What is a backdoor?
Imagine you’re a burglar casing a house for a potential robbery. You see a “Protected by…” security sign staked in the front lawn and Ring doorbell camera. Being the crafty cat burglar that you are, you hop the fence leading to the back of the house. You see there’s a backdoor, cross your fingers, and try the knob—it’s unlocked. To the casual observer, there are no external signs of a burglary. In fact, there’s no reason you couldn’t rob this house through the same backdoor again, assuming you don’t ransack the place.
Computer backdoors work in much the same way.
In the world of cybersecurity, a backdoor refers to any method by which authorized and unauthorized users are able to get around normal security measures and gain high level user access (aka root access) on a computer system, network, or software application. Once they’re in, cybercriminals can use a backdoor to steal personal and financial data, install additional malware, and hijack devices.
But backdoors aren’t just for bad guys. Backdoors can also be installed by software or hardware makers as a deliberate means of gaining access to their technology after the fact. Backdoors of the non-criminal variety are useful for helping customers who are hopelessly locked out of their devices or for troubleshooting and resolving software issues.
Unlike other cyberthreats that make themselves known to the user (looking at you ransomware), backdoors are known for being discreet. Backdoors exist for a select group of people in the know to gain easy access to a system or application.
As a threat, backdoors aren’t going away anytime soon. According to the Malwarebytes Labs State of Malware report, backdoors were the fourth most common threat detection in 2018 for both consumers and businesses—respective increases of 34 and 173 percent over the previous year.
If you’re concerned about backdoors, you heard about backdoors in the news and want to know what the deal is, or you have a backdoor on your computer and need to get rid of it right now, you’re in the right place. Read on and get ready to learn everything you’ve ever wanted to know about backdoors.
News on backdoors
- Has your WordPress site been backdoored by a skimmer?
- Kimsuky APT continues to target South Korean government using AppleSeed backdoor
- Microsoft Exchange attacks cause panic as criminals go shell collecting
- Backdoors in elastic servers expose private data
- Backdoors are a security vulnerability
- Mac malware combines EmPyre backdoor and XMRig miner
- Mac cryptocurrency ticker app installs backdoors
- Another OSX.Dok dropper found installing new backdoor
How do backdoors work?
Let’s start by figuring out how backdoors end up on your computer to begin with. This can happen in a couple different ways. Either the backdoor comes as a result of malware or by an intentional manufacturing (hardware or software) decision.
Backdoor malware is generally classified as a Trojan. A Trojan is a malicious computer program pretending to be something it’s not for the purposes of delivering malware, stealing data, or opening up a backdoor on your system. Much like the Trojan horse of ancient Greek literature, computer Trojans always contain a nasty surprise.
Trojans are an incredibly versatile instrument within the cybercriminal toolkit. They come under many guises, like an email attachment or file download, and deliver any number of malware threats.
To compound the problem, Trojans sometimes exhibit a worm-like ability to replicate themselves and spread to other systems without any additional commands from the cybercriminals that created them. Take, for example, the Emotet banking Trojan. Emotet got its start in 2014 as an information stealer, spreading across devices and stealing sensitive financial data. Since then Emotet has evolved into a delivery vehicle for other forms of malware. Emotet helped make the Trojan the top threat detection for 2018, according to the State of Malware report.
In one example of backdoor malware, cybercriminals hid malware inside of a free file converter. No surprise—it didn’t convert anything. In fact, the download was designed solely to open up a backdoor on the target system. In another example, cybercriminals hid backdoor malware inside of a tool used for pirating Adobe software applications (let that be a lesson on software piracy). And in one final example, a seemingly legitimate cryptocurrency ticker app called CoinTicker worked as advertised, displaying information about various forms of cryptocurrency and markets, but it also opened a backdoor.
Once cybercriminals have their foot in the door, they might employ what’s known as a rootkit. A rootkit is a package of malware designed to avoid detection and conceal Internet activity (from you and your operating system). Rootkits provide attackers with continued access to infected systems. In essence, the rootkit is the doorstopper that keeps the backdoor open.
