2.3.2 Back Door Attacks

An attacker must work against the clock because the longer he or she is inside the target system, the greater the likelihood of detection. Because of this, most attacks follow a fairly predictable pattern. One of the first steps is to secure a means of easily re-entering the system should the initial or probing attacks be detected. This is called a backdoor.

There are many forms of backdoors. One of the most common is to configure the system to listen on an unusual port that the attacker can use to enter the system. Firewalls and intrusion detection systems can be tuned to catch the port sweeps that are used to detect unused but open ports.

In this case the attacker must use a more powerful technique, such as reverse trafficking. Most network protection systems are set up to monitor incoming traffic. If a transaction originates from inside the computer, the response to that transaction will often be allowed to pass through the firewall, because the IP packet is identified as a response. Getting a packet past a firewall therefore involves little more than asking for it. To take advantage of this, the attacker can either cause the computer to make inquiries that will result in responses from one of the attacker’s own machines (or a machine the attacker has already compromised), or, more elegantly, craft an attacking packet to appear as if it were a response.

Accomplishing this kind of attack usually involves the use of a Trojan Horse program. One advantage of such an approach is that the program can go active based on clocks or calendars, which makes monitoring for the attack tedious.

Back Door Defense

The simplest defense against back door attacks is to install security patches. The Code Red worm, for instance, used reverse trafficking to set up connections between the target computer and the attacker. The security patch for Code Red was available long before the outbreak.

Another defense is to monitor and perhaps block outgoing traffic on unusual ports. Some applications may be disturbed by this, but having to open holes through the firewall on a case-by-case basis provides greater security than leaving outbound traffic unchecked.
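The two ideas above, that a firewall admits a reply only because the protected host asked for it, and that a default-deny outbound policy with case-by-case exceptions narrows what a backdoor can use, can be modelled together. The following is an added example written for this section, not code from the original text or from any product it mentions: a toy stateful firewall that tracks flows the host opens, accepts inbound packets only when they answer a tracked flow, and refuses outbound connections on ports that are not allow-listed. All addresses, ports and packets are constructed for illustration.

```python
"""Toy stateful firewall with a default-deny egress policy (added example).

Models two behaviours described in the text:
  * an inbound packet is accepted only if it answers a connection the
    protected host itself opened (a crafted "response" with no matching
    outbound flow is dropped);
  * outbound connections are allowed only on explicitly allow-listed ports,
    so a backdoor listening or beaconing on an unusual port gets no traffic.
Every address, port and packet below is constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    direction: str   # "out" = leaving the protected host, "in" = arriving at it
    proto: str       # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class StatefulFirewall:
    def __init__(self, allowed_egress_ports):
        self.allowed_egress_ports = set(allowed_egress_ports)
        self.flows = set()   # tracked flows, keyed from the host's point of view
        self.log = []        # (verdict, packet, reason) for every decision

    def _flow_key(self, p):
        # Normalise so an inbound reply produces the same key as the outbound
        # request it answers: (proto, host_ip, host_port, remote_ip, remote_port).
        if p.direction == "out":
            return (p.proto, p.src_ip, p.src_port, p.dst_ip, p.dst_port)
        return (p.proto, p.dst_ip, p.dst_port, p.src_ip, p.src_port)

    def filter(self, p):
        key = self._flow_key(p)
        if p.direction == "out":
            if p.dst_port not in self.allowed_egress_ports:
                return self._decide("DROP", p, "egress port not allow-listed")
            self.flows.add(key)          # remember that the host asked for this
            return self._decide("ACCEPT", p, "outbound on allow-listed port")
        if key in self.flows:
            return self._decide("ACCEPT", p, "answers a tracked outbound flow")
        return self._decide("DROP", p, "unsolicited inbound: no tracked flow")

    def _decide(self, verdict, p, reason):
        self.log.append((verdict, p, reason))
        return verdict

    def dropped(self):
        """Return the reasons for every dropped packet (what a defender would alert on)."""
        return [reason for verdict, _, reason in self.log if verdict == "DROP"]


def demo():
    """Run a constructed packet sequence through the firewall and return the verdicts."""
    fw = StatefulFirewall(allowed_egress_ports={53, 80, 443})
    host, resolver, remote = "10.0.0.5", "10.0.0.1", "198.51.100.7"   # constructed
    packets = [
        Packet("out", "udp", host, 40001, resolver, 53),      # DNS query from the host
        Packet("in",  "udp", resolver, 53, host, 40001),      # its answer: accepted
        Packet("in",  "tcp", remote, 443, host, 40002),       # forged "reply" nobody asked for
        Packet("out", "tcp", host, 40003, remote, 31337),     # outbound on an unusual port
        Packet("in",  "tcp", remote, 31337, host, 40003),     # its answer: no tracked flow
        Packet("out", "tcp", host, 40004, remote, 443),       # outbound on an allowed port
        Packet("in",  "tcp", remote, 443, host, 40004),       # accepted: the host asked
    ]
    verdicts = [fw.filter(p) for p in packets]
    return verdicts, fw.dropped()


if __name__ == "__main__":
    for verdict, reason in zip(*demo()):
        print(verdict, reason)
```

The last two packets show the caveat the text hints at: port-based egress filtering does nothing for a beacon that uses an allow-listed port such as 443, so the flow log (`fw.log`) is where detection has to continue, with destination- or process-level rules added case by case.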

Another defense is to have a detailed knowledge of the current build of the protected devices’ operating system and applications. Attackers often bury new Trojans under file names that seem like valid system names. They can even swap valid system files for identical files with Trojan code attached. Keeping a record of every program and file, including specifications such as file length and update records, may help to identify suspicious code that may be part of a backdoor attack. Many utilities are available for this task.
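The record-keeping just described is a file-integrity baseline. The following is an added example written for this section, not code from the original text or from the utilities it names: it snapshots every file under a directory (size, modification time and SHA-256 digest), stores the baseline as JSON, and reports files that are new, missing or changed. It goes one step beyond the text by also flagging the case the text warns about, a system file swapped for one of identical length, which length alone would miss. The directory tree and the simulated tampering are constructed in a temporary directory.

```python
"""File-integrity baseline and check (added example, not from the original text).

snapshot() records size, mtime and SHA-256 for every file under a root;
compare() diffs a later snapshot against the stored baseline.  A swapped
file of identical length is still caught because the digest differs.
The sample tree and the tampering in demo() are constructed for illustration.
"""
import hashlib
import json
import tempfile
from pathlib import Path


def file_record(path: Path) -> dict:
    """Size, modification time and SHA-256 digest of one file."""
    digest = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    st = path.stat()
    return {"size": st.st_size, "mtime": st.st_mtime, "sha256": digest.hexdigest()}


def snapshot(root: Path) -> dict:
    """Map each file's root-relative path to its record."""
    return {
        p.relative_to(root).as_posix(): file_record(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def compare(baseline: dict, current: dict) -> dict:
    """Report new, missing and modified files; note same-length modifications separately."""
    findings = {"new": [], "missing": [], "modified": [], "same_length_modified": []}
    for name in sorted(set(baseline) | set(current)):
        if name not in baseline:
            findings["new"].append(name)
        elif name not in current:
            findings["missing"].append(name)
        elif baseline[name]["sha256"] != current[name]["sha256"]:
            findings["modified"].append(name)
            if baseline[name]["size"] == current[name]["size"]:
                findings["same_length_modified"].append(name)   # length check alone would miss this
    return findings


def demo() -> dict:
    """Build a constructed tree, take a baseline, tamper with it, and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "etc").mkdir()
        (root / "bin" / "netstat").write_bytes(b"ORIGINAL-NETSTAT-BINARY")   # constructed content
        (root / "bin" / "ls").write_bytes(b"ORIGINAL-LS")
        (root / "etc" / "hosts").write_bytes(b"127.0.0.1 localhost\n")

        baseline_json = json.dumps(snapshot(root))   # in practice: store offline / read-only

        # Simulated tampering (constructed): same-length swap, a dropped-in file
        # with a plausible name, and a removed file.
        (root / "bin" / "netstat").write_bytes(b"TROJANED-NETSTAT-BINARY")   # same 23 bytes
        (root / "bin" / "ls-helper").write_bytes(b"NEW-FILE")
        (root / "etc" / "hosts").unlink()

        return compare(json.loads(baseline_json), snapshot(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The baseline is only as trustworthy as where it is kept: store the JSON off the host or on read-only media, since an attacker who can swap system files can also rewrite a baseline stored beside them, and note that `mtime` can be reset by the attacker while the digest cannot.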

One such tool is Easy Desk Registry Watch. Registry Watch records the current state of the registry and system files and allows the user to restore these settings and files should a back door Trojan or any other program install itself without the knowledge of the user.

Lavasoft makes a tool called “Ad-Watch” that is part of its “Ad-Aware” program. While Ad-Watch is meant to help protect the operating system from malware and spyware, it is also useful when the user wishes to be informed any time a registry value is changed. The user is given the opportunity to allow or disallow potentially malicious changes to the registry and ActiveX installations, and is informed whenever a modification is made. This provides the user some protection against programs that install themselves secretly.

[Figure: Easy Desk Registry Watch]