27 Jan 2013

Incapsula Backdoor Protection: Detect, Quarantine and Remove

Today we are happy to announce the Beta release of our new ‘Backdoor Protect’ feature that will transparently detect, isolate and disable malicious backdoors on Incapsula protected websites. This new capability was designed to address a high-profile challenge for customers that onboard Incapsula after already being compromised and infected with backdoor shells.

About Backdoor Shells - A backdoor is a malicious function that enables hackers to remotely operate the site or server for future exploitation, even after the exploit that enabled the initial access has been patched. Backdoors are used to distribute malware and spam, to perpetrate distributed denial of service (DDoS) attacks, or to assist in the theft of valuable data such as credit card numbers.

Up until today, our proactive security measures protected customer websites from being compromised, but we could not help customers that had already been hacked and infected with backdoor shells before joining Incapsula.

‘Backdoor Protect’ allowed us to change that.

For many months our security researchers have been intercepting incoming and outgoing backdoor communications and combining them with archived data to compile a very comprehensive dictionary of backdoor kit signatures. The ‘Backdoor Protect’ feature makes use of this database, together with Incapsula’s inherent ability to deny unlawful access to the website, to immediately detect and quarantine backdoors.

‘Backdoor Protect’ has already proven itself in action. A few weeks ago, while running in "silent mode", ‘Backdoor Protect’ helped us identify and isolate a malicious backdoor used for an ongoing DDoS attack against major United States banks.

How does it work?

Detection: Incapsula’s reverse proxy technology allows us to eavesdrop on all website traffic and uniquely enables us to identify backdoors not only by their HTTP signatures but also by tracing back suspicious remote commands.

Combining both methods results in much tighter, multi-dimensional detection. Even if the backdoor is entirely new or heavily modified, we will still detect it by the suspicious command strings sent to it. This also allows us to counter obfuscation and other masking techniques, simply because we are not looking for clues in the file system but instead monitoring the "raw" traffic at execution time.

Alert and Quarantine: Upon detection, Incapsula will quarantine the backdoor URL, denying access to it. We will automatically notify the website owner and provide a secured "preview-only" link to inspect the backdoor in action. In addition to the preview link, Incapsula will also provide the path to the original backdoor file, enabling quick and easy manual removal. As with our other security features, the action taken can be customized, with options including 'Auto-Quarantine', 'Alert Only' and the ill-advised 'Ignore'. You can also permanently whitelist backdoor files, but if you do, you’re doing it at your own risk.
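To illustrate the two-method detection and the quarantine step described above, here is a small added example (not Incapsula’s code): a reverse-proxy-style check over one HTTP request that combines a known-backdoor path signature with a scan of parameter values for command strings, then applies the configured action. The signature list, command patterns and sample URLs are constructed for the example, not taken from the real signature dictionary.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed signature list for this example (the real feature uses a large
# dictionary of backdoor kit signatures that is not reproduced here).
KNOWN_BACKDOOR_PATHS = {"/images/c99.php", "/wp-content/uploads/up.php"}

# Command-like strings that a legitimate web form is very unlikely to submit.
# Matching on what is SENT to the script, not on the file, is what catches a
# renamed or obfuscated shell.
COMMAND_PATTERNS = [re.compile(p, re.I) for p in (
    r"\b(uname|whoami|wget|curl)\b",                 # shell commands
    r"(base64_decode|eval|system|passthru)\s*\(",    # PHP execution primitives
)]

quarantined = set()   # URLs denied once 'auto-quarantine' has fired


def _path_and_values(url, body):
    """Split a request into its path and every query/body parameter value."""
    parts = urlsplit(url)
    values = [v for vs in parse_qs(parts.query).values() for v in vs]
    values += [v for vs in parse_qs(body or "").values() for v in vs]
    return parts.path, values


def inspect_request(url, body="", action="alert-only"):
    """Return (blocked, reasons) for one request under the given action:
    'auto-quarantine', 'alert-only' or 'ignore'."""
    path, values = _path_and_values(url, body)
    if path in quarantined:                 # already isolated: deny access
        return True, ["quarantined"]
    reasons = []
    if path in KNOWN_BACKDOOR_PATHS:        # method 1: HTTP/path signature
        reasons.append("signature:" + path)
    for value in values:                    # method 2: suspicious commands
        for pattern in COMMAND_PATTERNS:
            if pattern.search(value):
                reasons.append("command:" + pattern.pattern)
    if not reasons or action == "ignore":
        return False, reasons
    if action == "auto-quarantine":
        quarantined.add(path)               # future requests to it are denied
        return True, reasons
    return False, reasons                   # alert-only: notify, let it pass
```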

Available to all Incapsula Customers

While in Beta, ‘Backdoor Protect’ will be available free of charge in all Incapsula plans, to all of our customers.

‘Backdoor Protect’ will be activated on all accounts and set to 'Alert' by default. This can be changed to 'Auto-Quarantine' from the WAF area within your Incapsula account.

Up until now, Incapsula offered proactive security solutions. Today, with ‘Backdoor Protect’ in place, we are also able to provide instant, reactive mitigation, offering true 360-degree website protection.