Built-in or proprietary backdoors are put in place by the hardware and software makers themselves. Unlike backdoor malware, built-in backdoors aren’t necessarily conceived with some criminal purpose in mind. More often than not, built-in backdoors exist as artifacts of the software creation process.
Software developers create these backdoor accounts so they can quickly move in and out of applications as they’re being coded, test their applications, and fix software bugs (i.e. mistakes) without having to create a “real” account. These backdoors aren’t supposed to ship with the final software released to the public, but sometimes they do. It’s not the end of the world, but there’s always the chance a proprietary backdoor will fall into the hands of cybercriminals.
While the majority of built-in backdoors that we know about fall into the former category (i.e. the “whoops, we didn’t mean to put that there” category) members of the Five Eyes intelligence sharing pact (the US, UK, Canada, Australia, and New Zealand) have asked Apple, Facebook, and Google to install backdoors in their technology to aid in evidence gathering during criminal investigations. Though all three companies have declined, all three do provide downstream data to the extent required by law.
The Five Eyes nations have stressed that these backdoors are in the best interest of global security, but there’s a lot of potential for abuse. CBS News found dozens of police officers all over the country used currently available criminal databases to help themselves and their friends harass their exes, creep on women, and harass journalists who took umbrage with their harassing and creeping.
That being said, what if government agencies decided they weren’t going to take no for an answer?
This brings us to the supply chain backdoor. As the name suggests, a supply chain backdoor is inserted surreptitiously into the software or hardware at some point in the supply chain. This could happen as raw materials are shipped from supplier to manufacturer or as the finished product makes its way from manufacturer to consumer.
For example, a government agency could intercept completed routers, servers and miscellaneous networking gear on its way to a customer, then install a backdoor into the firmware. And, by the way, the US National Security Agency (NSA) actually did that, as revealed in the 2013 Edward Snowden global surveillance disclosures.
Supply chain infiltrations could also happen in software. Take open source code, for example. Open source code libraries are free repositories of code, applications, and development tools that any organization can dip into instead of coding everything from scratch. Sounds great, right? Everyone working together for the greater good, sharing the fruits of their labor with each other. For the most part, it is great. Any contribution to the source code is up for scrutiny, but there have been instances where malicious code has made its way to the end user.
To that point, in July of 2018 cryptomining malware was found inside of an app (or “snap,” as they call it in the world of Linux) for Ubuntu and other Linux-based operating systems. Canonical, the developers of Ubuntu admitted, “It’s impossible for a large-scale repository to only accept software after every individual file has been reviewed in detail.”
Are backdoors and exploits the same?
Malwarebytes Labs defines exploits as, “known vulnerabilities in software that can be abused to gain some level of control over the systems running the affected software.” And we know a backdoor works like a secret entrance into your computer. So are backdoors and exploits one in the same?
While backdoors and exploits seem awfully similar at first glance, they are not the same thing.
Exploits are accidental software vulnerabilities used to gain access to your computer and, potentially, deploy some sort of malware. To put it another way, exploits are just software bugs that researchers or cybercriminals have found a way to take advantage of. Backdoors, on the other hand, are deliberately put in place by manufacturers or cybercriminals to get into and out of a system at will.
What can hackers do with a backdoor?
Hackers can use a backdoor to install all manner of malware on your computer.
- Spyware is a type of malware that, once deployed on your system, collects information about you, the sites you visit on the Internet, the things you download, the files you open, usernames, passwords, and anything else of value. A lesser form of spyware called keyloggers specifically track every keystroke and click you make. Companies may use spyware/keyloggers as a legitimate and legal, means of monitoring employees at work.
- Ransomware is a type of malware designed to encrypt your files and lock down your computer. In order to get back those precious photos, documents, etc. (or whatever file type the attackers choose to target) you have to pay the attackers via some form of cryptocurrency, usually Bitcoin.
