Editor’s note: This post was originally published in July 2017 and has been revamped and updated for accuracy and comprehensiveness.
Hackers are individuals or groups that exploit weaknesses in a system to gain entry and manipulate data. As technology advances, hackers are becoming increasingly sophisticated, so service provider security teams have to continuously improve their security infrastructure to protect their networks.
Let’s look at a few ways hackers can gain remote access to a system via backdoor applications.
Using Legitimate Platforms For Command And Control Functions
Backdoors enable hackers to gain command and control (C&C) of the targeted network without being detected, and they may use legitimate websites or services to run the attack.
One example is a backdoor that fetches a blog post at a known URL, deciphers the ciphertext embedded there, and extracts the IP addresses of its C&C server list. Thereafter, the attackers can change those IP addresses by editing the post and remain undetected.
Hackers can also make use of remote access tools (RATs) to control a computer without the user's knowledge. RATs typically contain malicious code that monitors the computer and steals information through key-logging and data capture. While many RATs are well known, hackers use them in increasingly sophisticated ways, and once the threat is executed it allows a remote user to run commands on the system.
For example, according to an article by threat analyst Maersk Menringe, a targeted attack on a Taiwanese government agency in 2013 used Dropbox together with the PlugX RAT to update its C&C settings. Although the incident is dated, it illustrates that hackers constantly combine their existing resources with new technology to gain entry into a system.
The ‘Connect-Back’ Approach To Bypass Firewalls
Incoming connections are usually blocked by firewalls. To get around this, hackers use a ‘connect-back’ backdoor, which makes the compromised system open an outgoing connection to their C&C server, because outgoing connections are rarely blocked by firewalls.
To get the backdoor past the firewall in the first place, attackers send emails to specific targets within the network, intending to trick a user into opening the email and so giving them entry. Alternatively, they can attack public IP addresses exposed by a server and use it to update their C&C systems.
To protect a system from the connect-back method, IT teams should monitor outbound traffic for connections to unexpected external IP addresses and block them, alongside email filtering and scanning. Because routinely monitoring this activity takes man-hours, consider a network abuse handling system, like AbuseHQ, that detects threats with real-time visibility.
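As an added illustration of the outbound monitoring recommended above (this is example code, not the post's or AbuseHQ's own): a small Python check that scans a constructed log of outbound connections and flags internal hosts that call out to an external address at near-constant intervals, the regular "beaconing" pattern a connect-back backdoor produces. The log format and the internal address range are assumptions.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network
from statistics import pstdev

# Constructed sample log: "<unix_ts> <src_ip> <dst_ip> <dst_port>" per line.
# Host 10.0.0.5 contacts 203.0.113.7 every 60 seconds (beacon-like);
# host 10.0.0.9 contacts 198.51.100.20 only twice (ordinary traffic).
SAMPLE_LOG = """\
1000 10.0.0.5 10.0.0.1 53
1000 10.0.0.5 203.0.113.7 443
1060 10.0.0.5 203.0.113.7 443
1120 10.0.0.5 203.0.113.7 443
1180 10.0.0.5 203.0.113.7 443
1240 10.0.0.5 203.0.113.7 443
1005 10.0.0.9 198.51.100.20 443
1900 10.0.0.9 198.51.100.20 443
"""

# Assumed internal range; connections staying inside it are ignored.
INTERNAL = [ip_network("10.0.0.0/8")]


def parse_log(text):
    """Yield (timestamp, src, dst, dport) tuples from the log text."""
    for line in text.splitlines():
        ts, src, dst, dport = line.split()
        yield int(ts), src, dst, int(dport)


def find_beacons(records, min_hits=4, max_jitter=0.2):
    """Return (src, dst, mean_interval) for pairs whose outbound
    connections to an external host recur at a near-constant interval."""
    times = defaultdict(list)
    for ts, src, dst, _ in records:
        if any(ip_address(dst) in net for net in INTERNAL):
            continue  # only traffic leaving the network is of interest
        times[(src, dst)].append(ts)
    beacons = []
    for (src, dst), ts_list in times.items():
        if len(ts_list) < min_hits:
            continue
        ts_list.sort()
        gaps = [b - a for a, b in zip(ts_list, ts_list[1:])]
        mean = sum(gaps) / len(gaps)
        # Low relative spread of the gaps means a near-constant interval.
        if mean > 0 and pstdev(gaps) / mean <= max_jitter:
            beacons.append((src, dst, round(mean)))
    return beacons


if __name__ == "__main__":
    for src, dst, interval in find_beacons(parse_log(SAMPLE_LOG)):
        print(f"possible beacon: {src} -> {dst} every ~{interval}s")
```

Flagged pairs are candidates for review against an allowlist of known services, not automatic blocks, since legitimate update checks also poll on fixed schedules.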
The Connection Availability Abuse Technique
The Connection Availability Abuse technique uses two malware programs.
The first establishes the backdoor and evades detection while it downloads the second malware program onto the target system.
The second malware program steals information. It’s not uncommon for attackers to connect the first and the second malware program to multiple C&C servers, which makes it easier to evade detection.
Switching between multiple servers lets the attacker check that their C&C servers' IP addresses have not been blacklisted, or whether a firewall now blocks a given connection.
To get around this and still deliver the malware program, attackers are known to build a connectivity check, such as a ping, into the backdoor to bypass a service provider's security and intrusion detection system.
The Common Service Protocol Approach
One of the most difficult backdoor techniques to detect is the Common Service Protocol, which uses popular email and communication channels, such as Yahoo, Gmail, or instant messaging sites.
This approach mimics legitimate headers in the messages, which makes the traffic extremely difficult to detect. However, such channels are largely unstable, as a change in the web service or a minor error can cause them to collapse.
Protecting against this technique manually is almost impossible.
Consider a highly reputable anti-malware program, as well as a network abuse handling solution. You can also advise your customers to avoid opening messages from unknown sources.
While some internet service providers try to protect their systems from network abuse, many struggle to keep pace with sophisticated hackers. Backdoors are just some of the common ways hackers infiltrate a network without detection to secure remote access to a computer.
For service providers to keep up with backdoor and C&C techniques, they need a reputable abuse security solution to protect their network. Having an abuse management platform in place like AbuseHQ helps to resolve up to 99% of network abuse incidents. It integrates with your network security to reveal insights that are buried deep within your network’s IP abuse report.
To find out how AbuseHQ can help your security/abuse desk team track and monitor DNS security threats, request a demo with our team.