What are backdoors ?


A backdoor is a program or a set of related programs that a hacker installs on the victim computer to allow access to the system at a later time. A backdoor’s goal is to remove the evidence of initial entry from the systems log. But a “nice” backdoor will allow a hacker to retain access to a machine it has penetrated even if the intrusion factor has in the meantime been detected by the system administrator. Resetting passwords, changing disk access permissions or fixing original security holes in the hope of remedying the problem may not help.

A trivial example of a backdoor is default BIOS, router or switch passwords set either by careless manufacturers or security administrators.

A hacker could simply add a new user account with administrator privileges and this would be a sort of backdoor, but far less sophisticated and easy detectable.

Adding a new service is the most common technique to disguise backdoors in the Windows operating system. This requires involving tools such as Srvany.exe and Srvinstw.exe that comes with the Resource Kit utility and also with Netcat.exe [1]. The principle of this operation is that the srvany.exe tool is installed as a service and then permits netcat.exe to run as a service. The latter, in turn, listens on an appropriate port for any connection. Once connected, it will have spawned a remote shell on the server (using cmd.exe) and from this moment onwards, a hacker has free reign.

Just before commencing the installation of a backdoor, a hacker must investigate within the server to find activated services. He could simply add a new service and give it an inconspicuous name, but he would be better off choosing a service that never gets used and that is either activated manually or even completely disabled. It is sufficient to remove it using the Srvinstw.exe utility and again to install a new service with the same name.  By doing so, the hacker considerably reduces possibility that the administrator will detect the backdoor during a later inspection. Whenever an event occurs, the system administrator will focus on looking for something odd in the system, leaving all existing services unchecked. From the hacker point of view, it is essential to hide files deeply in system directories to protect them from being detected by the system administrator. In time, a hacker will think of naming the tools to be planted on the server disk. Netcat.exe and Srvany.exe are utilities that are required to run continuously and will be seen in the task manager. Hackers understand that backdoor utilities must have names that will not attract any undue attention. They use the same approach when choosing an appropriate port for a backdoor. For example, port 5555 does not seem to be backdoored for the reason that it could immediately tip off the system administrator.

The technique presented above is very simple but efficient at the same time. It allows a hacker to get back into the machine with the least amount of visibility within the server logs (we are obviously not speaking about situations where extra software is used to monitor traffic and there is an efficient event logging system installed). Moreover, the backdoored service allows the hacker to use higher privileges – in most cases as a System account. This may cause some problems for an intruder because, notwithstanding the highest permissions, the System account has no power outside the machine. Under this account, disk mapping or adding user accounts is not possible. Instead, passwords can be changed and privileges may be assigned to existing accounts. With a backdoor that has captured the system administrator account, no such restrictions exist. The only problem that remains is related to the change of user password, because a password update is required to restart the related service. An administrator will undoubtedly start noticing log errors, once care for event logging and monitoring is provided. The example given above describes a backdoor that is the most dangerous one from the victim system point of view, because anyone can connect to it and obtain the highest permissions with no authentication required. It may be any scriptkiddie using a portscanning tool against computers randomly selected from the Internet.

Hacker–dedicated Web sites give examples of many tools that serve to install backdoors, with the difference that once a connection is established the intruder must login by entering a predefined password. iCMD [2], Tini [3], RemoteNC [4] or WinShell [5] (are examples of tools resembling Telnet.

WinShell program may be used to install certain simple backdoors

I once saw a very interesting script named CGI-backdoor [6]. I considered this to be interesting because an attacker could execute remote commands on the server via WWW. It was a specifically created totally dynamic .asp site written in VBScript (available also in Perl, PHP, Java and C) that enabled one to execute commands on the server using the default command processor cmd.exe. A hacker can exploit this to configure the reverse WWW script on the victim’s system but can only permitted by default with sufficient privileges to the IUSR_MACHINE account. This script can be used without logging at all, thus no traces are left on the system. Its additional advantage is that it does not listen in on any port but translates between the HTML used in WWW pages and the server that runs interactive websites.

In order to create backdoors, hackers can use commercially available tools such as Remote Administrator [7], or free available TightVNC [8], that apart from a full control over the computer also allow one to operate a remote console.