Backdoor.Shellbot is a detection name used by Symantec to identify malicious software programs that share the primary functionality of enabling a remote attacker to have access to or send commands to a compromised computer.

Background information
In the past, malware authors were primarily motivated by notoriety and fame. They tried to create the maximum possible impact by causing widespread disruption and damage to people's lives and assets. In many of the major outbreaks of worms in the early years of the new millennium, the worms involved were designed to spread as quickly as possible. They contained little or no extra functionality beyond the ability to seek out new computers to which to spread. The worms caused damage by literally overwhelming and choking the network and computer infrastructure available, which caused systems to grind to a halt.
As the computing world evolved and new revenue generation methods appeared, it did not take the malware authors long to figure out how to redirect their efforts to make money instead of simply causing disruption. Threats such as back doors evolved out of the need to monetize the sometimes considerable efforts put into developing the malware. These Trojans are normally stealthy and do not advertise their presence on the computer. They perform their malicious activities surreptitiously and do not use up too much in the way of system resources in the hope that users will not notice any negative side effects. This is because the longer the threat can remain on the computer, the more profit the malware author can potentially make.
Back door Trojans are common because they are useful to their owners; they can allow for an open-ended list of activities. Capabilities such as being able to download and execute additional executable files give the malware authors near-limitless power over the compromised computer and endless scope for revenue generation.
In the legitimate software industry, a back door is known as a remote access application. There are many legitimate uses for these kinds of remote access applications. They give IT support organizations a powerful tool to access, troubleshoot and repair computers without needing a person to be physically present at the computer. This changed the way support organizations operated and these techniques are now commonly used. There are many examples of these kinds of applications, both commercial applications sold by legitimate software vendors as well as open source implementations. We have seen time and time again that malware authors are adept at borrowing ideas from the legitimate software industry. It therefore comes as no surprise that they have taken the idea of creating a back channel and implemented their own versions of it.

Who creates back door Trojans?
Back door Trojans are generally created by malware authors who are organized and aim to make money out of their efforts. These types of Trojans can be highly sophisticated and can require more work to implement than some of the simpler malware seen on the Internet.

What happens after the Trojan is installed?
When first installed on a computer, these kinds of Trojans typically send a message to a predetermined Internet address to indicate to the controller that the Trojan has been successfully installed. The message may include some information about the location, type, and specifications of the computer on which the Trojan is running.
The Trojan may then open a network port and listen for commands or access requests from a remote controller. During this time it may also begin to perform other predetermined activities such as gathering more information and logging keystrokes.

What can back door Trojans do?
These Trojans vary in sophistication and capabilities. Very simple examples may simply open up a remote shell (command line interface) for direct use by a remote attacker. Others may have specific operations built-in that a controller can easily invoke by sending specific commands.
The typical capabilities may allow a remote attacker to:
- Collect information (system and personal) from the computer and any storage device attached to it
- Terminate tasks and processes
- Run tasks and processes
- Download additional files
- Upload files and other content
- Report on status
- Open remote command line shells
- Perform denial of service attacks on other computers
- Change computer settings
- Shut down or restart the computer
Are there any tell-tale signs?
Back door Trojans are generally designed for stealth, and as such will try to keep a low profile. Their activities are usually invisible to the end user and they generally do not consume a large percentage of system resources or bandwidth so as not to raise any suspicions.
Firewalls or network monitoring tools may show network traffic to or from unusual remote addresses. Unusual or unexpected network connections using protocols such as IRC may indicate the presence of a back channel, particularly if the user does not normally use these means of communication.
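The two signs named above (connections on IRC ports and repeated contact with one unusual remote address) can be checked mechanically against a firewall or connection log. The following Python script is an added example written for this page, not code from Symantec or from any tool the page mentions. It parses a constructed log format (timestamp, source, destination, destination port, protocol), flags connections to ports commonly associated with IRC, and looks for near-constant-interval "beaconing" from one host to one remote endpoint. The port list, the log format and the sample lines are all assumptions chosen for illustration and would be tuned to the real environment.

```python
"""Flag possible back-channel activity (IRC ports, periodic beaconing) in a connection log.

Added example for illustration only; the log format and the sample lines below
are constructed, not taken from any real system.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log: one connection per line.
# Format (assumed): <ISO timestamp> <src ip> <dst ip> <dst port> <proto>
SAMPLE_LOG = """\
2024-03-01T10:00:00 192.168.1.20 93.184.216.34 443 TCP
2024-03-01T10:00:05 192.168.1.20 198.51.100.7 6667 TCP
2024-03-01T10:01:00 192.168.1.20 93.184.216.34 443 TCP
2024-03-01T10:05:05 192.168.1.20 198.51.100.7 6667 TCP
2024-03-01T10:10:05 192.168.1.20 198.51.100.7 6667 TCP
2024-03-01T10:12:00 192.168.1.21 203.0.113.9 8080 TCP
2024-03-01T10:15:05 192.168.1.20 198.51.100.7 6667 TCP
"""

# Ports commonly associated with IRC (assumption: 194 is the IANA-registered port,
# 6660-6669 the usual plaintext range, 6697 IRC over TLS, 7000 a frequent alternate).
IRC_PORTS = {194, 6660, 6661, 6662, 6663, 6664, 6665, 6666, 6667, 6668, 6669, 6697, 7000}

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+) (\S+)$")


def parse_log(text):
    """Parse log lines into event dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, src, dst, dport, proto = m.groups()
        events.append({
            "ts": datetime.fromisoformat(ts),
            "src": src,
            "dst": dst,
            "dport": int(dport),
            "proto": proto,
        })
    return events


def irc_connections(events):
    """Return every connection whose destination port is in the IRC port set."""
    return [e for e in events if e["dport"] in IRC_PORTS]


def beacon_candidates(events, min_count=4, tolerance=0.1):
    """Find (src, dst, dport) tuples contacted repeatedly at a near-constant interval.

    A group is reported when it has at least `min_count` connections and every
    gap between consecutive connections is within `tolerance` (fraction) of the
    mean gap. Regular check-ins like this are the 'phone home' pattern the
    article describes; legitimate software can also do it, so this is a lead,
    not a verdict.
    """
    groups = defaultdict(list)
    for e in events:
        groups[(e["src"], e["dst"], e["dport"])].append(e["ts"])

    findings = []
    for (src, dst, dport), stamps in groups.items():
        if len(stamps) < min_count:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = sum(gaps) / len(gaps)
        if mean > 0 and max(abs(g - mean) for g in gaps) <= tolerance * mean:
            findings.append({
                "src": src, "dst": dst, "dport": dport,
                "count": len(stamps), "interval_s": mean,
            })
    return findings


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    for e in irc_connections(evts):
        print(f"IRC-port connection: {e['src']} -> {e['dst']}:{e['dport']} at {e['ts']}")
    for f in beacon_candidates(evts):
        print(f"Beacon candidate: {f['src']} -> {f['dst']}:{f['dport']} "
              f"x{f['count']} every {f['interval_s']:.0f}s")
```

On the sample log the script reports the four 6667/TCP connections and one beacon candidate (192.168.1.20 to 198.51.100.7:6667 every 300 seconds); the two HTTPS connections and the single 8080 connection are left alone. Either finding is a prompt to look at which process on the source host owns the connection, not proof of infection on its own.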
Back door Trojans pose a relatively high risk of damage or loss to the user if they can remain undetected and active for a significant time. On the lower end of the scale is annoyance through the loss of bandwidth or performance due to actions performed by the Trojan (such as relaying spam emails or hosting a server for dubious content). On the upper end of the scale the risks include identity theft and the loss of money from online accounts due to the theft of login credentials. The risk from any one particular back door Trojan is time bound due to the fact that control channels used by the threat may only be in operation for a limited time.

What can I do to minimize the risks?
As a general rule, users should always run up-to-date antivirus software with real-time protection such as Norton Antivirus, Norton Internet Security, Norton 360 or Symantec Endpoint Protection. In addition, a firewall -- or better still, an Intrusion Prevention System (IPS) -- will help to block back channel activities initiated by these types of malicious programs. Program controls such as those found in Symantec Endpoint Protection can also help to prevent unknown programs such as these from executing in the first place.

How can I find out more?
Advanced users can submit a sample to Threat Expert to obtain a detailed report of the system and file system changes caused by a threat.
Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":