

Risk Level 1: Very Low

June 3, 2005
April 30, 2010 3:46:09 AM
Systems Affected:
Backdoor.Shellbot is a detection name used by Symantec to identify malicious software programs that share the primary functionality of enabling a remote attacker to have access to or send commands to a compromised computer.

Background information
In the past, malware authors were primarily motivated by notoriety and fame. They tried to create the maximum possible impact by causing widespread disruption and damage to people's lives and assets. In many of the major outbreaks of worms in the early years of the new millennium, the worms involved were designed to spread as quickly as possible. They contained little or no extra functionality beyond the ability to seek out new computers to which to spread. The worms caused damage by literally overwhelming and choking the network and computer infrastructure available, which caused systems to grind to a halt.

As the computing world evolved and new revenue generation methods appeared, it did not take the malware authors long to figure out how to redirect their efforts to make money instead of simply causing disruption. Threats such as back doors evolved out of the need to monetize the sometimes considerable efforts put into developing the malware. These Trojans are normally stealthy and do not advertise their presence on the computer. They perform their malicious activities surreptitiously and do not use up too much in the way of system resources in the hope that users will not notice any negative side effects. This is because the longer the threat can remain on the computer, the more profit the malware author can potentially make.

Back door Trojans are common because they are useful to their owners; they can allow for an open-ended list of activities. Capabilities such as being able to download and execute additional executable files give the malware authors near-limitless power over the compromised computer and endless scope for revenue generation.

In the legitimate software industry, a back door is known as a remote access application. There are many legitimate uses for these kinds of remote access applications. They give IT support organizations a powerful tool to access, troubleshoot and repair computers without needing a person to be physically present at the computer. This changed the way support organizations operated and these techniques are now commonly used. There are many examples of these kinds of applications, both commercial applications sold by legitimate software vendors as well as open source implementations. We have seen time and time again that malware authors are adept at borrowing ideas from the legitimate software industry. It therefore comes as no surprise that they have taken the idea of creating a back channel and implemented their own versions of it.

Who creates back door Trojans?
Back door Trojans are generally created by malware authors who are organized and aim to make money out of their efforts. These types of Trojans can be highly sophisticated and can require more work to implement than some of the simpler malware seen on the Internet.

What happens after the Trojan is installed?
When first installed on a computer, these kinds of Trojans typically send a message to a predetermined Internet address to indicate to the controller that the Trojan has been successfully installed. The message may include some information about the location, type, and specifications of the computer on which the Trojan is running.

The Trojan may then open a network port and listen for commands or access requests from a remote controller. During this time it may also begin to perform other predetermined activities such as gathering more information and logging keystrokes.
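One host-side check that follows from the behaviour just described is to inventory listening sockets and compare them against what the host is expected to expose. The script below is an added example, not code from the original writeup or from Symantec: it parses `ss -ltnp`-style output (the sample is constructed, not captured from a real host; the 31337/perl line stands in for a listener a back door might open), compares each listener against a hypothetical baseline of expected (port, program) pairs, and reports anything outside it, with extra reasons when the listener is owned by a generic interpreter or bound to every interface.

```python
import re

# Constructed sample of `ss -ltnp` output (not captured from a real host).
# The last line imitates a listener opened by a back door.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN  0       128     127.0.0.1:631        0.0.0.0:*          users:(("cupsd",pid=900,fd=7))
LISTEN  0       10      0.0.0.0:31337        0.0.0.0:*          users:(("perl",pid=4120,fd=5))
"""

# Hypothetical baseline: (port, program) pairs this host is expected to expose.
BASELINE = {(22, "sshd"), (631, "cupsd")}

# Generic interpreters and network tools that legitimate daemons rarely
# listen under directly; a listener owned by one of these deserves a look.
GENERIC_PROGRAMS = {"perl", "python", "python3", "sh", "bash", "nc", "ncat", "socat"}

LISTEN_RE = re.compile(
    r"^LISTEN\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+\s+"
    r'users:\(\("(?P<prog>[^"]+)",pid=(?P<pid>\d+)'
)


def parse_listeners(ss_output):
    """Return one dict per LISTEN line: local address, port, program, pid."""
    listeners = []
    for line in ss_output.splitlines():
        m = LISTEN_RE.match(line.strip())
        if m:
            listeners.append({
                "addr": m.group("addr"),
                "port": int(m.group("port")),
                "prog": m.group("prog"),
                "pid": int(m.group("pid")),
            })
    return listeners


def unexpected_listeners(ss_output, baseline=BASELINE):
    """Flag listeners that are not in the baseline, with the reasons why."""
    findings = []
    for lst in parse_listeners(ss_output):
        if (lst["port"], lst["prog"]) in baseline:
            continue
        reasons = ["not in the expected-listener baseline"]
        if lst["prog"] in GENERIC_PROGRAMS:
            reasons.append("owned by a generic interpreter or network tool")
        if lst["addr"] in ("0.0.0.0", "[::]", "*"):
            reasons.append("bound to all interfaces")
        findings.append(dict(lst, reasons=reasons))
    return findings


if __name__ == "__main__":
    for f in unexpected_listeners(SAMPLE_SS_OUTPUT):
        print(f"port {f['port']} ({f['prog']}, pid {f['pid']}): " + "; ".join(f["reasons"]))
```

Two caveats when running this for real: the program name shown by `ss` is chosen by the process and can be forged (a copy of perl renamed to "sshd" looks legitimate), so follow up each finding by inspecting `/proc/<pid>/exe` and `/proc/<pid>/cwd`; and a bot that only connects outbound to its controller opens no listener at all, so this check complements, rather than replaces, network-side monitoring.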

What can back door Trojans do?
These Trojans vary in sophistication and capabilities. Very simple examples may simply open up a remote shell (command line interface) for direct use by a remote attacker. Others may have specific operations built-in that a controller can easily invoke by sending specific commands.

The typical capabilities may allow a remote attacker to:
  • Collect information (system and personal) from the computer and any storage device attached to it
  • Terminate tasks and processes
  • Run tasks and processes
  • Download additional files
  • Upload files and other content
  • Report on status
  • Open remote command line shells
  • Perform denial of service attacks on other computers
  • Change computer settings
  • Shut down or restart the computer

Are there any tell tale signs?
Back door Trojans are generally designed for stealth, and as such will try to keep a low profile. Their activities are usually invisible to the end user and they generally do not consume a large percentage of system resources or bandwidth so as not to raise any suspicions.

Firewall logs or network monitoring tools may show traffic to or from unusual remote addresses. Unusual or unexpected connections using protocols such as IRC may indicate the presence of a back channel, particularly if the user does not normally use these means of communication. Because a back channel need not use a protocol's standard port, inspect the content of suspicious connections as well as their port numbers, and give long-lived outbound connections that carry very little data a closer look.
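The network-side check above can be turned into simple detection logic. The script below is an added example, not code from the original writeup or from Symantec: it runs over constructed connection records (not captured from any real network) that carry the destination port, byte count, duration and the first bytes of the payload, and flags a connection when it goes to a standard IRC port, when its payload starts with IRC client commands regardless of port, or when it is long-lived but nearly idle, which is how a quiet back channel tends to look. The allowlist of hosts whose users legitimately use IRC, and the thresholds, are hypothetical and would be tuned per environment.

```python
import re

# Constructed connection records, not captured from any real network.
# Fields: timestamp|source host|destination IP|destination port|bytes sent|
#         duration in seconds|first bytes of the payload (CR/LF written as \r\n)
SAMPLE_LOG = """\
2010-04-30T03:40:01|ws-017|203.0.113.10|443|18240|12|
2010-04-30T03:40:05|ws-017|198.51.100.7|6667|512|7200|NICK [x]ws017\\r\\nUSER a b c :d\\r\\n
2010-04-30T03:41:10|ws-022|198.51.100.9|8080|460|5400|NICK ws022-4120\\r\\nJOIN #x\\r\\n
2010-04-30T03:42:00|dev-irc|192.0.2.5|6697|22000|3600|CAP LS\\r\\nNICK alice\\r\\n
2010-04-30T03:43:30|ws-017|203.0.113.80|80|2200|1|GET / HTTP/1.1\\r\\n
"""

IRC_PORTS = {6665, 6666, 6667, 6668, 6669, 6697, 7000}
# IRC client registration and channel commands at the start of a payload line.
IRC_CMD_RE = re.compile(r"^(NICK|USER|PASS|CAP|JOIN|PRIVMSG|MODE)\b", re.MULTILINE)
# Hypothetical allowlist of hosts whose users legitimately use IRC.
ALLOWED_IRC_HOSTS = {"dev-irc"}
# Hypothetical thresholds for a "long-lived but nearly idle" connection.
LONG_LIVED_S = 1800
IDLE_BYTES_PER_S = 1.0


def parse_log(text):
    """Parse the pipe-separated records into dicts with typed fields."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, nbytes, dur, payload = line.split("|", 6)
        records.append({
            "ts": ts, "src": src, "dst": dst, "dport": int(dport),
            "bytes": int(nbytes), "duration": int(dur),
            # Turn the escaped line endings back into real ones for matching.
            "payload": payload.replace("\\r\\n", "\n"),
        })
    return records


def classify(rec, allowed_hosts=ALLOWED_IRC_HOSTS):
    """Return an alert dict for a suspicious record, or None."""
    reasons = []
    if rec["dport"] in IRC_PORTS:
        reasons.append("destination is a standard IRC port")
    if IRC_CMD_RE.search(rec["payload"]):
        reasons.append("payload contains IRC commands")
    # Duration is checked first so a zero-length connection never divides by zero.
    if rec["duration"] >= LONG_LIVED_S and rec["bytes"] / rec["duration"] < IDLE_BYTES_PER_S:
        reasons.append("long-lived, nearly idle connection")
    if not reasons:
        return None
    irc_like = any("IRC" in r for r in reasons)
    unexpected_host = irc_like and rec["src"] not in allowed_hosts
    if unexpected_host:
        reasons.append("host is not expected to use IRC")
    return {
        "ts": rec["ts"], "src": rec["src"], "dst": rec["dst"], "dport": rec["dport"],
        "severity": "high" if unexpected_host else "low",
        "reasons": reasons,
    }


def detect_back_channels(log_text, allowed_hosts=ALLOWED_IRC_HOSTS):
    """Run the classifier over every record and return the alerts in log order."""
    alerts = []
    for rec in parse_log(log_text):
        alert = classify(rec, allowed_hosts)
        if alert:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in detect_back_channels(SAMPLE_LOG):
        print(f"[{a['severity']}] {a['ts']} {a['src']} -> {a['dst']}:{a['dport']}: "
              + "; ".join(a["reasons"]))
```

On the sample data the second and third records are flagged high: one is plain IRC on port 6667, the other carries IRC registration commands over port 8080, which a port-only rule would miss. The dev-irc record is flagged low because the host is on the allowlist and the connection is busy rather than idle, so it is reported for review rather than treated as an incident.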

What are the risks?
Back door Trojans pose a relatively high risk of damage or loss to the user if they can remain undetected and active for a significant time. On the lower end of the scale is annoyance through the loss of bandwidth or performance due to actions performed by the Trojan (such as relaying spam emails or hosting a server for dubious content). On the upper end of the scale the risks include identity theft and the loss of money from online accounts due to the theft of login credentials. The risk from any one particular back door Trojan is time-bound, because the control channels used by the threat may only be in operation for a limited time.

What can I do to minimize the risks?
As a general rule, users should always run up-to-date antivirus software with real-time protection such as Norton Antivirus, Norton Internet Security, Norton 360 or Symantec Endpoint Protection. In addition, a firewall -- or better still, an Intrusion Prevention System (IPS) -- will help to block back channel activities initiated by these types of malicious programs. Program controls such as those found in Symantec Endpoint Protection can also help to prevent unknown programs such as these from executing in the first place.

How can I find out more?
Advanced users can submit a sample to Threat Expert to obtain a detailed report of the system and file system changes caused by a threat.


Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":

  • Use a firewall to block all incoming connections from the Internet to services that should not be publicly available. By default, you should deny all incoming connections and only allow services you explicitly want to offer to the outside world.
  • Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised.
  • Ensure that programs and users of the computer use the lowest level of privileges necessary to complete a task. When prompted for a root or UAC password, ensure that the program asking for administration-level access is a legitimate application.
  • Disable AutoPlay to prevent the automatic launching of executable files on network and removable drives, and disconnect the drives when not required. If write access is not required, enable read-only mode if the option is available.
  • Turn off file sharing if not needed. If file sharing is required, use ACLs and password protection to limit access. Disable anonymous access to shared folders. Grant access only to user accounts with strong passwords to folders that must be shared.
  • Turn off and remove unnecessary services. By default, many operating systems install auxiliary services that are not critical. These services are avenues of attack. If they are removed, threats have fewer avenues of attack.
  • If a threat exploits one or more network services, disable, or block access to, those services until a patch is applied.
  • Always keep your patch levels up-to-date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services.
  • Configure your email server to block or remove email that contains file attachments that are commonly used to spread threats, such as .vbs, .bat, .exe, .pif and .scr files.
  • Isolate compromised computers quickly to prevent threats from spreading further. Perform a forensic analysis and restore the computers using trusted media.
  • Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses. Simply visiting a compromised Web site can cause infection if certain browser vulnerabilities are not patched.
  • If Bluetooth is not required for mobile devices, it should be turned off. If you require its use, ensure that the device's visibility is set to "Hidden" so that it cannot be scanned by other Bluetooth devices. If device pairing must be used, ensure that all devices are set to "Unauthorized", requiring authorization for each connection request. Do not accept applications that are unsigned or sent from unknown sources.
  • For further information on the terms used in this document, please refer to the Security Response glossary.
Writeup By: Hon Lau and Henry Bell