Introduction: BO2k, a new menace for Windows.
What to Do?: Windows users -- some steps you can take to minimize the exposure.
Vulnerability of Windows: Other OSes may fare better.


Back Orifice 2000: A Trojan for Windows NT
by Bruce Gingery

On Thu, 8 Jul 1999 03:55:15 -0500, in <rHZg3.1637$>,
Jon Neiderbach wrote in uswest.dsl:
JN> I am using the Cisco 675 router hooked to a Windows 98 peer-to-peer LAN.
JN> File sharing had been enabled, but I've just changed that...

JN> In the July 8, 1999 New York Times
JN> there is a story about the increased security risks posed by "always on"

While you're considering security and 24/7, don't neglect to notice that this is again DEFCON weekend coming up. The floods in Vegas Thursday can't do anyone any good.

cDc has announced BO2k for NT, as well as W95/98. To add to it, Back Orifice is announced to become "open source" this coming weekend, so traditional "signature" identification by virus scanners _will_ become even more useless than the traditional _catch_up_mode_ that they traditionally work in (someone must be a victim before protection can be added). Within days there almost certainly will be many variants. If the old version was downloaded several hundred thousand times, the new one(s) may quickly exceed that, with NO way to count.

Press Release:
MSNBC article
Home site (ShockWave required - is there a previously unannounced hole in it?) Downloads start July 10, probably on mirror sites, too.

There _may_ be glaring errors in the MSNBC coverage. The work on an NT _server_ of BO (not merely the remote control application "client") was announced many months ago. Don't count on this update being *just* a client, where NT is concerned, unless that is confirmed Saturday.

Reports of plugins (BUTTplugs) & releases for the year-old BO include:

"Sleep mode and TCP control scheduled port connections" (UDP blocking, _any_ port, and portscanning ineffective)

"HTTP and HTTPS Tunnel-Through" (Reverse Logic HTTP allows boserver to be accessed if web browsers can "get out")

Promiscuous mode LAN sniffing (otherwise unnoticed installed server watches everything going past, sniffing (e.g.) passwords.)

Various and sundry system analyses and data scanning/manipulation.

Various and sundry install schemes, exploiting any known (and perhaps even some _still_ unadmitted) holes in Windows, especially ...

IE5 services invocation by buffer overflow for install, if IE5 is present, even if it is not the normal tool for the web. (anyone know if this same problem exists for IE4?)

OpenSource client (written for *N?X, allows porting to anything; not really a BUTTplug, I know, but it seems to fit here. The unattended scripted client hasn't had much distribution, unlike the basic client).

ButtTrumpet announcement via E-Mail of successful install (similar announcing mechanisms use Usenet, IRC (SpeakEasy) and/or eggdrop Botnet, ICQ, AIM).

SaranWrap/SilkRope trojan installers, launchers.

Reset auto-startup for machines with soft on-timer powerup.

Post _anything_ as outgoing E-mail, as well as directly sending it, including or excluding a record of it being sent. It _looks_ like you sent it. Same for Usenet, IRC, ICQ, AIM, messages etc.

Install its own updates

and likely more I've heard of but forgotten at this point.

In case you've forgotten, the year-old version in the base server included:

Webserver turns your HDD into an open space on the net.
File transfers (either direction).
Manipulation of "Net Neighborhood" fileshares.
Run any program the user can run (and some they can't).
Load plugins and run them (the BUTTplugs above).
Redirect any port (pretend to be the normal service).
Port reflection (hmmm, I _think_. Haven't looked in a long time).
Keyboard sniffing.
Screen capture.
Video and/or Audio controls (A/V snooping and/or odd effects).
Installation of other programs (e.g. NetBus).
Killing or disabling of other programs, such as virus scanners.
Extend a "DOS prompt" to the remote machine.
Shut down (normally), or panic your machine (BSoD).
Does not show in task list, taskbar nor tray.

Note that there are rumors of heretofore unaddressed OLE/COM security holes, and potential for the "macro virus" problems in Word, Excel, PowerPoint and others (in combination with MS-Money? Access? Encarta? anything that can work together via OLE/COM) _still_ being unrepaired (ref Melissa).

In short, anything you've heard of a virus being able to do, including CIH/Chernobyl's capacity to destroy your Flash-BIOS, can also be done by BO. It can disable what little protection there is, for example, in the signature checking of ActiveX controls on webpages. It can mail itself to your address book list, with a cover letter claiming that the executable is an E-Mail "Greeting Card" (which with Silk Rope or Saran might actually run). It can modify your BIOS to unprotect your boot-sector, and/or crack your BIOS password (if one is installed), and change or remove it. Of course, it can also negate or change W95/98 logins. It can change default associations so that it doesn't have to auto-start, but rather gets you to start it with a saran'd or silkrope'd copy of Word, for example. The registry check is NOT a sure thing.

It is rumored that BO2k may do the following:

  1. It's a "deep" (complex) attack, or can be

  2. It uses "deep"ly embedded services more easily than its predecessor (COM calls), utilizing anything that Microsoft has been defending as inseparable from Windows.

  3. Keying off Melissa, it will reveal "deep" secrets, such things as PKI identity secret keys for client-identified SSL sessions, financial data, and auto-decryption of received messages, with mirroring back out to anywhere of the decrypted text.

  4. In an intranet or extranet, it may become a "deep" throat tattletale of everything going on in the NET.

Deep BO was expected as an embarrassment during Chicago COMDEX, but evidently wasn't ready, or just wasn't released. Further investigation reveals that "Deep BO" may have indeed been released and have been far less than presumed (e.g. listening only on 37338 UDP), and without even all of the functionality of the original BO. It seems to have been a competitor, rather than an upgrade of BO.

With the addition of stronger encryption reportedly in BO2k, it may be installed with its primary functionality encrypted (even differently after each run), making ANY signature identification impossible by traditional virus scanners. It also may use networked services to have a "mini bootstrap loader" fetch the main operational code and execute it, from some distant site on reboot.
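As an added illustration of the point above (not code from the post, from cDc, or from BO2k itself): a toy model of per-run re-encryption against a substring signature scanner. The stub bytes, body text and keys are all constructed placeholders; the defender's lesson is that a signature taken from the encoded body detects only the variant it was taken from, while the small loader that must stay invariant to decrypt the body is the only stable thing left to match on.

```python
"""Toy model: why a body signature fails against per-run re-encryption.

Constructed example, not BO2k code. A 'sample' is an invariant loader
stub, a one-byte key, and the payload body XOR-encoded with that key,
so every run produces a byte-different variant of the same program.
"""

# Constructed placeholder bytes standing in for the small, unchanging
# decryptor/loader that must run before the encrypted body can.
STUB = b"\x55\x8b\xec\x83\xec\x10"
# Constructed stand-in for the functional code that is re-encrypted each run.
BODY = b"constructed payload body: same functionality in every variant"


def encode(data: bytes, key: int) -> bytes:
    """XOR every byte with a single-byte key (self-inverse, so it also decodes)."""
    return bytes(b ^ key for b in data)


def build_sample(key: int, body: bytes = BODY) -> bytes:
    """Assemble one variant: stub + key byte + encoded body."""
    return STUB + bytes([key]) + encode(body, key)


def signature_matches(sample: bytes, signature: bytes) -> bool:
    """Classic scanner check: fixed byte string present anywhere in the file."""
    return signature in sample


def body_signature(sample: bytes, length: int = 8) -> bytes:
    """Signature drawn from the encoded body of one captured sample."""
    start = len(STUB) + 1  # skip stub and key byte
    return sample[start:start + length]


def detection_rates(keys) -> dict:
    """Learn signatures from the first variant only (the 'catch-up mode' the
    post describes), then count hits across all variants for a body-derived
    signature versus a stub-derived one."""
    samples = [build_sample(k) for k in keys]
    body_sig = body_signature(samples[0])
    return {
        "variants": len(samples),
        "body_sig_hits": sum(signature_matches(s, body_sig) for s in samples),
        "stub_sig_hits": sum(signature_matches(s, STUB) for s in samples),
    }
```

Calling `detection_rates([0x5A, 0xA3, 0x17])` reports one body-signature hit out of three variants (only the sample the signature was learned from) against three stub-signature hits.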


Copyright 1999 Dr. Raj Mehta. All rights reserved.