Backdoor Category Description
This SonicWALL IPS signature category consists of a group of signatures that can detect and prevent traffic related to backdoor Trojans and worms on a network. Many Trojans and worms, once they compromise a system, can open a backdoor to a computer by forcing it to listen on a particular port for commands that the attacker can send remotely. Attackers can use backdoors to take control of a computer, doing everything from making it download and execute additional malware or relay spam to opening and closing its CD-ROM drive repeatedly. A backdoor connection on a network is extremely damaging and can slow down network traffic, result in the compromise of important data, and make computers unusable. A backdoor connection is always a serious threat and should be investigated immediately.
Signatures in this category detect traffic once a Trojan or worm has been installed on a compromised network computer, often called a bot or zombie. Detected traffic includes both inbound commands and outbound responses to and from infected computers, as well as communication between infected computers that may indicate that one infected machine is attempting to transmit its infection to other computers on the network. While these signatures can block such traffic and make a bot on a network largely useless for attackers, administrators should follow up by checking the computers involved for infection. Often the traffic detected will come from a rootkit, which can run in kernel mode and hide its presence from all but the best antivirus scanners. Although false positives are possible, administrators should perform thorough checks on computers involved with backdoor traffic and consider reformatting them.
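The three traffic patterns described above (inbound commands to an unexpected listener, outbound responses to the controller, and infected-to-infected spread) can be triaged from plain connection records. The following is an added example written for this page, not SonicWALL code or a SonicWALL signature; the internal range, the approved-service table and the flow records are all constructed assumptions.

```python
"""Flow-based triage of the three backdoor traffic patterns described above."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.0.0.0/8")           # assumed internal address range
ALLOWED_INBOUND = {"10.0.0.5": {443}}          # assumed: only the web server may accept inbound

# Constructed connection records: (src_ip, src_port, dst_ip, dst_port)
SAMPLE_FLOWS = [
    ("203.0.113.9", 51000, "10.0.0.5", 443),     # normal inbound to the web server
    ("203.0.113.77", 40000, "10.0.0.21", 6667),  # external host reaches a listener on 10.0.0.21
    ("10.0.0.21", 6667, "203.0.113.77", 40000),  # 10.0.0.21 answers that external controller
    ("10.0.0.21", 52001, "10.0.0.22", 6667),     # 10.0.0.21 contacts a peer on the same port
    ("10.0.0.22", 52002, "10.0.0.8", 445),       # ordinary internal file-share traffic
]

def is_internal(ip):
    return ip_address(ip) in INTERNAL

def triage(flows):
    """Return {internal_host: [finding, ...]} for the patterns the category describes."""
    findings = defaultdict(list)
    listeners = {}   # internal host -> (suspect port, external controller that reached it)
    for src, sport, dst, dport in flows:
        if not is_internal(src) and is_internal(dst):
            # Pattern 1: inbound command to a port the host is not approved to serve
            if dport not in ALLOWED_INBOUND.get(dst, set()):
                listeners[dst] = (dport, src)
                findings[dst].append(f"inbound command from {src} on port {dport}")
        elif is_internal(src) and not is_internal(dst):
            # Pattern 2: outbound response from a flagged host back to its controller
            if src in listeners and listeners[src][1] == dst:
                findings[src].append(f"outbound response to {dst}")
        else:
            # Pattern 3: flagged host contacts another internal host on the same suspect port
            if src in listeners and listeners[src][0] == dport:
                findings[src].append(f"possible propagation to {dst} on port {dport}")
                findings[dst].append(f"targeted by {src} on backdoor port {dport}")
    return dict(findings)

if __name__ == "__main__":
    for host, notes in triage(SAMPLE_FLOWS).items():
        print(host, notes)
```

Every host that appears in the result, including the peer that was only targeted, should be checked for infection rather than treated as cleared once the traffic is blocked.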
SonicWALL backdoor signatures are categorized from medium to high priority and should be kept enabled for prevention. Because this particular set of signatures is largely retroactive, administrators should use these in conjunction with SonicWALL Gateway AntiVirus signatures as well as other SonicWALL IPS signatures to close vulnerabilities that can allow Trojans and worms onto the network in the first place. Using all parts of a unified threat detection system can provide administrators with the appropriate tools to prevent, contain, and respond to serious attacks.