BACKDOORS

One way that cybercriminals can access a server is by using a backdoor. Once they install it, a backdoor allows hackers to bypass typical security measures and access the victim’s server whenever they want. Even if the initial security threat is stopped, the hacker can use the backdoor to control the server without having to start the attack cycle again.  

Backdoors are often used in targeted web attacks, including backdoors installed on compromised WordPress sites.

Once a hacker has control over your server through a backdoor, they will make it part of their botnet and begin using your server resources to carry out attacks on other devices. This not only takes resources from your server functions; it also puts your server at risk of being blacklisted as a malicious IP.

Symptoms


  • Server gets blacklisted
  • Outgoing spam
  • Google alerts (phishing/malware content) on websites
  • Outbound attacks
  • Suspicious files on the server
  • High resource usage

THE POWER OF BITNINJA MALWARE DETECTION

Backdoors are typically installed as malware and provide access to the server so the attacker can use the server’s resources. It’s essential to block and remove the malware file as soon as possible to prevent the attacker from creating further backdoors in the system.

Hackers’ techniques are constantly evolving, and they have been deploying malware that is obfuscated to look like normal system files. Traditional malware detection methods are ineffective against these new threats. That’s why we invented a new resource-friendly approach that can detect obfuscated malware upload attempts while keeping a very low false positive rate. The unique technology behind our Malware Detection module is patent pending.

The BitNinja Malware Detection module detects infected files and goes a step further, placing them in quarantine to prevent any further damage to your server. 


How is it different from other malware detection solutions?

STRUCTURE ANALYSIS

The BitNinja Malware Detection module combines the most advanced techniques for analysis. Our industry-first approach to malware detection is patent pending. (Read our FAQ to learn more.)

OBFUSCATED CODE DETECTION

The latest threat to server security is obfuscated malware. Traditional malware detection can’t find these infected files. BitNinja will read the code structure and even deobfuscate the code to find hidden malware.

RESOURCE-FRIENDLY

BitNinja uses two-level caching: it stores the results of the malware analysis in memory and in a database cache. We also use the latest techniques to reduce resource usage: Auditd file monitoring and the Aho-Corasick multi-pattern matching algorithm.

QUICK FULL SCAN

When a new pattern is added to the Malware Detection module, the full scan can run incredibly fast without reading all the files again. This reduces resources and locates emerging threats quickly.

DEFENSE ROBOT

Detecting and removing malware from the server is often not enough. Unlike other solutions, the BitNinja Defense Robot will automatically find the source of the infection. The attacker IP will be blocked, and the abused domain/URI will be automatically “honeypotified”.

AUTO-HONEYPOT SYSTEM

The “honeypotify” function will automatically create a honeypot that captures any attacks. Replacing the backdoor with a web honeypot is an effective way to catch attackers who are searching for vulnerabilities on your servers.

CROWD-SOURCED MALWARE DATABASE

There is power in numbers! One of the biggest benefits of the BitNinja Malware Detection module is our malware database, powered by thousands of BitNinja-protected servers. This enables us to protect all servers running BitNinja against zero-day attacks much earlier.

CUSTOM MALWARE SIGNATURES

You can add custom malware patterns to your database. When you add one on one server, the change is applied to all of your servers too. Managing custom signatures is easy with BitNinja. After you implement a new signature, it starts in “log only” mode. It becomes active only after you confirm the result, so you can safely add new malware patterns without any adverse effects.

WHY DO OUR USERS LOVE THIS MODULE?

“Outdated WordPress installs and plugins caused the most grief, leading to malware and phishing files on customer accounts. The reason for this is largely due to the growing sophistication of the attacks, making them increasingly difficult to detect. To fix this, we tried integrating Patchman on our servers. As opposed to Patchman, BitNinja does more than virtual-patch known CMS vulnerabilities. BitNinja provides protection for the whole server on every protocol against a wide range of cyber-attacks. It is literally a one-stop 360-degree security solution.”

Elena Tileva

FastComet

“As we offer managed and unmanaged services, the challenge for us was to protect both services. For the managed servers all security updates were done on time which was not the case with the unmanaged servers as customers usually don’t update them. We were getting a lot of complaints about website hacking, code injections, vulnerability exploits or compromised mail servers sending out spam and getting blacklisted, so we needed to find a way to protect them, and fast. That’s when we started using BitNinja and all complaints stopped. Our customers experienced reduced load on the servers, and we have not had a single hacking incident since then.”

Demetris Valiandes

Valicom Net Cloud Services

“In the past my server was continuously getting hacked and infected with malware. Just when I thought I cleaned the files and patched the holes more infections popped up! I lost a few good customers because of this and needed a solution fast! BitNinja pops up with an email explaining that my IP address was greylisted for sending out spam which came from one of the websites on my server. I decided to give them a try. Now, my sites are cleaned up and BitNinja stopped ALL the attacks on my server. One NEVER got through yet.”

Michael Rock

The Internet Presence, LLC

FREQUENTLY ASKED QUESTIONS

Will I get a report or alert when BitNinja finds malware on my server?

Yes, you can get daily and weekly email reports about malware detected on your server. If you use Slack, you can also get instant alerts about infected files through our Slack integration.

How frequently do you update the malware signature database?

We are continuously adding new malware patterns to the BitNinja Malware Detection module. Our patent-pending Structure Analysis technology keeps the database up to date on the latest threats. BitNinja users can also add custom signatures to the database, so all BitNinja protected servers have an extra layer of security from the power of crowdsourcing.

Can I add my own malware signatures?

Yes, and we also encourage you to do it if you find malware. You can easily add new patterns from the BitNinja Dashboard or in the CLI. Don’t worry, the newly added signatures will start in “Log only” mode and they’ll be active only after you confirm the results in the Dashboard. This keeps our crowd-sourced malware database safe and provides a powerful shield against emerging threats.

How can I restore a file from quarantine in case of a false positive?

Our Malware Detection module has a very low false positive rate, but in the rare event BitNinja labels a suspicious file as malware, you can easily restore it from quarantine. It’s only one click in the BitNinja Dashboard or a simple command in the CLI: bitninjacli --restore=/path/to/file

How long does it take to run a full scan on a server?

The first full malware scan on your server can take longer because BitNinja has to thoroughly examine all the files on the server. It is recommended to run the first full malware scan as soon as possible, to clean the server of previous infections. After the first full scan, we use two-level caching, so subsequent full scans take much less time.

It’s hard to estimate the average running time for a full scan, because every server is different, and a lot of factors affect how long the scan takes. However, in most cases, after the first full malware scan, BitNinja Malware Detection can check 8,000-15,000 files/sec by using the two-level caching.

Can I whitelist/exclude a path or a file from the BitNinja Malware Detection module?

Yes. If you don’t want a file or path to be monitored by the BitNinja Malware Detection module, you can whitelist it in the configuration or simply use this CLI command: bitninjacli [--module=MalwareDetection] [--whitelist-file=/path/to/file]

What kind of file change monitoring system is used?

We use two kinds of tools to check the file changes on your server:

  • Inotify 
  • Auditd

You can read more about them in this article.
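Auditd is the second of the two monitoring tools named above. The following added example, which is not BitNinja’s code, shows what a detection pipeline does with the records auditd produces: it joins the SYSCALL and PATH records that share one audit serial number, keeps only successful writes under the web root, and prioritises script files written by the web server’s own uid, since a request handler creating a new PHP file is the classic upload-backdoor pattern. The log excerpt is constructed (field lists shortened) and assumes a watch rule of the form `auditctl -w /var/www/html -p wa -k webroot_write`; the uid 33 and the `webroot_write` key are assumptions of the example.

```python
import re
from collections import defaultdict

HDR = re.compile(r"^type=(\w+) msg=audit\(([\d.]+):(\d+)\):\s*(.*)$")
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')
SCRIPT_EXT = (".php", ".phtml", ".phar", ".php5", ".php7")

# Constructed audit.log excerpt: three successful writes and one failed open.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1700000000.101:4201): arch=c000003e syscall=257 success=yes exit=5 items=2 pid=2345 uid=33 gid=33 comm="php-fpm7.4" exe="/usr/sbin/php-fpm7.4" key="webroot_write"
type=CWD msg=audit(1700000000.101:4201): cwd="/var/www/html"
type=PATH msg=audit(1700000000.101:4201): item=0 name="/var/www/html/wp-content/uploads/" inode=1001 mode=040755 nametype=PARENT
type=PATH msg=audit(1700000000.101:4201): item=1 name="/var/www/html/wp-content/uploads/img.jpg.php" inode=1002 mode=0100644 nametype=CREATE
type=SYSCALL msg=audit(1700000000.102:4202): arch=c000003e syscall=257 success=yes exit=5 items=2 pid=2345 uid=33 gid=33 comm="php-fpm7.4" exe="/usr/sbin/php-fpm7.4" key="webroot_write"
type=PATH msg=audit(1700000000.102:4202): item=0 name="/var/www/html/wp-content/uploads/" inode=1001 mode=040755 nametype=PARENT
type=PATH msg=audit(1700000000.102:4202): item=1 name="/var/www/html/wp-content/uploads/photo.jpg" inode=1003 mode=0100644 nametype=CREATE
type=SYSCALL msg=audit(1700000000.103:4203): arch=c000003e syscall=257 success=no exit=-13 items=1 pid=2345 uid=33 gid=33 comm="php-fpm7.4" exe="/usr/sbin/php-fpm7.4" key="webroot_write"
type=PATH msg=audit(1700000000.103:4203): item=0 name="/var/www/html/wp-config.php" inode=1004 mode=0100640 nametype=NORMAL
type=SYSCALL msg=audit(1700000000.104:4204): arch=c000003e syscall=257 success=yes exit=4 items=1 pid=999 uid=0 gid=0 comm="rsync" exe="/usr/bin/rsync" key="webroot_write"
type=PATH msg=audit(1700000000.104:4204): item=0 name="/var/www/html/index.php" inode=1005 mode=0100644 nametype=NORMAL
"""


def parse_fields(rest):
    """key=value pairs of one record; quoted values are unquoted."""
    return {k: v.strip('"') for k, v in KV.findall(rest)}


def group_events(lines):
    """Join the SYSCALL and PATH records that share one audit serial number."""
    events = defaultdict(lambda: {"syscall": None, "paths": []})
    for line in lines:
        m = HDR.match(line.strip())
        if not m:
            continue
        rtype, _ts, serial, rest = m.groups()
        if rtype == "SYSCALL":
            events[int(serial)]["syscall"] = parse_fields(rest)
        elif rtype == "PATH":
            events[int(serial)]["paths"].append(parse_fields(rest))
    return events


def file_writes(log_text, webroot, web_uid, key="webroot_write"):
    """One record per file created or modified under webroot by a successful,
    watched syscall. Script files written by the web server's own uid get
    'high' priority: a request handler should not be dropping new PHP files."""
    out = []
    base = webroot.rstrip("/") + "/"
    for serial, ev in sorted(group_events(log_text.splitlines()).items()):
        sc = ev["syscall"]
        if not sc or sc.get("success") != "yes" or sc.get("key") != key:
            continue
        uid = int(sc.get("uid", -1))
        for p in ev["paths"]:
            name = p.get("name", "")
            if p.get("nametype") not in ("CREATE", "NORMAL") or not name.startswith(base):
                continue
            script = name.lower().endswith(SCRIPT_EXT)
            out.append({"serial": serial, "path": name, "uid": uid, "exe": sc.get("exe"),
                        "created": p["nametype"] == "CREATE",
                        "priority": "high" if script and uid == web_uid else "normal"})
    return out


if __name__ == "__main__":
    for rec in file_writes(SAMPLE_LOG, "/var/www/html", 33):
        print(rec["priority"], rec["path"], "by uid", rec["uid"], rec["exe"])
```

Each returned record is what a real-time module would hand to the scanner: the new `img.jpg.php` written by the PHP worker is scanned first, the image upload and the root deployment of `index.php` are scanned at normal priority, and the failed open of `wp-config.php` produces no work at all.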

What kinds of methods are used for detecting malware?

We use MD5 hashes, substring patterns and rule-based patterns; however, these traditional methods are not always effective against the latest generation of hidden malware. In order to detect obfuscated malware, we use code structure and code structure snippet analysis technology. When necessary, BitNinja will automatically deobfuscate suspicious code in an isolated sandbox malware lab hosted by us. The Structure Analysis technology behind our malware detection is patent pending.
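Hash and substring signatures fail on obfuscated code because every sample has different bytes, which is why the answer above mentions structure analysis and deobfuscation. The added example below is not BitNinja’s code and does not reproduce its patented method; it shows the general idea in a small static analyzer: decoder layers such as `base64_decode`, `gzinflate` and `str_rot13` wrapped around a string literal are undone without executing anything, and every recovered stage is then compared against “structure snippets” (call sequences plus the presence of request input) rather than against raw bytes. The decoder list, the snippet definitions and the two samples are constructed for this example; the sample is built by a helper in the block so that its encoded form does not have to be embedded.

```python
import base64
import codecs
import re
import zlib

# Decoder calls that can be undone statically, without running PHP (constructed list).
DECODERS = {
    "base64_decode": lambda b: base64.b64decode(b),
    "gzinflate": lambda b: zlib.decompress(b, -15),       # raw DEFLATE
    "gzuncompress": lambda b: zlib.decompress(b),         # zlib-wrapped
    "str_rot13": lambda b: codecs.encode(b.decode("latin-1"), "rot_13").encode("latin-1"),
    "strrev": lambda b: b[::-1],
}
# A chain of decoder calls wrapped around one quoted literal, e.g.
#   eval(str_rot13(gzinflate(base64_decode('...'))));
LAYER = re.compile(r"((?:(?:%s)\s*\(\s*)+)(['\"])(.*?)\2" % "|".join(DECODERS), re.S)
CALL = re.compile(r"\b([A-Za-z_]\w*)\s*\(")
REQUEST_INPUT = re.compile(r"\$_(?:GET|POST|REQUEST|COOKIE)\b")

# Structure snippets: call names in textual order that describe behaviour, and
# whether request input must also be present in the same stage (constructed).
SNIPPETS = {
    "eval-wrapping-decoder": (("eval", "base64_decode"), False),
    "eval-of-request-input": (("eval",), True),
    "shell-exec-of-request-input": (("system",), True),
}


def peel(code, max_depth=8):
    """Unwrap decoder layers statically; returns all stages, outermost first, and
    the chain peeled at each step. Stops at the first layer that does not decode."""
    stages, layers = [code], []
    for _ in range(max_depth):
        m = LAYER.search(stages[-1])
        if not m:
            break
        chain = re.findall(r"\w+", m.group(1))
        data = m.group(3).encode("latin-1")
        try:
            for fn in reversed(chain):          # innermost decoder runs first
                data = DECODERS[fn](data)
        except (ValueError, zlib.error):        # literal was not really encoded data
            break
        layers.append("+".join(chain))
        stages.append(data.decode("latin-1"))
    return stages, layers


def is_subsequence(needle, calls):
    it = iter(calls)
    return all(any(n == c for c in it) for n in needle)


def analyze(code):
    """Structure verdict over every recovered stage of the code."""
    stages, layers = peel(code)
    hits = set()
    for stage in stages:
        calls = CALL.findall(stage)
        tainted = bool(REQUEST_INPUT.search(stage))
        for name, (seq, needs_input) in SNIPPETS.items():
            if is_subsequence(seq, calls) and (tainted or not needs_input):
                hits.add(name)
    return {"layers": layers, "final_calls": CALL.findall(stages[-1]), "hits": sorted(hits)}


def _encode(payload, chain):
    """Builds the constructed test sample: applies the encoders in chain order
    (outermost decoder first) and wraps the result the way the analyzer expects."""
    enc = {"base64_decode": base64.b64encode,
           "gzinflate": lambda b: (lambda c: c.compress(b) + c.flush())(
               zlib.compressobj(9, zlib.DEFLATED, -15)),
           "str_rot13": lambda b: codecs.encode(b.decode("latin-1"), "rot_13").encode("latin-1")}
    data = payload
    for fn in chain:
        data = enc[fn](data)
    return "<?php eval(%s'%s'%s); ?>" % ("(".join(chain) + "(", data.decode("latin-1"), ")" * len(chain))


# Two-stage constructed sample: an inner base64 stage inside a rot13+deflate+base64 stage.
INNER = _encode(b'<?php system($_GET["cmd"]); ?>', ["base64_decode"])
SAMPLE = _encode(INNER.encode("latin-1"), ["str_rot13", "gzinflate", "base64_decode"])

if __name__ == "__main__":
    print(analyze(SAMPLE))
    print(analyze("<?php $logo = base64_decode('aGVsbG8='); ?>"))   # benign decoder use
```

A benign file that merely embeds a base64 literal is peeled too, but yields no hits because nothing evaluates or executes the result; that distinction, not the presence of a decoder, is what keeps the false positive rate down.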

Can I schedule malware scans for a specific time and date?

Currently, you can choose different frequencies for scheduled malware scans, for example: every 15 days. Soon, we’ll be adding an option to set the exact date and time for the scans, for example: every Tuesday at 3:00 am.

What happens when BitNinja detects malware?

When BitNinja finds a suspicious file on your server, it will be moved to the quarantine. This allows you to review the files and prevents any further damage to your server. In the rare event of a false positive, you can easily restore files from the quarantine too. 
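Quarantine, as described here and in the restore answer earlier in the FAQ, has to do two things well: make the file inert immediately and keep enough metadata to put it back exactly on a false positive. The following added example is not BitNinja’s implementation; the 0700 quarantine directory, the JSON manifest, the stored owner/mode/mtime fields, the sha256 integrity check on restore and the symlink refusal are all design assumptions of this example. `restore_path` mirrors a “restore this path” CLI call for the newest quarantined copy.

```python
import hashlib
import json
import os
import shutil
import stat
import uuid


class Quarantine:
    """Moves a detected file out of the web root into a 0700 directory, strips its
    permissions so it can neither run nor be served, and records what is needed to
    put it back byte-for-byte on a false positive. Illustrative design (assumed)."""

    def __init__(self, root):
        self.root = root
        os.makedirs(root, mode=0o700, exist_ok=True)
        self.manifest = os.path.join(root, "manifest.json")
        self.entries = {}
        if os.path.exists(self.manifest):          # manifest survives a restart
            with open(self.manifest) as fh:
                self.entries = json.load(fh)

    def _save(self):
        with open(self.manifest, "w") as fh:
            json.dump(self.entries, fh, indent=1)

    @staticmethod
    def _sha256(path):
        with open(path, "rb") as fh:
            return hashlib.sha256(fh.read()).hexdigest()

    def quarantine(self, path):
        st = os.lstat(path)
        if not stat.S_ISREG(st.st_mode):        # never follow a symlink out of the web root
            raise ValueError("only regular files are quarantined: %s" % path)
        digest = self._sha256(path)
        qid = uuid.uuid4().hex
        dest = os.path.join(self.root, qid)
        shutil.move(path, dest)                  # rename on the same filesystem, copy+unlink otherwise
        os.chmod(dest, 0)                        # inert while quarantined
        self.entries[qid] = {"path": os.path.abspath(path), "sha256": digest,
                             "uid": st.st_uid, "gid": st.st_gid,
                             "mode": stat.S_IMODE(st.st_mode), "mtime": st.st_mtime}
        self._save()
        return qid

    def find(self, path):
        """Quarantine ids recorded for an original path, oldest first."""
        return [q for q, e in self.entries.items() if e["path"] == os.path.abspath(path)]

    def restore(self, qid):
        e = self.entries[qid]
        src = os.path.join(self.root, qid)
        os.chmod(src, 0o600)
        if self._sha256(src) != e["sha256"]:     # the stored copy must be untouched
            raise RuntimeError("quarantined copy of %s was altered; not restoring" % e["path"])
        os.makedirs(os.path.dirname(e["path"]), exist_ok=True)
        shutil.move(src, e["path"])
        os.chmod(e["path"], e["mode"])
        os.utime(e["path"], (e["mtime"], e["mtime"]))
        try:
            os.chown(e["path"], e["uid"], e["gid"])
        except PermissionError:                  # only root may hand the file back to the site user
            pass
        del self.entries[qid]
        self._save()
        return e["path"]

    def restore_path(self, path):
        """Restore the newest quarantined copy of an original path."""
        ids = self.find(path)
        if not ids:
            raise KeyError("nothing quarantined for %s" % path)
        return self.restore(ids[-1])


if __name__ == "__main__":
    import tempfile
    base = tempfile.mkdtemp()
    web = os.path.join(base, "www"); os.makedirs(web)
    sample = os.path.join(web, "x.php")             # constructed sample file
    with open(sample, "w") as fh:
        fh.write("<?php echo 1; ?>")
    q = Quarantine(os.path.join(base, "quarantine"))
    qid = q.quarantine(sample)
    print("quarantined as", qid, "exists:", os.path.exists(sample))
    print("restored to", q.restore_path(sample))
```

Keeping the original mode and mtime matters in practice: a restore that comes back with different permissions breaks the site in a new way, and a changed mtime makes the file look freshly modified to the next scan.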

What is the difference between the real-time Malware Detection module and the manual/scheduled malware scans?

The real-time Malware Detection module continuously monitors file changes on your server, so if there’s a malware upload attempt, BitNinja will detect it. The manual and scheduled scans check all the files thoroughly for malware. We recommend running a scan when you install BitNinja for the first time, and also when the malware database is updated. Read more about the differences between real-time detection and scans here.

What is Defense Robot?

The BitNinja Defense Robot is the first real-time malware root cause analysis solution on the market. Our Defense Robot automates how sysadmins and IT teams stop malware attacks. Typical malware detection software only finds the malware. In the past, it was up to the server admin or IT team to find the source of the problem and track the hacker. Now, BitNinja automatically finds the backdoor and the attacking IP, blocking the attack and preventing any further infections on the server. You can find more details about the BitNinja Defense Robot in this article.

BUILD YOUR SECURITY

START THE 7-DAY FREE TRIAL WITH FULL FUNCTIONALITY WITHOUT SPENDING A CENT.

(No credit card required)