Backdoors and Trojans in Applications

By Paladion

December 15, 2004

A backdoor is a secret or unauthorized channel for accessing a computer system. In an attack scenario, attackers install backdoors on a machine once it has been compromised, so that they can access it more easily at later times.

Application Backdoors

With the growing use of e-commerce, web applications have become a target of choice for attackers. With a backdoor, such an attacker can have virtually full and undetected access to your application for a long time. It is critical to understand the ways a backdoor can be installed and to take the required preventive steps.

Essentially, three kinds of vulnerability can introduce a backdoor into an application:

Buffer overflow attacks: These attacks involve sending overly long input to the attacked server, causing the server to overwrite parts of its memory and either crash or execute the attacker's arbitrary code as if it were part of the server's own code. The attacker's input can inject backdoor code and also overwrite the return address of a function within the server code so that it points to the backdoor. When the function returns, the backdoor is installed.

Cross Site Scripting: Cross site scripting (also known as XSS) occurs when a web application gathers malicious data from a user, usually in the form of a hyperlink. This hyperlink can carry a backdoor within it. After the data is collected by the web application, it creates an output page for the user containing the backdoor that was originally sent to it, but in a manner that makes it appear to be valid content from the website. The attacker can later connect remotely to the backdoor, bypassing any authentication mechanisms of the application.
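The reflection described above, as an added example that is not part of the original article: a hyperlink parameter is extracted the way the application would, then rendered once verbatim (the vulnerable form) and once HTML-encoded (the hardened form). The sample link, the parameter name `name` and all function names are constructed for this illustration.

```python
import html
from urllib.parse import urlparse, parse_qs

# Constructed sample hyperlink: the "name" parameter carries markup instead of a name.
# This is a stand-in for untrusted input; it does not come from the original article.
SAMPLE_LINK = (
    "https://example.invalid/greet?"
    "name=%3Cscript%3E%2F*+constructed+*%2F%3C%2Fscript%3E"
)


def extract_param(link: str, key: str) -> str:
    """Pull one query parameter out of a hyperlink, as the web application would."""
    query = parse_qs(urlparse(link).query, keep_blank_values=True)
    return query.get(key, [""])[0]


def render_unsafe(name: str) -> str:
    """Vulnerable form: the parameter is reflected verbatim, so any markup it
    contains becomes part of the page and is treated as the site's own content."""
    return f"<p>Hello, {name}!</p>"


def render_safe(name: str) -> str:
    """Hardened form: the parameter is encoded for an HTML text context, so the
    browser displays the characters instead of interpreting them as markup."""
    return f"<p>Hello, {html.escape(name, quote=True)}!</p>"


def reflects_markup(page: str, untrusted: str) -> bool:
    """Simple check a test or log review can apply: does a script tag from the
    untrusted value survive, unencoded, in the rendered page?"""
    return "<script" in untrusted.lower() and "<script" in page.lower()


if __name__ == "__main__":
    value = extract_param(SAMPLE_LINK, "name")
    print("unsafe:", render_unsafe(value), reflects_markup(render_unsafe(value), value))
    print("safe:  ", render_safe(value), reflects_markup(render_safe(value), value))
```

The encoding in `render_safe` is correct only for an HTML text context; a value placed inside an attribute, a URL or a script block needs the encoding for that context instead.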

Remote Administration / Troubleshooting: Administrators, and sometimes developers, connect directly to the application for troubleshooting. After finishing the job they may forget to stop the related service, or, while fixing an urgent problem in the application, they may introduce insecure code. In both cases attackers get an easy way to inject a backdoor, which they later use for information theft.

Some useful preventive steps:

  • Develop documented secure practices for remote administration of the server and for troubleshooting the application.
  • Ideally, the development and production environments should be kept separate, with no access to production for any programming changes.
  • Train developers in secure coding in order to avoid attacks like buffer overflow and XSS.
  • Test all applications, and any modification to an application, for security risks before rolling them into the production environment.
  • Routinely audit user accounts, configuration files and system files for changes, and ensure that any changes found have been authorized.
  • Purge all the logs after fixing a problem in the application.
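One way to carry out the routine audit of configuration and system files recommended above, as an added example that is not part of the original article: record a SHA-256 baseline of every file under a directory, then compare a later snapshot against it and report what was added, removed or modified, so that each difference can be checked against an authorized change. The directory layout, file names and contents in `demo()` are constructed for this illustration.

```python
import hashlib
import os
import tempfile


def sha256_of(path: str) -> str:
    """Digest a file in chunks so large files do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: str) -> dict:
    """Map each file under root (path relative to root) to its SHA-256 digest."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = sha256_of(full)
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Report files added, removed or modified since the baseline was taken.
    Every entry in the result should correspond to an authorized change."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(
            path for path in baseline.keys() & current.keys()
            if baseline[path] != current[path]
        ),
    }


def demo() -> dict:
    """Constructed scenario: baseline three files, then modify one, add one
    and delete one, as an unauthorized change to a deployment might."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "conf"))
        files = {
            "conf/app.conf": b"debug=false\n",
            "conf/users.txt": b"alice\n",
            "index.html": b"<h1>ok</h1>\n",
        }
        for rel, data in files.items():
            with open(os.path.join(root, rel), "wb") as handle:
                handle.write(data)
        baseline = build_baseline(root)

        # Simulated changes made after the baseline was recorded (constructed).
        with open(os.path.join(root, "conf", "app.conf"), "wb") as handle:
            handle.write(b"debug=true\n")
        with open(os.path.join(root, "extra.txt"), "wb") as handle:
            handle.write(b"unexpected file\n")
        os.remove(os.path.join(root, "conf", "users.txt"))

        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

In practice the baseline should be stored somewhere the audited host cannot rewrite it, otherwise an intruder who can alter the files can also alter the record they are compared against.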

These steps describe a dynamic process for establishing a "defense in depth" security posture that not only protects you from current threats, but also allows you to detect and protect your applications against future threats.
