July 16, 2014

Knocking on a backdoor: what’s behind the graphic cybersecurity term


“Backdoor” is a vivid, even graphic term that describes the possible consequences of this type of threat well, but it says little (if anything) about the technology behind it, which is actually quite peculiar and not easy to explain. But we will try.

First of all, in computing a “backdoor” is a method rather than a particular malicious program. The wording of security bulletins usually makes one think that a backdoor is a sort of malware (“This Trojan installs a backdoor…”, etc.), but in essence it is a method of bypassing normal authentication that allows hidden, illegitimate remote access to a computer. “Hidden” doesn’t mean “undetectable”, although the attacker would certainly prefer it that way.

Backdoor history goes back to the late 1960s, when, according to Wikipedia, multiuser and networked operating systems became widely adopted. In a paper published in the proceedings of the 1967 AFIPS Conference the threat was called a “trapdoor” and referred to “entry points” in software that allowed proper authentication to be bypassed; the name “backdoor” is more widely used today.

There are widely known examples of backdoors becoming a major element of the plot in movies or TV series. In the 1983 film WarGames the creator of the WOPR military supercomputer had inserted a hardcoded password (his dead son’s name) which gave the user access to the system, including its undocumented parts (in particular, a video game-like simulation mode and direct interaction with the artificial intelligence).

As mentioned earlier, the TV series “Person of Interest” features an AI superprogram, “the Machine”; its creators installed backdoor access for themselves in order to receive information on ordinary people in peril – and that’s the starting point of the show’s entire plot.

“Installing a backdoor” does not mean installing some malware, but rather altering the targeted software to create a means of bypassing at least some security and providing stealthy access to data.

It may sound weird, but the default passwords of devices and software packages are backdoors in their own right, unless changed by the user.

Still, there is malicious software called a “backdoor” or “Trojan backdoor”: these are software modules that provide their operators with unsanctioned access to the infected system, possibly in order to exfiltrate information on a routine basis, or to make it part of a botnet that relays massloads of spam or launches DDoS attacks at specific targets.

Backdoors also make it possible to do anything the author wants on the infected computer: send and receive files, launch or delete files, display messages, delete data, reboot the computer, etc.

Many computer worms of the past (Sobig, Mydoom, and many others) installed backdoors on the infected PCs. Lots of modern Trojans have such components.

Backdoor Trojans are actually the most widespread and dangerous type of Trojan in general.

The primary function of recent large-scale APTs, such as Flame and Miniduke, discovered by Kaspersky Lab, is served by custom backdoors that allow the attackers to penetrate the targeted system and continuously exfiltrate various data.

Backdoors generally install some server component on the compromised machine. That server component then opens a certain port or service, allowing the attacker to connect to it using the client component of the backdoor software and making the infected box – or some software on it – remotely controlled without its user’s knowledge.

It’s not about computers alone, however: a simple PHP backdoor script can create an administrator account in WordPress, and there are numerous Android Trojans, including ones that use Tor.

The way to battle them? Security software and basic information hygiene. Most malware requires at least some degree of cooperation from the end user; in other words, users are mostly tricked into installing it through simple social engineering, plain deceit, or the exploitation of insufficient attention.