I've been reading about famous hacking groups targeting law firms, corporations and individuals. They always use remote access backdoors to get into a victim's computer or phone and lock the system with ransomware or steal files and information. This made me wonder if there's a way, no matter how complicated, to close or block these backdoors?

Operating System(s): Any

schroeder
kit
  • That's like asking, "is there a way, no matter how complicated, to cure all cancer?" Because "backdoors" are the result of some other vulnerability that has been used to create and maintain the backdoor. There are a near infinite number of vulnerabilities and ways to exploit them. The only one sure way is to turn off the device. – schroeder Sep 18 '20 at 19:26
  • tcpdump to monitor, iptables to block, if possible resetting the whole system. – atheros Sep 18 '20 at 20:27

2 Answers

Short answer: possible, but not doable.

Long answer: not possible.

It's relatively easy to create a backdoor. Anyone with minimal programming knowledge can search around and create another backdoor. Most of them will be easily detected, but some can evade detection. Add that to the almost unlimited ways to communicate with the command and control servers, and you see how it is impossible to detect and block every backdoor.

I once saw a report on the Turla family of malware that used comments on a Britney Spears post to send the C&C server address to the agents. As Instagram is usually not blocked, and Britney looks like a famous person, nobody would suspect it was used as a malware communications channel. And sending data back is easy too: they can use Domain Fronting, DNS-over-TLS, DNS-over-HTTPS requests, even plain DNS queries.

That's why it is impossible for a common user to detect backdoors by himself: too many possible infection vectors (Word macros, browser exploits, infected PDF files, phishing), too many C&C communication paths, and too many exfiltration paths too.

Backdoors targeting normal users (any user, not a specific individual) can be detected and stopped by anti-malware, antivirus and firewalls. Most of them are not sophisticated enough to bypass basic defenses. Keeping your defenses up to date is enough to protect you from most of them.

But backdoors aimed at large corporations, governments, high profile law firms and specific individuals are a different kind. They use undocumented features, abuse normal OS components to disguise their actions, mix with expected traffic, and are tested against the target defenses. Their owners research the environment first, and create a specific backdoor to bypass the target defenses. They are not the normal, off-the-shelf malware, and employ a lot of effort to remain hidden for as long as possible.

So it's useless to try? No. Employing strong defenses means you are not a sitting duck or the lowest-hanging fruit, so the attackers will look elsewhere. But if the attackers have plenty of time, skills, and strong financial/political motivation (and external funding), they can break any defense.

ThoriumBR
  • @schroeder you are right, my answer is too broad, and I will edit it. But OP is talking about those backdoors hitting companies with large cyber security budgets, famous law companies. It is not expected to hit one of these with BackOrifice or SubSeven, nor any off-the-shelf RAT. – ThoriumBR Sep 20 '20 at 17:06
  • Thanks for adding the context. I still might qualify your first statements – schroeder Sep 20 '20 at 21:11
Sure, you observe all traffic to detect anomalous traffic. Whatever is not supposed to be there should be blocked.

Or, if you know what is supposed to be there, you simply block everything that you have not defined (block lists) or only allow what you have defined (allow lists).

Firewalls, IDS, anti-virus, sandboxes, proxies, and many other types of technologies are used to limit or block this type of traffic.

schroeder
  • But maybe you should add that the traffic should be monitored from a clean machine/node; I don't think you can trust a firewall installed on the same machine that you suppose is infected. – reed Sep 18 '20 at 19:53
  • As the user @ThoriumBR pointed out, it's very hard to detect the traffic. Most of them are very silent. And from what I know, communication paths are for the most part very natural-looking, even in the logs or when being looked at by firewalls. – Mobutu Sese Seko Kuku Ngbendu Sep 19 '20 at 09:32
  • @MobutuSeseSekoKukuNgbendu of course it is very difficult and nothing is 100% and some techniques are nearly impossible to detect. But if you want to block, this is what you do. Success depends on external factors. – schroeder Sep 19 '20 at 10:06
  • I agree. We may do everything in our power, but that's as far as it goes... – Mobutu Sese Seko Kuku Ngbendu Sep 19 '20 at 10:10
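As an added illustration of the allow-list approach from the second answer (this is example code, not something either answerer posted), the script below runs over a handful of constructed egress records, flags any destination or DNS zone that is not on the allow list, and additionally flags DNS labels whose character entropy looks encoded rather than word-like, the kind of plain-DNS channel the first answer mentions. All addresses, names, and the entropy threshold are constructed assumptions for the example.

```python
import math
from collections import Counter

# Constructed sample egress records (not real traffic): time src dst dport proto [qname]
SAMPLE_LOG = """\
2020-09-18T19:00:01 10.0.0.5 93.184.216.34 443 tcp
2020-09-18T19:00:02 10.0.0.5 10.0.0.53 53 udp updates.example.com
2020-09-18T19:00:03 10.0.0.5 10.0.0.53 53 udp a9f3c2e1d4b7.5e6f7a8b9c0d.cdn-example.net
2020-09-18T19:00:04 10.0.0.5 198.51.100.77 8443 tcp
2020-09-18T19:00:05 10.0.0.5 10.0.0.53 53 udp mail.example.com
"""

# Allow list (assumed): the only (destination, port) pairs and DNS zones this host should use.
ALLOWED_DESTS = {("93.184.216.34", 443), ("10.0.0.53", 53)}
ALLOWED_ZONES = ("example.com",)

def shannon_entropy(text):
    """Bits of entropy per character; random-looking labels score higher than words."""
    counts = Counter(text)
    return -sum(c / len(text) * math.log2(c / len(text)) for c in counts.values())

def parse_line(line):
    fields = line.split()
    return {"dst": fields[2], "dport": int(fields[3]), "proto": fields[4],
            "qname": fields[5] if len(fields) > 5 else None}

def in_allowed_zone(qname, zones):
    return any(qname == z or qname.endswith("." + z) for z in zones)

def find_violations(log_text, allowed_dests=ALLOWED_DESTS, zones=ALLOWED_ZONES,
                    entropy_threshold=3.5):
    """Return (reason, detail) for every record that is not explicitly allowed."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if (rec["dst"], rec["dport"]) not in allowed_dests:
            findings.append(("destination not allow-listed", f'{rec["dst"]}:{rec["dport"]}'))
        qname = rec["qname"]
        if qname is None:
            continue
        if not in_allowed_zone(qname, zones):
            findings.append(("dns zone not allow-listed", qname))
        first_label = qname.split(".")[0]  # leftmost label carries the payload in encoded queries
        if shannon_entropy(first_label) > entropy_threshold:
            findings.append(("high-entropy dns label", first_label))
    return findings

if __name__ == "__main__":
    for reason, detail in find_violations(SAMPLE_LOG):
        print(f"{reason}: {detail}")
```

As reed's comment notes, records like these should come from a tap or gateway rather than from the suspect host itself.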