Abstract: Vulnerabilities are of course "backdoors." In this
lecture, we focus on how an attacker having obtained access to a
system carefully plants backdoors facilitating future visits. So
called rootkits also provide backdoors. These are discussed in a
- Educational Objectives
- Some Well Known Backdoors
- Backdooring Binary Objects
- Lab Experiment
- Present the backdoors installed once a system is compromised.
- Discovering and disabling backdoors.
The backdoors for most intruders provide two or three main functions.
- Be able to get back into a machine even if the administrator
tries to secure it, e.g., changing all the passwords.
- Be able to get back into the machine with the least amount of
visibility. Most backdoors provide a way to avoid being logged
and many times the machine can appear to have no one online even
while an intruder is using it.
- Be able to get back into the machine with the least amount of
time. Most intruders want to easily get back into the machine
without having to do all the work of exploiting a hole to gain
Vulnerabilities and pre-installed Trojans are of course
"backdoors." In this lecture, we focus on how an attacker having
obtained access to a system carefully plants backdoors facilitating future
visits. So called rootkits also provide backdoors. These are
discussed in a separate lecture.
Some Well Known Backdoors
Below we summarize some of the backdoors that have been in use.
- Login Backdoor:
Install a modified login so that if you typed in the backdoor
password, it would allow you to log in regardless of what the password
really is. Such a backdoor would spawn access before the user
actually logged in and appeared in utmp
and wtmp. To better hide such backdoor passwords from
commands like strings, one can encrypt and hide backdoor password
- Services Backdoor: Almost every network service has at one time or
another been backdoored by an intruder. Backdoored versions
of finger, rsh, rexec, rlogin, ftp,
even inetd, etc., have been floating around forever.
These are programs that are nothing more than a shell connected to a
TCP port with maybe a backdoor password to gain access. These programs
sometimes replace a service like uucp that never gets used or they get
added to the inetd.conf file as a new service.
A normal in.telnetd, does several checks such as the
setting of the environment variable named TERM (for terminal the user
was using). Typically, the terminal setting might be Xterm or VT100.
An intruder could backdoor it so that when the terminal was set to,
say, "letmein", it would spawn a shell without requiring any
- Cron backdoor: Cron on Unix schedules the running of certain
programs according to a configuration file. An intruder could add
a backdoor shell program to run between 1 AM and 2 AM. So, for 1 hour
every night, the intruder could gain access. Intruders have also
looked at legitimate programs that typically run in cronjob and built
backdoors into those programs as well.
- Library backdoors: Almost every UNIX system uses shared
(*.so) libraries. The shared libraries are intended to
reuse many of the same routines thus cutting down on the size of
programs. Some intruders have backdoored routines
like crypt.o and _crypt.o. Programs like
login would use the crypt() routine and if
a backdoor password was used it would spawn a shell. Therefore, even if the
administrator was checking the MD5 of the login program, it was still spawning a
backdoor routine and many administrators were not checking
the libraries as a possible source of backdoors.
Suppose we start doing MD5 checksums of almost everything. Attackers
get around that by backdooring the open() library routine and file
access routines. The backdoor routines were configured to read the
original files, but execute the Trojan backdoors. Therefore, when the
MD5 checksum program was reading these files, the checksums always
looked good. But when the system ran the program, it executed the
Trojan version. Even the trojan library itself, could be hidden from
the MD5 checksums. It is therefore necessary to statically link the
MD5 checksum checker, and be very sure of the loader.
- Kernel backdoors: The same method used for libraries for bypassing
MD5 checksum could be used at the kernel level. Even a statically
linked MD5 program cannot tell the difference.
- File system backdoors: An intruder will want to store their
"loot" on the server waiting for an opportune time to
transport it away. To hide these rather large files from an
administrator, an intruder may patch the files system commands like
"ls", "du", and "fsck" to hide the
existence of certain directories or files. In one case, an intruder
created a section on the hard drive to have a proprietary format that
was designated as "bad" sectors on the hard drive.
- Bootblock backdoors: In the PC world, many viruses hide within the
boot block section and most antivirus software will check to see if
the boot block has been altered. On Unix, surprisingly, it is not
typical to check the boot block, therefore some intruders have placed
backdoors in the boot block area.
- Network traffic backdoors: There are many network backdoor programs
that allow an intruder to set up on a certain port number on a machine
that will allow access without ever going through the normal
services. Because the traffic is going to a non-standard network port,
the administrator can overlook the intruder's traffic. These network
traffic backdoors are typically using TCP, UDP, and ICMP, but it could
be many other kinds of packets.
Administrators can spot a TCP connection and notice the odd behavior,
while UDP shell backdoors lack any connection so netstat would not show an
intruder accessing the machine. Many firewalls have been configured to
allow UDP packets for services like DNS through. Many times,
intruders will place the UDP Shell backdoor on that port and it will be allowed
to by-pass the firewall.
- Encrypted Link: An administrator can set up a sniffer trying to see
the data while a suspicious someone is accessing a shell, but an
intruder can add encryption to the network traffic backdoors and it
becomes almost impossible to determine what is actually being
transmitted between the two machines.
- Syntactic Problems in /etc/passwd: When parsing uid/gid in the
/etc/password file, most login(1) implementations will fail to detect
non-numeric characters in the uid/gid field and the standard atoi(3)
will return 0, giving super user privileges. Example:
On Linux boxes, this will give uid 0 to user rmartin.
Backdooring Binary Objects
The article by [klog] describes object backdooring methods by manipulating
This article is based on [Klaus]. The details regarding wtmp and
services can be found in Garfinkel and Spafford.
- Christopher Klaus, "Backdoors", Usenet news group article, 8/4/97.
- klog, Backdooring Binary Objects, Phrack Magazine,
www.phrack.com Volume 0xa,
Issue 0x38 05.01.2000 0x09[0x10] Recommended Reading.
- Van Hauser, Placing
Backdoors Through Firewalls, April 1998, http://www.itsecurity.com/
papers/p37.htm Required Reading after the Firewalls lecture.
- Yin Zhang, and Vern Paxson, "Detecting Backdoors", Proceedings of the 9th
USENIX Security Symposium, Denver, Colorado, August 2000. Reference
- Simson Garfinkel, Gene Spafford, Chapter 10: Auditing and Logging,
Practical Unix and Internet Security, 3rd edition (2003), O'Reilly &
Associates; ISBN: 0596003234. Required Reading.
Copyright © 2010 •