Linux Computer Security Backdoor

Backdoor

A backdoor is a hidden piece of code, script, or program placed on a system for persistence, so that an attacker does not have to exploit the same system twice. It simply provides quicker, on-demand access to the system.

The simplest definition of a backdoor attack is the use of any malware, virus, or other technology to gain unauthorized access to an application, system, or network while bypassing the security measures that are in place. Unlike other kinds of malware, a backdoor reaches the core of the targeted application and often controls the targeted resource with driver-level or administrator-level privileges.

Once access at such a deep and crucial level is gained, the damage possibilities are endless. Attackers can change the entire infrastructure or parts of it, make the targeted system behave as they wish, and steal crucial data.

The impact of these actions can be highly detrimental. Hence, one should always remain vigilant about the presence of such threat actors and learn how to mitigate backdoor attacks.

How It Works:

How a backdoor attack works depends on the way it enters the system. The most common ways of planting a backdoor are through malware or through backdoor-specific software or hardware. Both are explained below.

Backdoor malware

This malware impersonates something else so that actions like data theft, malware installation, and creating a backdoor into the system can be performed unnoticed.

It is also called a backdoor Trojan because of its behavioral similarity to Trojans, which permit an attacker to reach the core infrastructure of an application, piece of software, or network. To understand it better, you must know how a Trojan operates.

A Trojan is a file with malicious content that can be delivered as an email attachment, a downloadable file, or bundled with other malware. To make things worse, some Trojans have worm-like abilities that let them replicate and spread to other systems without any further effort from the attacker.

Regardless of its guise, every sort of Trojan is harmful and has the potential to cause serious damage to the target.

Built-in or proprietary backdoors

Think of it as a back door used by the property owner in case of an emergency. Such backdoors are deployed by software or hardware professionals and do not always have ill intentions. They exist as a component of the software and permit the owners or developers to gain instant access to the application.

This immediate access helps them test code, fix a software bug, and even find hidden vulnerabilities without going through the real, authenticated account-creation process.

Often they are not removed before the final product is launched or delivered. Sometimes they are secured so that only a few users get this instant access. But there have been incidents where built-in backdoors were shipped with the original software through fault or negligence.

Different Kinds of Backdoors:

Backdoors come in various types, and each one has a different line of attack.

Cryptographic backdoors:

Think of a cryptographic backdoor as a master key that unlocks everything hidden behind encrypted data. Most commonly, data is protected with AES-256 or another encryption algorithm. In this or any other encryption scheme, the communicating parties hold a cryptographic key that is used to decrypt the data.

A cryptographic backdoor breaks this mechanism: it gives access to that crucial cryptographic key, and thereby to the secured information, before anyone else.

Hardware backdoors:

Such backdoors use hardware components like chips, CPUs, hard drives, and others to break into a system. Using modified hardware components, attackers try to gain root-level access to the targeted system. Beyond computer hardware, many other connected devices, such as phones, home security systems, and thermostats, can also act as a hardware backdoor if they contain an altered hardware part and are linked to a system.

Most commonly, such backdoors are used for data access, surveillance, and remote access.

Rootkits:

A more advanced type of malware, rootkits allow attackers to conceal their activities completely from the targeted OS and force it to grant root-level access. Once that is granted, attackers can operate the system remotely and perform endless actions such as downloading files, modifying files, monitoring every activity, and more.

What makes rootkits dangerous is their ability to take the form of any software in use, or even of computer chips. The job is done so well that they are hard to detect. Multiple types of rootkits exist.

For instance, a kernel-mode rootkit manipulates the kernel of the OS. A user-mode rootkit is deployed in the user space of the system. A bootloader rootkit is a variant of the kernel rootkit and tampers with the Master Boot Record (MBR) of the system.

Trojans:

As noted above, Trojan malware is deceptive: such files pretend to be legitimate files so that the targeted system grants them access. Each time software is installed, a prompt such as "Allow insert-program-here to make changes on your device?" is displayed on the screen.

Usually the Trojan remains hidden at this stage; once permission is granted, the Trojan is installed on the system and a backdoor is created. Using the backdoor, attackers gain admin-like access to the system and can do whatever they want.

Backdoor Attack Examples:

Backdoor attacks are all around us and happen every now and then. The most notorious ones are listed next.

In 2017, DoublePulsar was detected as backdoor malware. It allowed others to spy on Windows PCs. With its help, threat actors could install a powerful, memory-hungry cryptojacker whose purpose was to mine Bitcoin. Hence, a huge chain of crypto-mining botnets was created from a single cryptojacker.

The Dual-EC backdoor attack exploited a pre-existing weakness in this cryptographic protocol: anyone holding the secret key could decrypt its output. The adoption of this protocol was promoted by the NSA, as the agency was able to read and intercept all communication that relied on Dual_EC. This way, millions of people automatically came under the NSA's radar.

PoisonTap is a well-known example of a backdoor attack. In this attack, hackers used malware to gain root-level access to any website, including those protected with 2FA.

WordPress was found to have multiple backdoors in 2014. These backdoors were WordPress plug-ins containing obfuscated JavaScript code. Once such infected plugins were installed, they were used to create a hidden admin account and steal data.

Borland Interbase had built-in backdoors in versions 4.0 to 6.0. The backdoor was hard-coded and created backdoor accounts accessible over the network. Anyone using these backdoor accounts could read everything stored in the Interbase database. It was finally fixed in 2001.

In 2008, Juniper Networks OS versions above 6.2.0 had backdoors that enabled hackers to gain admin-like access.

C-DATA Optical Line Termination devices were found to contain multiple backdoors, as spotted by security researchers, who concluded that these backdoors were deployed on purpose by the vendor.

How Backdoors Are Used by Hackers:

Depending on the technique used, a backdoor can empower hackers greatly and allow them to deploy further threats such as:

Spyware:

This is a dangerous malware type, as its installation allows a hacker to record and monitor everything you do on the infected computer or device. Whether it is the websites you visit or the files you create, the hacker has access to everything.

Ransomware:

Ransomware is the digital version of a real-world ransom threat and involves a complete shutdown of infected resources like systems, servers, and networks until the demanded ransom is paid. Generally, the ransom is demanded in cryptocurrency to maintain secrecy.

Cryptojacking malware:

What is cryptojacking?

Cryptojacking malware is a malware type that targets cryptocurrency; it refers to using other people's systems, networks, and internet connections to mine cryptocurrencies.

How to Prevent Backdoor Attacks:

Prevention is better than cure. Hence, one must know some viable ways of preventing backdoor attacks, which are stated next.

Make sure the number of allowed failed login attempts is limited and that a firewall is in place to forbid unauthorized access.

Have a stringent network monitoring policy in place. Audit the security solutions, monitor the network, and update the technology as needed. Network resources should be protected with 2FA.

An anti-malware program helps keep malicious content at bay. It automatically detects and eliminates threats like viruses, malware, and Trojans and keeps the system protected. As everything happens automatically, not much effort is required.

Stop accessing unauthorized and unverified websites and content on the internet. In particular, take extra precautions with free websites and software; such places are a hub for viruses and ill-intended content and can cause serious damage to your system.

A good password manager helps create strong, complex passwords and manage them. A robust password is hard to break, and hackers will have a tough time bypassing it. But creating and managing such passwords for all the websites and resources you use is tough; a password manager makes it easy.

Keep your OS and software up to date, as updated software resists attack attempts better.

A firewall improves things considerably, as it watches all incoming and outgoing traffic and takes immediate action when anything suspicious is noticed.

Preventing backdoor attacks with a WAF:

A web application firewall (WAF) with strong threat prevention capabilities can keep threats like the OWASP Top 10, account takeover, API abuse, misconfiguration, and business logic attacks away from you.

The WAF is designed so that end users do not have to invest huge effort in its setup and configuration. Only minor DNS changes are needed to bring it into action. It is packed with inventive techniques like robust bypass resistance, LibDetection, and RegExp-free operation.

It is a fully automated solution able to perform quick passive and black-box scans. As it is a highly integrated solution, your organization's cybersecurity professionals can use it with their existing DevOps and security arrangements. It is the best solution to ensure that you are well prepared when it comes to backdoor network attacks.

Why backdoor attacks are more dangerous than other types of cyber-attacks:

Backdoor attacks are more dangerous than other types of cyber-attacks because they allow direct access to compromised systems without the need for user interaction. They also provide attackers with capabilities such as remote code execution and privilege escalation, which can enable access to sensitive data and systems.

How to check whether a system has been compromised by a backdoor attack:

You can check your device for signs of a backdoor attack by using security scanning tools, such as vulnerability scanners or malware detection programs.

Common indicators of a backdoor attack:

Some common signs of a backdoor attack include unexpected changes in data usage, sudden system crashes, increased bandwidth or storage use, and the frequent appearance of new files or programs on the system.
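The "new files or programs appear on the system" indicator above only becomes checkable once you have a baseline to compare against. The following added example, which is not code from the original article, is a minimal file-integrity baseline: it hashes every regular file under a directory, and a later snapshot is diffed against the baseline to list files that were added, modified, or removed. The function names and the planted sample files are constructed for the demonstration; only the Python standard library is used.

```python
# Added example, not part of the original article: a minimal file-integrity
# baseline that turns the "new files or programs appear" indicator into a
# repeatable check. Helper names are hypothetical; standard library only.
import hashlib
import tempfile
from pathlib import Path


def snapshot(root):
    """Map each regular file under root (relative POSIX path) to its SHA-256."""
    root = Path(root)
    result = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and not path.is_symlink():
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            result[path.relative_to(root).as_posix()] = digest
    return result


def diff_snapshots(baseline, current):
    """Report files that appeared, changed, or disappeared since the baseline."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
    }


def demo():
    """Constructed scenario: take a baseline, then plant a new file and alter a known one."""
    with tempfile.TemporaryDirectory() as tmp:
        bin_dir = Path(tmp) / "bin"
        bin_dir.mkdir()
        (bin_dir / "ls").write_bytes(b"original ls binary")      # constructed sample
        (bin_dir / "cat").write_bytes(b"original cat binary")    # constructed sample
        baseline = snapshot(tmp)
        # Changes a later scan should flag: one new dotfile, one changed binary.
        (bin_dir / ".hidden_helper").write_bytes(b"# constructed sample file\n")
        (bin_dir / "ls").write_bytes(b"modified ls binary")
        return diff_snapshots(baseline, snapshot(tmp))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

In practice the baseline would be stored off-host (an attacker with root can rewrite a local one) and the scan pointed at directories such as system binaries, cron directories, and users' SSH configuration.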

Some common backdoor attack vectors:

Backdoor threats can be carried out in several ways, including exploiting vulnerabilities in the security system, installing malicious software on a system, or using stolen or cracked passwords.

Who is affected by a backdoor attack:

Backdoor threats can be used to target any organization or individual with a computer system. However, they are particularly risky for organizations and people who rely on computer systems for vital operations, including businesses, governments, and healthcare providers.

How to protect against backdoors:

It is hard to discover and defend yourself against built-in backdoors. More often than not, the manufacturers do not even know the backdoor is there. The good news is that there are things you can do to defend yourself from the other types of backdoors.

  • Change your default passwords.
  • Monitor network activity.
  • Choose programs and plugins carefully.
  • Use a good cybersecurity solution.

List of known backdoors:

Back Orifice (1998): Created by hackers from the Cult of the Dead Cow group, Back Orifice was a remote administration tool for Windows computers. It allowed remote control over a network and parodied the name of Microsoft’s BackOffice.

Dual EC DRBG (2013): The Dual EC DRBG (Dual Elliptic Curve Deterministic Random Bit Generator) was revealed in 2013 to potentially have a kleptographic backdoor deliberately inserted by the NSA. The agency also possessed the private key to the backdoor.

WordPress Plug-in Backdoors (2014): Several backdoors were discovered in unlicensed copies of WordPress plug-ins in March 2014. These backdoors were inserted as obfuscated JavaScript code and silently created admin accounts in website databases. Similar schemes were later exposed in Joomla plugins.

Borland Interbase (Versions 4.0 – 6.0): These versions of Borland Interbase had a hard-coded backdoor intentionally placed by the developers. The server code contained a compiled-in backdoor account (username: politically, password: correct) which could be accessed over a network connection, allowing full control over all Interbase databases. The backdoor was detected in 2001, and a patch was released.

Juniper Networks Backdoor (2008): A backdoor was inserted into versions of firmware ScreenOS from 6.2.0r15 to 6.2.0r18 and from 6.3.0r12 to 6.3.0r20 by Juniper Networks in 2008. This backdoor provided any user with administrative access when using a special master password.

C-DATA Optical Line Termination (OLT) Devices: Several backdoors were discovered in C-DATA Optical Line Termination (OLT) devices. Researchers released the findings without notifying C-DATA because they believe the backdoors were intentionally placed by the vendor.

XZ Utils (Versions 5.6.0 and 5.6.1): A backdoor was discovered in March 2024 by software developer Andres Freund in versions 5.6.0 and 5.6.1 of the popular Linux utility XZ Utils. This backdoor gave an attacker who possessed a specific Ed448 private key remote code execution capabilities on affected Linux systems. The issue has been assigned a CVSS score of 10.0, the highest possible score.

Conclusion:

In conclusion, securing Linux systems against backdoor threats requires proactive measures, including vulnerability management, access controls, encryption, and security monitoring. By implementing these best practices and staying vigilant, users can mitigate the risk of backdoor exploitation and safeguard the integrity and confidentiality of their systems and data.
