When a site gets compromised, the attackers will often leave some piece of malware behind to allow them access back to the site. Hackers want to leave a door open to retain control of the website and to reinfect it continuously. This type of malware is called a backdoor. Backdoors are types of malware that allow for remote control of a compromised website by bypassing appropriate authentication methods.

Even after updating a site, changing its passwords, and doing other post-hack procedures, the backdoor might not be removed. Leaving a backdoor in a website allows it to be accessed unexpectedly. Even though there are backdoors written in all languages, the ones we see the most are done in PHP.

A backdoor is a piece of malware that attackers leave behind to allow them access back into a website. Hackers like to inject code into different locations to increase their chances of retaining control of the website so they can reinfect it continuously. A backdoor is a malware type that negates normal authentication procedures to access a system. As a result, remote access is granted to resources within an application, such as databases and file servers, giving perpetrators the ability to remotely issue system commands and update malware.

A backdoor is a method, often secret, of bypassing normal authentication or encryption in a computer system, a product, or an embedded device (e.g. a home router), or its embodiment, e.g. as part of a cryptosystem, an algorithm, a chipset, or a “homunculus computer”—a tiny computer-within-a-computer (such as that found in Intel’s AMT technology). Backdoors are often used for securing remote access to a computer or obtaining access to plaintext in cryptographic systems. The backdoor may be used to gain access to passwords, delete data on hard drives, or transfer information within the cloud.

A backdoor may take the form of a hidden part of a program, a separate program (e.g. Back Orifice may subvert the system through a rootkit), code in the firmware of the hardware, or parts of an operating system such as Windows.

Trojan horses can be used to create vulnerabilities in a device. A Trojan horse may appear to be an entirely legitimate program, but when executed, it triggers an activity that may install a backdoor.

Although some are secretly installed, other backdoors are deliberate and widely known. These kinds of backdoors have “legitimate” uses such as providing the manufacturer with a way to restore user passwords.

Many systems that store information within the cloud fail to create accurate security measures. If many systems are connected within the cloud, hackers can gain access to all other platforms through the most vulnerable system.

Default passwords (or other default credentials) can function as backdoors if they are not changed by the user. Some debugging features can also act as backdoors if they are not removed in the release version.

Backdoor installation is achieved by taking advantage of vulnerable components in a web application. Once installed, detection is difficult as files tend to be highly obfuscated.

Webserver backdoors are used for a number of malicious activities, including:

  • Data theft
  • Website defacing
  • Server hijacking
  • The launching of distributed denial of service (DDoS) attacks
  • Infecting website visitors (watering hole attacks)
  • Advanced persistent threat (APT) assaults

Imagine you’re a burglar casing a house for a potential robbery. You see a “Protected by…” security sign staked in the front lawn and Ring doorbell camera. Being the crafty cat burglar that you are, you hop the fence leading to the back of the house. You see there’s a backdoor, cross your fingers, and try the knob—it’s unlocked. To the casual observer, there are no external signs of a burglary. In fact, there’s no reason you couldn’t rob this house through the same backdoor again, assuming you don’t ransack the place.

Computer backdoors work in much the same way.

In the world of cybersecurity, a backdoor refers to any method by which authorized and unauthorized users are able to get around normal security measures and gain high level user access (aka root access) on a computer system, network, or software application. Once they’re in, cybercriminals can use a backdoor to steal personal and financial data, install additional malware, and hijack devices.

But backdoors aren’t just for bad guys. Backdoors can also be installed by software or hardware makers as a deliberate means of gaining access to their technology after the fact. Backdoors of the non-criminal variety are useful for helping customers who are hopelessly locked out of their devices or for troubleshooting and resolving software issues.

Unlike other cyberthreats that make themselves known to the user (looking at you ransomware), backdoors are known for being discreet. Backdoors exist for a select group of people in the know to gain easy access to a system or application.