- Use your computer in a DDoS attack. Using the backdoor to get super user access on your system, cybercriminals can take command of your computer remotely, enlisting it in a network of hacked computers, aka a botnet. With this zombie computer botnet, criminals can then overwhelm a website or network with traffic from the botnet in what’s known as a distributed denial of service attack (DDoS). The flood of traffic prevents the website or network from responding to legitimate requests, effectively taking the site out of service.
- Cryptojacking malware is designed to use your system’s resources to mine cryptocurrency. In short, every time someone exchanges cryptocurrency the transaction is recorded on an encrypted virtual ledger known as the blockchain. Cryptomining is the process of validating these online transactions in exchange for more cryptocurrency and it takes an enormous amount of computing power. Instead of buying the expensive hardware required for cryptomining, criminals have found that they can simply enlist hacked computers in a botnet that works the same as expensive cryptomining farms.
What is the history of backdoors?
Here’s a look back at some of the most (in)famous backdoors, both real and fictional since the dawn of computers.
One could argue backdoors entered the public consciousness in the 1983 science fiction film WarGames, starring Matthew Broderick (in what feels like a test run for Ferris Bueller). Broderick as mischievous teenage hacker David Lightman uses a built-in backdoor to gain access to a military supercomputer designed to run nuclear war simulations. Unbeknownst to Lightman, the schizophrenic computer can’t tell reality from simulation. And also some genius decided to give the computer access to the entire United States nuclear arsenal. Hilarity ensues as the computer threatens to blow up the entire world.
In 1993 the NSA developed an encryption chip with a built-in backdoor for use in computers and phones. Supposedly, the chip would keep sensitive communications secure while allowing law enforcement and government agencies to decrypt and listen in on voice and data transmissions when warranted. Hardware backdoors have big advantages over the software kind. Namely, they are harder to remove—you have to rip the hardware out or re-flash the firmware to do so. The chip, however, was derailed over privacy concerns before seeing any kind of adoption.
In 2005 Sony BMG got into the business of backdoors when they shipped millions of music CDs with a harmful copy protection rootkit. Little did you know, while rocking out to the latest edition of Now That’s What I Call Music! your CD included a rootkit, which would install itself automatically once inserted into your computer.
Designed to monitor your listening habits, the Sony BMG rootkit would also stop you from burning CDs and left a gaping vulnerability in your computer that cybercriminals could take advantage of. Sony BMG paid out millions to settle lawsuits related to the rootkit and recalled even more millions of CDs.
In 2014 several Netgear and Linksys routers were found to have built-in backdoors. SerComm, the third-party manufacturer that put the routers together, denied putting the backdoors in their hardware on purpose. But when the patch SerComm released ended up hiding the backdoor instead of fixing it, it became clear the company was up to no good. Exactly what SerComm was trying to accomplish with the backdoor remains unclear.
That same year software developers working on a spinoff of Google’s Android operating system (called Replicant) discovered a backdoor on Samsung mobile devices, including Samsung’s Galaxy series of phones. The backdoor allegedly allowed Samsung or anyone else who knew about it remote access to all of the files stored on affected devices. In response to the discovery, Samsung referred to the backdoor as a “feature” that posed “no security risk.”
The other famous phone maker, Apple, refuses to include backdoors in its products, despite repeated requests from the FBI and US Department of Justice to do so. Pressure mounted following the 2015 San Bernardino terrorist attacks in which the FBI recovered an iPhone owned by one of the shooters. Instead of compromising the security of their iOS devices, Apple doubled down on privacy and made their iPhones and iPads even harder to crack. The FBI eventually withdrew their request when they were able to hack the older, less secure iPhone with the help of a mysterious third party.
Plugins containing malicious hidden code for WordPress, Joomla, Drupal and other content management systems are an ongoing problem. In 2017 security researchers uncovered an SEO scam that affected more than 300,000 WordPress websites. The scam centered around a WordPress CAPTCHA plugin called Simply WordPress. Once installed, Simply WordPress opened up a backdoor, allowing admin access to the affected websites. From there, the hacker responsible embedded hidden links to his sketchy payday loan website (other websites linking back to your website is great for SEO).
