To accomplish his goal, a hacker must install a backdoor that is not easily detectable. This is his primary task. Hackers use a variety of methods for this purpose, placing their tools at the deepest level of compromised systems and renaming files so as not to arouse suspicions. With a backdoor, such hacker can virtually have full and undetected access to your application for long time. It is critical to understand the ways backdoor can be installed and to take required preventive steps.What is a Backdoor?
A backdoor in a computer system (or cryptosystem or algorithm) is a method of bypassing normal authentication, securing remote access to a computer, obtaining access to plain text, and so on, while attempting to remain undetected, the backdoor may take the form of an installed program, or could be a modification to an existing program or hardware device. It hides in the computer, scans existing loopholes, opens corresponding ports, as well as modifies system registration files.
Backdoor will not duplicate or actively spread itself. It will only open a certain port through which a remote computer in the network can control the infected computer. Generally the backdoor will not influence normal communication of the network, so firewalls or IDS can hardly detect its existence.
Is my Network Infected with a Backdoor?
According to statistics, most of the backdoors work under port 31337, 31335, 27444, 27665, 20034, 9704, 6063, 5999, 5910, 5432, 2049, 1433, 444, and 137-139. So whether there is communication
through these ports in the network determines whether the network is infected with a backdoor.
How to Detect a BackDoor on a Tool?
1. Right click it, if you got winrar installed and if you see “open with winrar“, then this means it was binded with winrar, so it is definitely a backdoored.
2. Open it with a resource editor such as Resource Hacker/Restorator/Pe Explorer and check the rcdata section. If theres 1 & 2 entries in it then its binded
3. Open it with a hex editor. At the start of a PE header there is always this line “This program cannot be run in DOS mode“. Search for it, if it exists more then once then it might be binded.
It depends on the specific app, for example its not unusual for binders/crypters to have the stub file attached in the resources. Also search for .exe and inspect the results, a binded file drops the files to a temp folder before executing them, so if you find something like this:
%.t.e.m.p.%..x.x…e.x.e or file1.exe/file2.exe
then its definitely binded.4. Run it in Sandboxie. When a file is rand in sandboxie its isolated (cant access your files/registry). First click the sandboxie tray icon to open up its Window, then right click the file and click “run with sandboxie”. If you see another process name in the sandboxie Window then its probably backdoored (this doesn’t include sandboxie rpcss/dcom launch processes, those are legit and needed for some programs). That’s not all, the file may drop another when one of the buttons in the program GUI is clicked or after you close it, so click all the buttons and close it just to make sure. If you do see other processes then immediately click file -> terminate all processes from the sandboxie menu. If a file refuses to run in sandboxie or its suppose to be a program and it runs without GUI then it would probably be best to delete it.
These steps describe a dynamic process for establishing a “defense in depth” security posture that not only protects you from current threats, but also allows you to detect and protect your applications from future threats.