Back Orifice Back Again

UPDATE -- The Symantec AntiVirus Research Center (SARC) at Symantec Corp. (www.symantec.com) has analyzed the Back Orifice 2000 Trojan Horse and posted a virus definition set that it says protects against it.

The company says the definition set is available now, and users of Norton AntiVirus can download it through LiveUpdate or from the Symantec Web site. This will allow the operating system to detect when Back Orifice 2000 has been received. Other security vendors, such as Network Associates Inc. (www.nai.com), are releasing similar solutions.

Earlier today, Internet Security Systems (ISS, www.iss.net) announced that it had decoded the protocols and encryption algorithms in Back Orifice 2000 (BO2K), the Cult of the Dead Cow's update to last year's Trojan Horse application, Back Orifice, which provided remote access to Windows 9.x machines. Released just 48 hours ago at the Las Vegas hacker convention Def Con, BO2K can do the same to machines running Windows NT, making it a much larger threat to the corporate enterprise.

ISS reports it is sharing whatever information it has with Microsoft Corp. and is rapidly developing countermeasures for inclusion in its security software, RealSecure and Internet Scanner.

Bob Olson, vice president of product marketing for Network-1 Security Solutions Inc. (www.network-1.com), says Back Orifice can access passwords, capture keystrokes and send the machine faulty warning messages. BO2K can even turn on the machine's microphone and listen for noise around the machine, and access the MS-DOS prompt and perform any function that can run from DOS.

It does all this by sending an e-mail message containing the IP address of the machine to some Web e-mail address such as Hotmail or Yahoo. Then, as the attacker, you remotely connect to the machine and begin administering it. Any application on a Windows NT machine has access to the communication ports. Back Orifice 2000 takes advantage of this and uses any port on the machine it chooses.

This is where Network-1 has come in. The company has developed software called CyberwallPlus that locks down communication ports on the NT machine and only allows them to open up after the administrator has been notified.
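As an added example (not code from the article, Network-1 or ISS), the following script applies the idea behind the port lockdown described above to constructed netstat-style output: it flags listening ports that are not on an administrator's allowlist and outbound SMTP connections from a workstation, the kind of traffic the IP-address e-mail would produce. The port numbers, the allowlist and the sample output are assumptions made for the example.

```python
# Added example, not from the article or any vendor named in it. It audits
# constructed netstat-style output for two things a port-lockdown tool would
# care about: LISTENING sockets on ports the administrator has not approved,
# and outbound connections to SMTP (port 25) from a workstation. The ports
# and addresses below are illustrative, not BO2K's real defaults.
from __future__ import annotations
from dataclasses import dataclass

# Sample "netstat -an" style output, constructed for this example.
SAMPLE_NETSTAT = """\
Proto  Local Address          Foreign Address        State
TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
TCP    0.0.0.0:139            0.0.0.0:0              LISTENING
TCP    0.0.0.0:54321          0.0.0.0:0              LISTENING
TCP    10.0.0.5:1043          192.0.2.25:25          ESTABLISHED
UDP    0.0.0.0:137            *:*
"""

# Ports the administrator has approved on this NT workstation (assumed).
ALLOWED_LISTEN_PORTS = {135, 137, 138, 139}

@dataclass(frozen=True)
class Finding:
    kind: str      # "unexpected_listener" or "outbound_smtp"
    proto: str
    local: str
    remote: str

def _port(addr: str) -> int | None:
    """Return the numeric port of 'host:port', or None for '*' / malformed."""
    _host, _, port = addr.rpartition(":")
    return int(port) if port.isdigit() else None

def audit_netstat(text: str, allowed: set[int] = ALLOWED_LISTEN_PORTS) -> list[Finding]:
    findings: list[Finding] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue  # header or blank line
        proto, local, remote = parts[0], parts[1], parts[2]
        # UDP rows have no State column; treat a bound UDP socket as a listener.
        state = parts[3] if len(parts) > 3 else "LISTENING"
        lport, rport = _port(local), _port(remote)
        if state == "LISTENING" and lport is not None and lport not in allowed:
            findings.append(Finding("unexpected_listener", proto, local, remote))
        elif state == "ESTABLISHED" and rport == 25:
            findings.append(Finding("outbound_smtp", proto, local, remote))
    return findings

if __name__ == "__main__":
    for f in audit_netstat(SAMPLE_NETSTAT):
        print(f"{f.kind}: {f.proto} {f.local} -> {f.remote}")
```

On a real host the same logic would be fed the output of netstat and the alert routed to the administrator, which is the notification step the article attributes to CyberwallPlus.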

"The real threat behind this is that the authors made it encoded so that it's difficult to detect it in a machine," says Olson. "[The Cult] did it purposely to point out the deficiencies in Windows NT security."

Not only does Back Orifice run undetected, but it can get onto the machine in a variety of ways. One is by floppy disk. In the original Back Orifice, the executable program was called "[spacebar].exe", so the file name was virtually invisible. The executable can also be sent by e-mail and "Saran Wrapped" onto another bona fide application.

Other innovations may come along as well, since the Cult decided to make this version open source, allowing other hackers to come up with their own implementation of the Trojan Horse. Symantec reports its solutions will defend against variations of Back Orifice 2000 as well.

As for the Cult of the Dead Cow, it's marketing this as a pure administration tool. The Cult's Web site has a press release announcing the "product," saying it will be free for download July 10 on the Back Orifice 2000 Web site (www.bo2k.com) during the hacker convention Def Con VII in Las Vegas. "Unfortunately for Microsoft, Back Orifice 2000 could bring pressure on the software leviathan to finally implement a security model in their Windows operating system," states the release. "Failure to do so would leave customers vulnerable to malicious attacks from crackers using tools that exploit Windows' breezy defenses." -- Brian Ploskina

About the Author

Scott Bekker is editor in chief of Redmond Channel Partner magazine.