Good Guys and Bad Guys Are Using This Method To Open Ports
From Tony Bradley, CISSP, MCSE2k, MCSA, A+
Ideally you want to restrict and control the traffic that is allowed into your network or computer. This can be done in a variety of ways. Two of the primary methods are to make sure that unneccesary ports on your computer are not open or listening for connections and to use a firewall- either on the computer itself or at the network perimeter- to block unauthorized traffic.
By monitoring traffic and manipulating firewall rules based on events it is possible to create a sort of “secret knock” that will open the gate and let you through the firewall. Even though no ports may be open at the time, a specific series of connection attempts to closed ports may provide the trigger to open a port for communication.
In a nutshell, you would have a service running on the target device which would watch network activity- typically by monitoring firewall logs. The service would need to know the “secret knock”- for example failed connection attempts to port 103, 102, 108, 102, 105. If the service encountered the “secret knock” in the correct order it would then automatically alter the firewall rules to open a designated port to allow remote access.
The malware writers of the world have unfortunately (or fortunately- you’ll see why in a minute) begun to adopt this technique for opening backdoors on victimized systems. Basically, rather than opening ports for remote connection that are readily visible and detectable, a Trojan is planted which monitors the network traffic. Once the “secret knock” is intercepted the malware will awaken and open the pre-determined backdoor port, allowing the attacker access to the system.
Read more: here