HISTORY

  • In 1993 the NSA developed an encryption chip with a built-in backdoor for use in computers and phones. Supposedly, the chip would keep sensitive communications secure while allowing law enforcement and government agencies to decrypt and listen in on voice and data transmissions when warranted. Hardware backdoors have big advantages over the software kind. Namely, they are harder to remove—you have to rip the hardware out or re-flash the firmware to do so. The chip, however, was derailed over privacy concerns before seeing any kind of adoption.
  • In 2005 Sony BMG got into the business of backdoors when they shipped millions of music CDs with a harmful copy protection rootkit. Little did you know, while rocking out to the latest edition of Now That’s What I Call Music! your CD included a rootkit, which would install itself automatically once inserted into your computer. Designed to monitor your listening habits, the Sony BMG rootkit would also stop you from burning CDs and left a gaping vulnerability in your computer that cybercriminals could take advantage of. Sony BMG paid out millions to settle lawsuits related to the rootkit and recalled even more millions of CDs.
  • In 2014 several Netgear and Linksys routers were found to have built-in backdoors. SerComm, the third-party manufacturer that put the routers together, denied putting the backdoors in their hardware on purpose. But when the patch SerComm released ended up hiding the backdoor instead of fixing it, it became clear the company was up to no good. Exactly what SerComm was trying to accomplish with the backdoor remains unclear.

How do backdoors work?

Let’s start by figuring out how backdoors end up on your computer to begin with. This can happen in a couple different ways. Either the backdoor comes as a result of malware or by an intentional manufacturing (hardware or software) decision.

Backdoor malware is generally classified as a Trojan. A Trojan is a malicious computer program pretending to be something it’s not for the purposes of delivering malware, stealing data, or opening up a backdoor on your system. Much like the Trojan horse of ancient Greek literature, computer Trojans always contain a nasty surprise.

Trojans are an incredibly versatile instrument within the cybercriminal toolkit. They come under many guises, like an email attachment or file download, and deliver any number of malware threats. To compound the problem, Trojans sometimes exhibit a worm-like ability to replicate themselves and spread to other systems without any additional commands from the cybercriminals that created them. Take, for example, the Emotet banking Trojan. Emotet got its start in 2014 as an information stealer, spreading across devices and stealing sensitive financial data. Since then Emotet has evolved into a delivery vehicle for other forms of malware. Emotet helped make the Trojan the top threat detection for 2018, according to the State of Malware report.

Are backdoors and exploits the same?

Malwarebytes Labs defines exploits as, “known vulnerabilities in software that can be abused to gain some level of control over the systems running the affected software.” And we know a backdoor works like a secret entrance into your computer. So are backdoors and exploits one and the same?

While backdoors and exploits seem awfully similar at first glance, they are not the same thing.

Exploits are accidental software vulnerabilities used to gain access to your computer and, potentially, deploy some sort of malware. To put it another way, exploits are just software bugs that researchers or cybercriminals have found a way to take advantage of. Backdoors, on the other hand, are deliberately put in place by manufacturers or cybercriminals to get into and out of a system at will.

What can hackers do with a backdoor?

Hackers can use a backdoor to install all manner of malware on your computer.

  • Spyware is a type of malware that, once deployed on your system, collects information about you, the sites you visit on the Internet, the things you download, the files you open, usernames, passwords, and anything else of value. A lesser form of spyware called a keylogger specifically tracks every keystroke and click you make. Companies may use spyware/keyloggers as a legitimate and legal means of monitoring employees at work.
  • Ransomware is a type of malware designed to encrypt your files and lock down your computer. In order to get back those precious photos, documents, etc. (or whatever file type the attackers choose to target) you have to pay the attackers via some form of cryptocurrency, usually Bitcoin.
  • Use your computer in a DDoS attack. Using the backdoor to get super user access on your system, cybercriminals can take command of your computer remotely, enlisting it in a network of hacked computers, aka a botnet. With this zombie computer botnet, criminals can then overwhelm a website or network with traffic from the botnet in what’s known as a distributed denial-of-service attack (DDoS). The flood of traffic prevents the website or network from responding to legitimate requests, effectively taking the site out of service.
  • Cryptojacking malware is designed to use your system’s resources to mine cryptocurrency. In short, every time someone exchanges cryptocurrency the transaction is recorded on an encrypted virtual ledger known as the blockchain. Cryptomining is the process of validating these online transactions in exchange for more cryptocurrency and it takes an enormous amount of computing power. Instead of buying the expensive hardware required for crypto mining, criminals have found that they can simply enlist hacked computers in a botnet that works the same as expensive crypto mining farms.

How to Avoid Website Backdoors

  1. Backdoors can be very hard to find and even harder to get rid of. To begin, it is highly advisable that you monitor your logs constantly for unexpected behavior.
  2. In order to prevent the website from getting infected in the first place, we highly recommend implementing security measures like file integrity monitoring and a Website Application Firewall (WAF).
  3. If you suspect that your website is infected with a backdoor, we have an experienced website security team that can clean up your website. If you are looking for a DIY solution, we have written a guide explaining How to Clean a Hacked Website.