AUGUST 15, 2014
Your regular source of security updates from TrendLabs℠
In This Issue

Security Spotlight
The Two Sides of the Bitcoin

Security for Home Users
A Homeowner’s Guide to “Smart Living”

Security for Business
The Role of Backdoors in Targeted Attacks



Security for Business

The Role of Backdoors in Targeted Attacks

“Various capabilities allow backdoors to play an important role in targeted attacks. They allow attackers to evade detection while gaining command and control of target networks.”



Backdoors are applications that open up computers to remote access. Unprotected networked computers, including public, home, and office systems, can give attackers opportunities to issue silent commands to infected computers, allowing them to spy on online conversations, access infected sites, and steal passwords.

These capabilities allow backdoors to play an important role in targeted attacks. They allow attackers to evade detection while gaining command and control of target networks.

We recently studied the following backdoor techniques attackers commonly use in targeted attacks:

  • Communicating with open ports: A network that isn’t protected by a firewall is vulnerable to backdoors that communicate via open computer ports in a technique called “port binding.” This allows attackers to easily communicate with or, worse, control an infected computer.

  • Bypassing firewalls: The connect-back technique can also be used on networks not protected by firewalls. Backdoors can check for unprotected ports while evading security solutions. Free ports allow attackers access from a command-and-control (C&C) server to vulnerable computers.

  • Checking available connections and transferring files: Backdoors can ride on available connections to bypass intrusion detection systems (IDSs). They can temporarily access computers to execute malicious activities like unwarranted file transfers.

  • Hosting C&C server information on legitimate sites: Attackers sometimes use legitimate sites to store C&C information. Backdoors are configured to access these sites, often blog pages, to get the data they need to access C&C servers.

  • Abusing Web services: Backdoors can report inside information to attackers by sending messages through common Web service protocols.

  • Changing protocols: Backdoors can be programmed to modify protocols so they can access C&C servers while evading detection.

  • Using custom Domain Name System (DNS) lookups: Backdoors that trigger custom DNS lookups from external Web services allow attackers to bypass blacklisting measures.

  • Reusing ports to listen in: Modifying OS privileges allows attackers to reuse already-open ports to communicate with target computers.

Threat actors always find effective ways to exfiltrate information. Understanding their techniques helps IT administrators thwart their attempts.
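As an added example (not Trend Micro's code), here is a small triage routine an administrator could run over a host's socket table to surface four of the behaviours listed above: port binding, connect-back sessions, custom DNS lookups and port reuse. The allowlists, resolver address and sample socket records are constructed for the example and stand in for a site's own policy.

```python
import ipaddress
from collections import defaultdict

# Constructed site policy (hypothetical values for this example).
ALLOWED_LISTENERS = {22: {"sshd"}, 443: {"nginx"}}  # port -> processes that may LISTEN
ALLOWED_OUTBOUND = {"firefox"}                       # processes that may talk to the Internet
CORPORATE_RESOLVERS = {"10.0.0.53"}                  # the only DNS servers hosts should use
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def is_external(ip):
    return not any(ipaddress.ip_address(ip) in net for net in INTERNAL_NETS)

def triage(records):
    """Group suspicious sockets by the backdoor technique they suggest."""
    # records: (proto, state, local_port, remote_ip, remote_port, process) tuples,
    # i.e. the columns of one `ss -tunap` / `netstat -anob` line.
    findings = defaultdict(list)
    listeners = defaultdict(set)
    for proto, state, lport, rip, rport, proc in records:
        if state == "LISTEN":
            listeners[lport].add(proc)
            if proc not in ALLOWED_LISTENERS.get(lport, set()):
                # Port binding: an unexpected process waits for inbound commands.
                findings["port_binding"].append(f"{proc} listens on {proto}/{lport}")
        elif rport == 53 and rip not in CORPORATE_RESOLVERS:
            # Custom DNS lookups: resolution that sidesteps the corporate resolvers.
            findings["custom_dns"].append(f"{proc} resolves via {rip}")
        elif state == "ESTABLISHED" and is_external(rip) and proc not in ALLOWED_OUTBOUND:
            # Connect-back: an outbound session from a process with no business outside.
            findings["connect_back"].append(f"{proc} -> {rip}:{rport}")
    for lport, procs in listeners.items():
        if len(procs) > 1:
            # Port reuse: more than one process attached to the same listening port.
            findings["port_reuse"].append(f"port {lport} shared by {sorted(procs)}")
    return dict(findings)

# Constructed sample socket table; the comments mark what each line should trigger.
SAMPLE = [
    ("tcp", "LISTEN", 22, "0.0.0.0", 0, "sshd"),
    ("tcp", "LISTEN", 443, "0.0.0.0", 0, "nginx"),
    ("tcp", "LISTEN", 443, "0.0.0.0", 0, "updater.exe"),               # port_binding, port_reuse
    ("tcp", "LISTEN", 8081, "0.0.0.0", 0, "svchost.exe"),              # port_binding
    ("tcp", "ESTABLISHED", 50123, "203.0.113.10", 443, "firefox"),     # allowed
    ("tcp", "ESTABLISHED", 50124, "198.51.100.7", 80, "notepad.exe"),  # connect_back
    ("udp", "ESTABLISHED", 50125, "10.0.0.53", 53, "systemd-resolved"),  # allowed
    ("udp", "ESTABLISHED", 50126, "8.8.8.8", 53, "notepad.exe"),       # custom_dns
]
```

Calling `triage(SAMPLE)` returns the findings keyed by technique; on a real host the records would come from parsing the socket listing, and each hit is a lead for the analyst rather than a verdict.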

Copyright ©2014 Trend Micro Incorporated. All rights reserved. Trend Micro and the Trend Micro t-ball logo are trademarks or registered trademarks of Trend Micro Incorporated. All other company and/or product names may be trademarks or registered trademarks of their respective owners. The information contained in this document is subject to change without prior notice.

www.trendmicro.com