2017 also bore witness to the destructive NotPetya ransomware. The apparent patient zero in this case was a backdoor Trojan disguised as a software update for a Ukrainian accounting app called MeDoc. When questioned, MeDoc denied being the source for NotPetya. The real question—why would someone choose a wildly suspect Ukrainian accounting app called MeDoc?
In a 2018 news story that sounds like the setup for a straight-to-video, B-movie thriller, Bloomberg Businessweek reported state sponsored Chinese spies had infiltrated server manufacturer Supermicro. The spies allegedly installed spy chips with hardware backdoors on server components destined for dozens of American tech companies and US government organizations—most notably Amazon, Apple, and the CIA.
Once installed in a data center, the spy chips were said to communicate back with Chinese command and control (C&C) servers, giving Chinese operatives unrestricted access to data on the network. Amazon, Apple, and various US government officials have all refuted the claims made in the Bloomberg story. Supermicro, in their defense, called the story “virtually impossible,” and no other news organization has picked it up.
Finally, as an example of a situation where a company wishes they had a backdoor, Canadian cryptocurrency exchange QuadrigaCX made news in early 2019 when the company founder died abruptly while vacationing in India, taking the password to everything with him. QuadrigaCX claims all $190 million in client cryptocurrency holdings are irretrievably locked away in “cold storage,” where they will sit for decades and eventually be worth zillions of dollars—or nothing, depending on how cryptocurrency goes.
How can I protect against backdoors?
Good news bad news. The bad news is that it’s difficult to identify and protect yourself against built-in backdoors. More often than not, the manufacturers don’t even know the backdoor is there. The good news is that there are things you can do to protect yourself from the other kinds of backdoors.
Change your default passwords. The hardworking people in your company’s IT department never intended for your actual password to be “guest” or “12345.” If you leave that default password in place, you’ve unwittingly created a backdoor. Change it as soon as possible and enable multi-factor authentication (MFA) while you’re at it. Yes, keeping track of a unique password for every application can be daunting. A Malwarebytes Labs report on data privacy found that 29 percent of respondents used the same password across numerous apps and devices. Not bad, but there’s still room for improvement.
Monitor network activity. Any weird data spikes could mean someone is using a backdoor on your system. To stop this, use firewalls to track inbound and outbound activity from the various applications installed on your computer.
Choose applications and plugins carefully. As we’ve covered, cybercriminals like to hide backdoors inside of seemingly benign free apps and plugins. The best defense here is to make sure whatever apps and plugins you choose come from a reputable source.
Android and Chromebook users should stick with apps from the Google Play store, while Mac and iOS users should stick to Apple’s App Store. Bonus related tech tip—when a newly installed app asks for permission to access data or functions on your device, think twice. Suspect apps have been known to make it through Google and Apple’s respective app vetting processes.
Referring back to the data privacy study, most respondents did well to track app permissions, but 26 percent said, “I don’t know.” Take some time, possibly right now, to review app permissions on your devices (Malwarebytes for Android will do this for you). As for WordPress plugins and the like. Check user ratings and reviews and avoid installing anything with a less than stellar score.
Use a good cybersecurity solution. Any good anti-malware solution should be able to stop cybercriminals from deploying the Trojans and rootkits used to open up those pesky backdoors. Malwarebytes, for example, has cybersecurity solutions for Windows, Mac, and Chromebook. Not to mention Malwarebytes for Android and Malwarebytes for iOS, so you can stay protected on all your devices. Business users—we’ve got you covered too. Check out all of Malwarebytes business solutions.
And if your interest in backdoors goes beyond what you’ve read here, be sure to read and subscribe to the Malwarebytes Labs blog. There you’ll find all the latest news on backdoors and everything else that matters in the world of cybersecurity.