or network vulnerabilities to make it possible.

A good example is the Blaster Worm TFTP Backdoor, a famous Backdoor affecting Windows OS up to version 2003 via the trivial FTP service. Backdoor.Wirenet.2 is a more recent variant, affecting Mac users.

How do network vulnerability scanners help?

Network vulnerability scanners help in two ways with malware-based Backdoors. First, they detect the vulnerabilities that make the malware delivery possible and help IT admins remove an important prerequisite. Second, they detect the open ports used by Backdoors to allow access to the compromised machine. Thus, IT admins can adjust the firewall configuration appropriately and can then trigger antivirus scanning to detect the malware. Antivirus software usually detects Backdoors, but there are cases where attackers put effort into hiding them and manage to elude detection, at least for a while. In the meantime, they can freely use the Backdoor they created.
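As an added example, not from the original article, the following check does the second thing the text says scanners do for malware Backdoors: it connect-scans a host for listening ports and reports any that are not in an approved baseline, which is the list an admin would then reconcile against the firewall rules. The baseline (ports 22 and 80) and the in-process stand-in listener are constructed for the demo.

```python
"""Flag listening TCP ports that are not in an approved baseline, the signal a
scanner uses to spot a Backdoor listener. Added example, not from the original
article; the baseline and the stand-in listener are constructed for the demo."""
import socket

def find_open_ports(host, ports, timeout=0.2):
    """Connect-scan the given ports and return the sorted list that accepted."""
    open_ports = []
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            if s.connect_ex((host, port)) == 0:  # 0 means the handshake completed
                open_ports.append(port)
    return sorted(open_ports)

def unexpected_ports(open_ports, baseline):
    """Ports that are open but not approved: candidates for a Backdoor listener."""
    return sorted(set(open_ports) - set(baseline))

def start_demo_listener(host="127.0.0.1"):
    """Constructed stand-in for a Backdoor: a bound, listening socket. The kernel
    completes handshakes into the backlog, so no accept() loop is needed for a
    connect scan to see it. Returns (port, close_fn)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))  # port 0: let the OS pick a free ephemeral port
    srv.listen(5)
    return srv.getsockname()[1], srv.close

def demo(baseline=frozenset({22, 80})):
    """Scan localhost for the baseline ports plus the demo listener and return
    (listener_port, ports_not_in_baseline)."""
    port, close = start_demo_listener()
    try:
        found = find_open_ports("127.0.0.1", sorted(baseline) + [port])
        return port, unexpected_ports(found, baseline)
    finally:
        close()

if __name__ == "__main__":
    port, flagged = demo()
    print(f"stand-in listener on {port}; unexpected listening ports: {flagged}")
```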

Irrespective of the factor that generates the Backdoor condition, network and web vulnerability scanners work together with antivirus software to provide the best level of protection. Network and web vulnerability scanners detect most Backdoors out there by identifying their prerequisites and by catching them in action when they listen on open ports.
