Backdoors let attackers control unprotected computers from just about any network, including public, home, and office systems. Taking advantage of a backdoor’s techniques—the actions backdoors are designed to perform—allow attackers to silently command computers to do things like snooping into online conversations, opening infected sites, and copying passwords.
For IT managers, discovering backdoors in their systems might mean that attackers have already started gathering critical information about their network. It might also mean that the attackers are well on their way to the third stage of the targeted attack process, establishing command-and-control communication. If this continues, these attackers will eventually steal information that they can sell or use for their own malicious purposes.
Trend Micro researchers looked into the way attackers use backdoors to command and control their target networks. So far, our researchers noted that attackers commonly take advantage of these eight backdoor techniques:
1. Backdoors communicate with ports.
If a network doesn’t have a firewall, it’s a lot easier for attackers to program a backdoor to communicate with a computer port. This is called port binding. Once the backdoor is bound to a port, attackers can freely communicate with the computer, making it easy to control.
2. Backdoors bypass firewalls.
If a network does have a firewall, attackers can use the connect back technique. They can modify a backdoor to check for available and unprotected ports to communicate with. This helps the backdoor bypass security solutions like firewalls and anti-malware. Once the backdoor finds a free port, attackers can connect it to their command-and-control (C&C) server.
3. Backdoors check for available connections and transfer files.
Oftentimes, attackers also use backdoors to check for available connections to bypass intrusion detection systems (IDS). Once they find one, attackers can use the backdoors to temporarily connect to the system and execute other malicious activities, like transferring files.
4. Backdoors connect to C&Cs via social media sites.
In this case, attackers can use backdoors to take advantage of legitimate social media sites. They program backdoors to connect to blog pages or online storage services that host C&C information.
5. Backdoors connect targets to attackers via common web services.
Backdoors are known to report information from inside a target network to attackers. They can do this by sending messages through common service protocols often used by popular web services like Gmail, Windows Live Messenger, or AJAX IM.
6. Backdoors can change protocols.
To avoid detection, backdoors can be programmed to modify the protocols they use to connect to C&C servers. For example, our researchers found a PlugX variant using the UDP protocol instead of the more commonly used TCP protocol.
7. Backdoors use custom DNS lookup to bypass detection.
One way for attackers to bypass blacklisting measures is by using a backdoor to trigger a custom DNS lookup from external web services. This technique diverts the traffic to the real C&C IP.
8. Backdoors reuse ports to listen in a network.
Backdoors designed to access varying levels of operating system privileges allow attackers to reuse ports already opened from the target machine.
Given all these backdoor techniques in the attackers’ pockets, IT administrators need to watch out for potential vulnerabilities in their network. As such, they’re expected to be equipped with both the solutions and expertise to monitor the network and detect malicious activity.