SecurityWeek

Cyberwarfare

Inside the Backdoor Techniques Used in Advanced Attacks

Disrupting a network is one thing; maintaining access and controlling computers is another.


That second part requires creating backdoors, which have become vital parts of cyber-attack campaigns. In a new paper, researchers at Trend Micro have outlined some of the techniques backdoors use to enable attackers to connect to their command and control server and maintain control over their targets.

“Our investigations into various targeted attacks have shown that a wide variety of tactics are used by backdoors to carry out their routines, as well as remain undetected by network administrators and security products,” blogged Dove Chiu, threat researcher at Trend Micro. “Over time, these techniques have evolved as more sophisticated defenses become available to network administrators. Initially, all that was needed for an attacker to connect to a compromised machine was an open TCP/IP port. However, as firewalls became more commonplace, other techniques became necessary. Techniques evolved so that it would be clients first connecting to servers, since blocking outbound traffic was, initially, less common.”

“Over time, as the possible defenses have become more sophisticated, so have the techniques in use,” he continued. “For example, publicly available blogs have become command-and-control (C&C) servers of a sort.”

In addition to abusing legitimate platforms, attackers also use legitimate protocols such as those of instant messengers (IMs) and free email services to cover their tracks.

“We have, in fact, seen the protocols of IMs such as Windows Live Messenger and Ajax IM as well as of email services such as Gmail abused by backdoors like BKDR_DESCLOC.A in targeted attacks,” the researchers noted in their paper. “An example of this is Terminator, a backdoor detected as FAKEM, which attempts to emulate the first 32 bytes of common legitimate protocol/file headers to evade detection, albeit unsuccessfully.”

Circumventing firewalls is an important part of business for attackers. Along those lines, the researchers reported, attackers use tactics such as the ‘connect-back’ technique, in which the backdoor connects infected systems to the command and control server via ports that are not blocked. It is also not uncommon for hackers to compromise servers with public IP addresses and use them as C&C servers to hide their tracks, according to the paper.
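A check a defender can run over captured port-80 flows to separate genuine HTTP from the header-only mimicry described for FAKEM above, and to catch connect-back traffic that rides an allowed port without speaking its protocol. This is an added example, not Trend Micro's or the paper's code; the sample flows, the 32-byte prefix check and the HTTP grammar subset are constructed for the illustration.

```python
import re

# Constructed sample flows (not real captures): the first bytes a client sends on a
# port-80 connection. Only "mimic" matches the paper's description of a backdoor
# that imitates a legitimate protocol header for its first 32 bytes.
FLOWS = {
    # Genuine request: request line, headers, blank line.
    "legit": b"GET /index.html HTTP/1.1\r\nHost: example.test\r\nUser-Agent: curl/8.0\r\n\r\n",
    # First 32 bytes are byte-for-byte a valid HTTP request start; then raw binary.
    "mimic": b"GET /index.html HTTP/1.1\r\nHost: " + bytes(range(48)),
    # Not HTTP at all on port 80 (constructed TLS-like record header).
    "binary": b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03" + b"\x00" * 21,
}

REQUEST_LINE = re.compile(rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS) \S+ HTTP/1\.[01]\r\n")
HEADER_LINE = re.compile(rb"^[!#$%&'*+.^_`|~0-9A-Za-z-]+: [\t\x20-\x7e]*$")


def prefix_looks_like_http(payload: bytes) -> bool:
    """The shallow check a header signature makes: do the first 32 bytes start an HTTP request?"""
    return REQUEST_LINE.match(payload[:32]) is not None


def whole_flow_is_http(payload: bytes) -> bool:
    """Deeper check: every header line up to the blank line must be well-formed ASCII."""
    head = payload.split(b"\r\n\r\n", 1)[0]  # header block, or all we captured
    lines = head.split(b"\r\n")
    if REQUEST_LINE.match(lines[0] + b"\r\n") is None:
        return False
    return all(HEADER_LINE.match(line) for line in lines[1:] if line)


def classify(payload: bytes) -> str:
    """'http' = consistent; 'header-mimicry' = HTTP-like only at the start; 'not-http' otherwise."""
    if not prefix_looks_like_http(payload):
        return "not-http"
    return "http" if whole_flow_is_http(payload) else "header-mimicry"


if __name__ == "__main__":
    for name, flow in FLOWS.items():
        print(f"{name:7s} -> {classify(flow)}")
```

The "mimic" flow passes the prefix check exactly as a header-only signature would, and is only caught once the rest of the header block is validated.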

Another technique used by hackers is custom DNS lookups.


“Blacklist implementation in a network environment allows firewalls to block access to C&C server IP addresses,” the paper notes. “Access to C&C server domain names, however, cannot be blocked by firewalls since these do not block traffic until after a DNS lookup is triggered. Blocking queries to the DNS server is thus done instead. To bypass security measures, attackers trigger a custom DNS lookup query to Web services to divert traffic going to the real C&C server IP address.”
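Detection logic for the DNS evasion the paper describes: name resolution that bypasses the approved resolvers, and lookups carried out through a web service instead of the DNS server. This is an added example, not from the paper; the key=value log layout, the resolver list and the watched hostnames are all constructed assumptions.

```python
import re
from typing import Dict, List, Optional, Tuple

# Assumptions (not from the paper): the site's approved internal resolvers, and
# hostnames of web-based DNS lookup services the site has chosen to watch.
APPROVED_RESOLVERS = {"10.0.0.53", "10.0.0.54"}
WEB_DNS_HOSTS = {"doh-resolver.example", "dns-lookup.example"}
WEB_DNS_PATH = re.compile(r"/(dns-query|resolve)\b")

# Constructed log lines in a simple key=value layout (not a real product format):
# one direct query to the approved resolver, one to an outside resolver, one name
# lookup tunnelled through a web service, and one ordinary web request.
LOG = """\
ts=2024-05-01T09:00:01Z src=10.1.1.20 dst=10.0.0.53 proto=udp dport=53 qname=updates.vendor.example
ts=2024-05-01T09:00:07Z src=10.1.1.20 dst=198.51.100.9 proto=udp dport=53 qname=cdn-sync.example
ts=2024-05-01T09:00:09Z src=10.1.1.20 dst=203.0.113.7 proto=tcp dport=443 host=doh-resolver.example path=/dns-query?name=cdn-sync.example
ts=2024-05-01T09:00:12Z src=10.1.1.21 dst=203.0.113.8 proto=tcp dport=443 host=www.example.com path=/index.html
"""


def parse(line: str) -> Dict[str, str]:
    """Split one constructed log line into a field dictionary."""
    return dict(kv.split("=", 1) for kv in line.split())


def inspect(event: Dict[str, str]) -> Optional[str]:
    """Return a finding label for one event, or None if nothing is suspicious."""
    if event.get("dport") == "53" and event.get("dst") not in APPROVED_RESOLVERS:
        return "dns-to-unapproved-resolver"
    if event.get("dport") == "443":
        if event.get("host") in WEB_DNS_HOSTS or WEB_DNS_PATH.search(event.get("path", "")):
            return "dns-lookup-via-web-service"
    return None


def findings(log: str) -> List[Tuple[str, str, str]]:
    """(source host, looked-up or contacted name, finding) for every flagged line."""
    out = []
    for line in log.splitlines():
        ev = parse(line)
        label = inspect(ev)
        if label:
            out.append((ev["src"], ev.get("qname") or ev.get("host", ""), label))
    return out


if __name__ == "__main__":
    for src, name, label in findings(LOG):
        print(f"{src} {label}: {name}")
```

The same name appearing first as a direct query to an outside resolver and then inside a web-service lookup from the same host is the pattern worth correlating.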

“IT administrators need to know every possible means by which their networks can be breached and must then find a way to protect it,” the researchers explained in the paper. “Attackers, on the other hand, only need to find a single weakness to exploit in a target network to succeed. The weakest point—the human factor—makes awareness a critical component of securing networks.”

Written By

Marketing professional with a background in journalism and a focus on IT security.
