A Backdoor or not a Backdoor?

25 Sep 2000
Virus News

Why are some of the remote administration programs being called "backdoors"?

As you know, one of the most frequently encountered kinds of malicious program is the "Trojan horse." Just like their ancient namesake, "Trojan horses" intrude into PCs under the disguise of a harmless program, attracting users with some unique functionality. Until recently, few people could resist opening a file that promised to considerably improve processor capacity without any additional expense on hardware upgrades. There is no need to point out that, more often than not, "Trojan horses" were hidden under the guise of such programs and, rather than delivering "too good to be true" benefits, acted maliciously.

However, the situation has now completely changed: even a novice user is unlikely to be deceived this way, because everyone has heard about "Trojan horses." The spectrum of effects produced by "Trojan horses" is extremely wide, and their classification may seem to some people as complicated as the periodic table of the elements. The most frequently occurring and most dangerous of these malicious programs belong to a group of utilities that enable unauthorised remote administration, the so-called backdoors.

A backdoor intrudes into a PC and imperceptibly opens it to remote administration. This gives a third party full control of the infected computer: creating, copying, reading or deleting any files or directories; tracking the user's work; acting illegally on the user's behalf; controlling bank accounts, and so on. The spectrum of what can be achieved is limited only by the imagination of the "Trojan horse" writer.

An installed backdoor can be detected with an anti-virus scanner, or by installing a firewall that monitors which of the computer's ports are in use.

The main problem is how to determine whether a remote administration program is legitimate or whether it is a backdoor. What is the difference between the infamous "Trojan horse" "Back Orifice" (BO) and the well-known utility "pcAnywhere"? At first glance, both programs appear to use the same principles to provide remote administration. Why, then, do anti-virus utilities classify only one of them as a malicious program? The answer is simple: the deciding factor is not the functionality, but rather the installation procedure and how visible and obvious the program's presence is in the system.

Let's consider the problem from this point of view. The installation of a full-function remote administration utility is accompanied by several interactive windows, a license agreement, and graphical feedback on the progress of the process. A backdoor, however, installs itself quietly and invisibly. After the installation file starts, no message appears on the screen that would directly inform the user of the installation. On the contrary, decoy messages designed to confuse are often displayed to distract the user's attention.

While working on an infected PC, a backdoor does not give any sign of its presence. It is invisible on the taskbar, in the system tray and, in many cases, even on the active process list.

This means remote access can be gained, and actions performed on the computer, while remaining absolutely imperceptible to the user. Legitimate remote administration tools always give some signal of their activity, either in the system tray or on the taskbar, and they practically always appear in the active process list or among the services.

Lastly, any full product has an Uninstall option, located in the program tree, which may be used at any time. Backdoors, on the other hand, can be removed only by an anti-virus utility or by "surgical intervention": manually searching for and deleting them. For these reasons, some utilities that claim to be full commercial products are classified as backdoors.
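The criteria above (a listening port whose owning program shows nothing on the taskbar or in the tray, is not a service, or has no Uninstall entry) can be applied as a triage rule over a host inventory. The following Python script is an added example, not code from the original article or from Kaspersky Lab; all process names, PIDs and ports in it are constructed, and it assumes the inventory is collected beforehand with the platform's own tools (port-to-PID listing, process listing, and the list of installed programs).

```python
"""Flag listening ports whose owning program is hidden in the ways the article describes."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Listener:
    port: int
    pid: int            # PID that owns the listening socket (from a port-to-PID listing)


@dataclass(frozen=True)
class Process:
    pid: int
    image: str          # executable name as shown in the process list
    has_window: bool    # visible on the taskbar or in the system tray
    is_service: bool    # registered as a service, so it appears in the services list


def triage(listeners, processes, uninstall_images):
    """Return {port: [reasons]} for every listener whose owner fails a visibility test.

    uninstall_images: executable names that belong to a program with an Uninstall entry.
    """
    by_pid = {p.pid: p for p in processes}
    uninstall = {img.lower() for img in uninstall_images}
    findings = {}
    for lst in listeners:
        reasons = []
        proc = by_pid.get(lst.pid)
        if proc is None:
            # Socket owner is not in the process list at all: hidden process.
            reasons.append("owning PID not in process list")
        else:
            if not (proc.has_window or proc.is_service):
                reasons.append("no taskbar/tray presence and not a service")
            if proc.image.lower() not in uninstall:
                reasons.append("no Uninstall entry")
        if reasons:
            findings[lst.port] = reasons
    return findings


# Constructed sample inventory: one visible remote-admin host, one hidden listener,
# and one socket whose owning PID does not appear in the process list.
SAMPLE_PROCESSES = [
    Process(1200, "rahost.exe", has_window=True, is_service=True),   # hypothetical legit tool
    Process(2031, "sysupd.exe", has_window=False, is_service=False), # hypothetical hidden tool
]
SAMPLE_LISTENERS = [Listener(5001, 1200), Listener(21000, 2031), Listener(4444, 9999)]
SAMPLE_UNINSTALL = ["rahost.exe"]

if __name__ == "__main__":
    for port, why in sorted(triage(SAMPLE_LISTENERS, SAMPLE_PROCESSES, SAMPLE_UNINSTALL).items()):
        print(f"port {port}: {'; '.join(why)}")
```

Run on the constructed sample it reports ports 21000 and 4444 and stays silent on 5001, which is the distinction the article draws between pcAnywhere-style tools and backdoors.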

The position of Kaspersky Lab Int. is clear: although these programs may be used for authorised remote administration, the user has to be informed of the presence of such utilities on his/her computer. If the user is aware of the program's presence, a message reporting its detection will hardly confuse him/her. If, however, a backdoor has been installed illegally, silence on the part of the anti-virus program can only be considered a disregard for user security.