Newly Discovered CowerSnail Backdoor Targets Windows Computers

Discussion in 'malware problems & news' started by itman, Jul 26, 2017.

  1. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    https://www.bleepingcomputer.com/ne...owersnail-backdoor-targets-windows-computers/
     
  2. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    http://www.securityweek.com/new-windows-backdoor-linked-sambacry-linux-malware
     
  3. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    Current VT detection is 40/63, with most of the major AVs detecting by signature. Also, as is common with backdoors, none of the AI/Next Gen solutions are detecting it.

    MD5: 5460AC43725997798BAB3EB6474D391F
     
    Last edited: Jul 26, 2017
  4. RockLobster

    RockLobster Registered Member

    Joined:
    Nov 8, 2007
    Posts:
    1,812
    Of course they're not detecting it. If AVs detected backdoors opened on the system, it would blow the lid off all kinds of things that, as a user, you're not supposed to be aware of.
     
  5. RockLobster

    RockLobster Registered Member

    Joined:
    Nov 8, 2007
    Posts:
    1,812
    I think over the past 20 years Microsoft made attempts to make Windows a more secure environment that were opposed by the big corporate software devs who wanted to install hidden functionality.
     
  6. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    AVs detect backdoors by signature; it is the only way they can be detected. For a signature to be developed, the backdoor has to be discovered first, of course. Behavior analysis is ineffective against a backdoor since, in themselves, they do nothing malicious other than establish a remote network connection.
     
  7. RockLobster

    RockLobster Registered Member

    Joined:
    Nov 8, 2007
    Posts:
    1,812
    So you think AVs cannot be coded to recognise when a new process is doing something suspicious like opening ports or accessing private data, contacts, pictures, security credentials, and say "hmmmm, let's check this out"? What is the name of the executable, is it signed and by whom?
    What application is it part of, was this executable installed at the same time as the application?
    Is that a known application?
    Is it connecting to a known domain? Is that the domain of the application developer? If not, then whois that domain?
    Let's check the executable against the database of known executables: does its signature, file size, checksum match?
    Hmmm, this process is very suspicious; let's alert the user about this and ask them to upload it to us for analysis.
    The old "malware can only be identified by definition files" story is what they want you to think. It is as bogus today as it always has been. More so, in fact, with today's computers so much more powerful and vastly increased internet bandwidth.
     
  8. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    Backdoor attacks: How they work and how to protect against them
    http://blog.trendmicro.com/backdoor-attacks-work-protect/

    Note: The Trend Micro product referenced is an AI/Machine Learning scanner specifically "tuned" to detect the activity noted.
     
    Last edited: Jul 26, 2017
  9. RockLobster

    RockLobster Registered Member

    Joined:
    Nov 8, 2007
    Posts:
    1,812
    Yeah, well, they are going to call it something fancy like AI.
    If antivirus had plugins I could code one to do everything I said and a lot more while watching TV and eating ice cream. All the back end stuff is already there and has been for years: netstat, Process Explorer, access controls, etc. Known-executable databasing would be best performed by antivirus corporate servers, as would requests for confirmation of whether that executable had already been identified as benign, etc.
    But the overall approach I described could have been implemented years ago and has nothing to do with AI.
    It's simply a matter of building an if/else tree to see if it passes or fails tests that create suspicion, if it is already known to be safe, etc.
    They are all stuck trying to perform a juggling act between alerting the user to what they consider malware without accidentally alerting the user to what you might call corporate "hidden functionality".
     
    Last edited: Jul 26, 2017
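    A sketch of the "if/else tree" of suspicion checks described in posts 7 and 9 (signer, known-executable database, installer correlation, listening ports, expected domains, credential access), run over constructed process telemetry. This is an added example, not code from the thread or from any vendor; every hash, publisher name, domain and weight in it is a made-up placeholder.

```python
# Added example: heuristic suspicion scoring for a process event, in the spirit
# of the checks described in the thread. All reference data is constructed.
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed allow-lists a vendor back end might hold (placeholders, not real).
KNOWN_GOOD_SHA256 = {"aaaa" * 16: "Contoso Updater 4.2"}
TRUSTED_SIGNERS = {"Contoso Ltd", "Microsoft Windows"}
APP_DOMAINS = {"Contoso Updater 4.2": {"update.contoso.example"}}

@dataclass
class ProcessEvent:
    image: str                    # executable path
    sha256: str                   # hash of the executable
    signer: Optional[str]         # Authenticode signer, None if unsigned
    listens: List[int]            # ports the process started listening on
    connects_to: List[str]        # destination hostnames
    reads_credentials: bool       # touched a credential store
    installed_with: Optional[str] # application whose installer dropped it

def score_event(ev: ProcessEvent) -> Tuple[int, List[str]]:
    """Walk the checks in order; each failed check adds weight and a reason."""
    score, reasons = 0, []
    app = KNOWN_GOOD_SHA256.get(ev.sha256)
    if app:
        reasons.append(f"hash matches known executable {app}")
    else:
        score += 3; reasons.append("hash not in known-executable database")
    if ev.signer is None:
        score += 2; reasons.append("unsigned")
    elif ev.signer not in TRUSTED_SIGNERS:
        score += 1; reasons.append(f"signed by unrecognised publisher {ev.signer}")
    if app is None and ev.installed_with is None:
        score += 1; reasons.append("not dropped by any known installer")
    if ev.listens:
        score += 2; reasons.append(f"opened listening port(s) {ev.listens}")
    expected = APP_DOMAINS.get(app, set())
    for host in ev.connects_to:
        if host not in expected:
            score += 2; reasons.append(f"connects to unexpected domain {host}")
    if ev.reads_credentials:
        score += 3; reasons.append("reads credential store")
    return score, reasons

def verdict(ev: ProcessEvent, threshold: int = 5) -> str:
    """Anything at or above the threshold is flagged for the user and for upload."""
    score, _ = score_event(ev)
    return "suspicious: alert user, submit for analysis" if score >= threshold else "benign"
```

    Weights and threshold are arbitrary; in a real product they would be tuned against telemetry and the allow-lists would be served by the vendor back end, as post 9 suggests.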
  10. NormanF

    NormanF Registered Member

    Joined:
    Feb 20, 2009
    Posts:
    2,882
    The problem is telling legitimate backdoors apart from illicit ones. Most people can't.

    Lots of software applications phone home.
     
  11. RockLobster

    RockLobster Registered Member

    Joined:
    Nov 8, 2007
    Posts:
    1,812
    Yes, they do, and even though people usually can't, the implementation I described above could. The problem is I don't have the resources to build such applications, or the time, or the funding. If I did I would be very unpopular in the corporate world, because my security software implementation would not only blow all the competition out of the water, it would expose corporate spyware that phones home and allow the user to block it, as would my web browser, which would have all the TLS ciphers in a drop-down. Check or uncheck the ones you want. Website IP address pinning along with cert pinning to avoid DNS lookups for often-used websites and to break most MITM attacks. They can spoof a DNS lookup response to direct you to a MITM server a lot more easily than they can spoof a direct connection to a real IP address.
    All the coverage of MITM attacks, yet how many of your supposed security vendors told you that?
    Also, no phoney ad-server blockers: my browser would by default not make connections to third-party domains unless the user actively clicks a link to one. Blocked third-party domain connections visible in a drop-down, to be unblocked if required. All that and more should be standard stuff in a web browser.
     
    Last edited: Jul 27, 2017