When you hear the term Neapolitan, one of the first things that likely comes to mind is the ice cream flavor. What sets it apart from other ice cream flavors is that, instead of being one flavor, it is three separate flavors in one container. The same idea describes Neapolitan backdoor injection well.
Understanding Backdoor Injection
A backdoor is a style of malware that circumvents standard authentication, giving nefarious individuals access to your system. It lets them keep continued access to applications, files, databases, etc., issue system commands, and update their malware remotely.
Once vulnerable components of a web application have been attacked and the malware has been installed, it is difficult to detect and even harder to remove completely. An installed backdoor makes possible activities including:
- Server hijacking
- Website defacing
- Data theft
- Distributed denial of service attacks
- Advanced persistent threat assaults
- Website infection
One of the more common and more successful backdoor installation methods involves a technique referred to as RFI, or remote file inclusion. This method identifies and attacks vulnerabilities within applications, focusing on applications that dynamically reference external scripts. The goal is to trick the referencing function into downloading the backdoor Trojan that a remote host sends.
A study by Hosting Canada showed that managed WordPress solutions were much safer than shared web hosting. If you aren’t sure how to secure your small business site, using a solution where the hosting provider manages it for you might be the best option.
How Do They Pick the Target
Hackers do not pick their targets at random. Perpetrators scan for sites that have outdated security components or unpatched vulnerabilities, because these are what enable file injection. Once the scan turns up a vulnerable site, they install the backdoor on the underlying server. Once the backdoor is there, the nefarious individual will be able to access it at any time. This is true even if the vulnerability that made it possible to inject the backdoor is later repaired.
Hackers usually complete the infection process in two phases. The goal is to circumvent security rules that prevent the uploading of files over a certain size. The first step is installing a dropper: a small file whose whole purpose is to retrieve a bigger file from a remote location. The dropper triggers phase two, which is downloading and then installing the backdoor script on the server.
How Hackers Cover Their Tracks
We are referring to this as Neapolitan backdoor injection because, in the same way that Neapolitan ice cream has three different flavors, this type of attack hits from many different areas simultaneously. And hackers are good at covering their tracks. One technique that they use successfully is obfuscation: they alter their code so that malware scanners do not detect it.
A simple example explains how they do this. A backdoor will often call the eval function, which makes it possible to execute PHP code arbitrarily. A lot of legitimate code uses eval, and it is also something that attackers commonly use, so a scanner cannot simply flag every occurrence of it.
How do attackers get around a scanner that does look for eval? One technique you should know about is concatenation, the operation where character strings are joined end to end. For example, concatenating “base” and “ball” produces baseball. So malicious software may include the string “e” . “v” . “al”, which malware detection software looking for the literal eval would not detect. However, the server interprets it as eval.
Of course, as hackers become more creative in the way they strive to access their victims’ computers or websites, people on the security side of things also become more creative. What is an attacker’s next step if they want to avoid detection? Using multiple variations of the same code. The more diverse they can make the code, the better.
Many hackers will employ multiple variations of backdoors that don’t resemble each other at all. This is a great technique because even if you get rid of 99 backdoors but leave one on a website, the website is still going to get infected.
In addition to having a number of variations, backdoor injections take advantage of a number of different functions. You may be able to find some backdoors by performing a simple integrity check on your site. But if you dig deeper, you are likely to find more backdoor injections. They are like cockroaches. If you find one, you are sure to find others.
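The concatenation trick above is only effective against a scanner that matches literal strings. The following added example (not code from the original article) shows a detection approach: it folds adjacent PHP string literals joined with `.` back into one literal before checking for suspicious function names, so that “e” . “v” . “al” is seen as eval. The sample PHP snippets are constructed for the demonstration, and the list of suspicious names is an assumed starting point, not a complete signature set.

```python
import re
from typing import List

# A PHP single- or double-quoted string literal, honouring backslash escapes.
STR = r'(?:"(?:[^"\\]|\\.)*"|\'(?:[^\'\\]|\\.)*\')'
LITERAL = re.compile(STR)
# Two or more literals joined by the PHP concatenation operator "."
CONCAT = re.compile(rf'{STR}(?:\s*\.\s*{STR})+')

# Assumed list of names that warrant a closer look when they appear in
# uploaded PHP; legitimate code uses several of them too, so a hit is a
# triage lead, not a verdict.
SUSPICIOUS = ("eval", "base64_decode", "gzinflate", "str_rot13",
              "assert", "system", "shell_exec", "passthru")

# Constructed samples (not from the page): one benign, one using the
# concatenation trick described in the article.
BENIGN = '<?php echo "base" . "ball"; ?>'
OBFUSCATED = '<?php $f = "e" . "v" . "al"; $d = "ba" . "se64" . "_decode"; ?>'


def fold_concatenation(src: str) -> str:
    """Rewrite "e" . "v" . "al" into "eval" so literal matching can see it."""
    def join(match):
        parts = [lit[1:-1] for lit in LITERAL.findall(match.group(0))]
        return '"' + "".join(parts) + '"'
    return CONCAT.sub(join, src)


def scan(src: str, fold: bool = True) -> List[str]:
    """Return the suspicious names found in src, optionally after folding."""
    text = fold_concatenation(src) if fold else src
    hits = []
    for name in SUSPICIOUS:
        # Match the name as a whole word, whether it is a bare call or a
        # string literal that will later be used as a variable function name.
        if re.search(rf'(?<![A-Za-z0-9_]){name}(?![A-Za-z0-9_])', text):
            hits.append(name)
    return hits


if __name__ == "__main__":
    print("benign:            ", scan(BENIGN))
    print("obfuscated, naive: ", scan(OBFUSCATED, fold=False))
    print("obfuscated, folded:", scan(OBFUSCATED))
```

Run against the constructed samples, the naive scan of the obfuscated snippet reports nothing, while the folded scan reports both eval and base64_decode. Folding only handles literal-to-literal concatenation; variables, chr() sequences and encoded payloads need further normalisation, which is why the article recommends file integrity monitoring alongside signature scanning.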
How to Find Backdoors
How do you find backdoors if you are a website owner? There is no clear-cut answer to this question. To start with, you need to monitor file integrity. This includes monitoring the core files of your website, especially on WordPress. Remember that you are not going to catch all of the malicious code on your site with a simple security scan. The attacker’s job is to get around security for as long as they can, and all day, every day, dubious individuals are dedicating their time to creating new malicious code.
A good way to protect yourself is to check your server for recently modified files. An easy command that you could run to do this would be: $ find ./ -type f -mtime -15. The -mtime -15 option lists files modified within the last 15 days, which will help you see anything that has changed in the past two weeks.
Of course, the best thing that you can do is prevent an attacker from injecting the backdoors in the first place. Keep your website up to date. Use robust password protection. Keep your website behind a firewall service if you want to protect yourself from attacks.
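The find command above shows what changed recently but not what changed, and it says nothing about files whose timestamps were reset. The following added example (not code from the original article) implements the file integrity monitoring the section recommends: it records a SHA-256 baseline of the web files under a root, compares a later snapshot against it to list added, removed and modified files, and separately lists files modified within the last N days as the find command does. The demo() function builds a constructed WordPress-like tree in a temporary directory rather than touching a real site; paths and contents there are invented.

```python
import hashlib
import json
import os
import shutil
import tempfile
import time
from typing import Dict, List

# File types worth baselining on a PHP site; assumed, adjust for your stack.
WATCHED = (".php", ".js", ".htaccess")


def hash_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: str) -> Dict[str, str]:
    """Map each watched file (relative path) under root to its SHA-256."""
    baseline = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.endswith(WATCHED):
                full = os.path.join(dirpath, name)
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                baseline[rel] = hash_file(full)
    return baseline


def diff(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Compare two snapshots; new and changed files are the triage list."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline
                           if p in current and baseline[p] != current[p]),
    }


def recently_modified(root: str, days: int) -> List[str]:
    """Equivalent of `find root -type f -mtime -<days>`."""
    cutoff = time.time() - days * 86400
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.getmtime(full) > cutoff:
                hits.append(os.path.relpath(full, root).replace(os.sep, "/"))
    return sorted(hits)


def demo() -> dict:
    """Build a constructed site tree, baseline it, tamper, and report."""
    root = tempfile.mkdtemp()
    try:
        files = {
            "wp-config.php": "<?php /* constructed config */ ?>",
            "wp-content/plugins/example/example.php": "<?php /* plugin */ ?>",
            "readme.txt": "not watched",
        }
        old = time.time() - 30 * 86400          # pretend these are a month old
        for rel, body in files.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w") as f:
                f.write(body)
            os.utime(full, (old, old))
        baseline = snapshot(root)

        # Simulate tampering: one plugin file rewritten, one new PHP file dropped.
        with open(os.path.join(root, "wp-content/plugins/example/example.php"), "w") as f:
            f.write("<?php /* plugin */ /* appended by constructed tamper step */ ?>")
        os.makedirs(os.path.join(root, "wp-content/uploads"))
        with open(os.path.join(root, "wp-content/uploads/added.php"), "w") as f:
            f.write("<?php /* constructed new file */ ?>")

        return {"diff": diff(baseline, snapshot(root)),
                "recent": recently_modified(root, 15)}
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In practice you would store the baseline with json.dump somewhere the web server cannot write, refresh it only after a deliberate update, and review every added or modified file by hand; the hash comparison catches changes even when an attacker resets a file's timestamp, which the mtime-based find check alone would miss.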
Have you been a victim of backdoor injection? If so, how did you identify and resolve the threat? Let us know in the comments section below.