CertiGuide to Security+  9  Chapter 1:  General Security Concepts (Domain 1.0; 30%)       9  1.4  Attacks            9  1.4.2  Backdoors

How Do Backdoors Get Onto a System? 1 1.4.3  Spoofing

Most modern anti-virus software will quickly pick up backdoor software, however, very new Trojans or rootkits can be easily missed. In this instance, detection becomes much harder. (One lesson to take from this is that you should keep your anti-virus signature file as up-to-date as possible, to maximize the number of backdoors it can detect.)

Even if you’re anti-virus software doesn’t identify a particular backdoor, analysis of network traffic and processor/memory utilization will usually yield some clues.

Once a computer has had a backdoor installed, it generally cannot be considered safe to use until it has been wiped and rebuilt from scratch. Take the machine off the network immediately (but do not power down, as that may remove evidence) and perform your forensic investigations. Once you have finished, power the machine down, boot from a write-protected “clean” floppy disk and remove all data & partitions from the system. Then reboot using your operating system install floppies or CD, and reinstall the operating system from scratch.

Backdoors are also one of the best reasons for ensuring your firewall rules are correctly configured. Someone installing a backdoor which listens for network connections can often set it up to listen on any unused TCP/IP port. Stick to the “Deny by default” methodology and ensure that your firewall prevents all but the minimum requirement of traffic to pass through it. Yes, this means denying access even to ports on which you “know” you are not running services – just in case someone else decides to start a bogus one up on one of those ports. If, an attacker configures their Trojan to listen for incoming connections on port 31337 and your firewall only allows traffic to pass on port 80, you’re making it much harder for them to gain further access into your network.

Before leaving rootkits, the title "Exploiting Software: How to Break Code" (Addison-Wesley/Pearson Higher Education, February 2004) does mention one scary thought. "It turns out that on the motherboard of a typical PC there are many megabytes of unused EPROMM memory sitting around," he explained. "And if you rewrite interrupt tables properly, you can place malicious code on the motherboard that will never go away way down there. I found working on that fascinating and downright scary. If you get rooted by somebody who's really serious about it, they could hide the rootkit so low that, unless you replace the motherboard, you're owned forever.⁷¹"

How Do Backdoors Get Onto a System? 1 1.4.3  Spoofing