Back Orifice 2000: Admin Utility or Hacking Tool?

Surely you've heard the news already: Back Orifice 2000 (BO2K) is floating around the Internet now. Even though Cult of the Dead Cow (cDc) hasn't officially released the software and source code, at least one person who got hold of the prerelease code at the DefCon 7 convention last weekend made the software available on the Internet almost immediately upon receipt. And if rumors are correct, the distribution currently floating around is infected with the CIH virus--it figures that someone would do this. I got my hands on a copy of BO2K, and I didn't find any virus in the package--but no matter, the software alone is dangerous enough.

BO2K, like its predecessor Back Orifice, is a remote control application that lets a person gain very robust access to a remote OS--namely Windows NT and Windows 9x. Although the older Back Orifice does not run under NT, BO2K most certainly does. I took a peek under the hood of BO2K, and this is a very impressive application from a usefulness standpoint. It has some serious power that you don't find with run-of-the-mill NT-based remote control software. For instance, using the BO2K client, a person can manage the Registry, start a command socket, capture keystrokes, list passwords, control processes, and turn on the microphone or video capture camera--and that's just the tip of the iceberg.

The real difference between BO2K and other remote control software is its presence. Software such as pcAnywhere leaves footprints all over the OS to let you know it's installed and running. BO2K, on the other hand, leaves little if any fingerprint on the system. Using the BO2K Server Configuration utility, I found that I could define BO2K's process name and even hide that process on the system. This means I can make BO2K appear to be something harmless, such as Internet Explorer (IE), by naming the process IEXPLORER.
After this process starts and is hidden on the system, you'll have a tough time finding and killing the process--not to mention removing the software from your system. BO2K also supports plugins, which means third parties can develop custom add-on controls for BO2K. For instance, a Server Message Block (SMB) sniffer plugin is available that can grab NT authentication packets off the network. A malicious user can crack those packets to extract password hashes. Adding to the danger, a user can attach BO2K to any executable file.

I guess the real impact of BO2K is threefold: it runs on NT now, it's very stealthy in nature, and it's very powerful. And to top it all off, cDc is releasing the source code to the public under the GNU license scheme, which means anybody with a programming background can further alter the code, making it very difficult for virus detection vendors to check for all mutations of BO2K as a Trojan on a given system.

If you check the cDc Web site, you'll see the press release that states motives and opinions regarding this tool. Quoting from the press release, "Back Orifice 2000 is a best-of-breed network administration tool, granting sysadmins [sic] access to every Windows machine on their network. Using Back Orifice 2000, network administrators can perform typical desktop support duties without ever leaving their desk." It strikes me as odd that a group would make such a claim, yet provide the means for the software to become almost invisible on a given system. That action speaks the true motive for developing this software, and I don't think I need to spell it out for you. The press release went on to say, "Unfortunately for Microsoft, Back Orifice 2000 could bring pressure on the software leviathan to finally implement a security model in its Windows operating system."
Well, we all know NT already has security subsystems in place, so what cDc is really saying is that it thinks NT's overall security model isn't conducive to protecting the OS against certain Trojans, such as BO2K. cDc says BO2K is a remote administration tool, but the instant somebody uses the tool with ill intent, it becomes a Trojan--and that's the purpose of releasing BO2K. cDc wants to show the world that NT is an insecure OS by having it infect thousands and thousands of NT systems.

After thinking about NT's security heavily over the past week, and conversing with some of my friends in the security world regarding NT's overall security, I have to admit that cDc is somewhat correct--the security subsystems in NT do need some improvement. I know Microsoft will disagree with me on this note, but my opinion stands. If it weren't true, Microsoft wouldn't be adopting Kerberos and making other security-related changes in Windows 2000 (Win2K) that move away from NT 4.0 technology. On a UNIX platform, it's possible to compile the kernel so that no user (including root) can take ownership of a process running on the system. This protection isn't possible with NT. Through BO2K, an intruder can easily take over a given system and quite possibly an entire network.

I don't know enough about NT internals to envision how Microsoft can change the OS to prevent software such as BO2K from becoming effective. But I can take a guess and say that the models used in the UNIX world would probably serve as a great example. And, if I had to take another guess, I'd say that cDc would rather have you load a copy of Linux than wait for Microsoft to find a way to prevent the shenanigans possible with BO2K. For now, we'll have to contend with the potential that BO2K will make its way into our networks. So the million-dollar question for the next few months will be, "How do I detect and remove BO2K?" I'm afraid the answer won't come in the form of blanket statements.
Remember, cDc is releasing the source code, so you'll see mutations in the near future. I read a press release from a virus-detection vendor who shall go unnamed in this editorial. The company said that people generally underestimate the capability of modern virus scanners to detect Trojans. The press release continued by asking how many people are capable of manipulating a large set of code (such as that found with BO2K) into a program that can bypass a scan for the original version of BO2K. The vendor doesn't think many people have this capability and takes the position that the company's antivirus scanner will be able to find most, if not all, renditions of BO2K. I don't know what exposure the writer of that press release has to the underground world of cracking systems, but I can tell you that there are plenty of crackers capable of slinging code with the best programmers. Therefore, antivirus software vendors should not underestimate the capabilities and resources available to crackers, or their reputations might suffer down the line when their software falls short of detecting the latest BO2K mutation.

As of Tuesday this week, I had only heard from three organizations professing to provide detection software capable of finding BO2K on a given system. Those companies are Internet Security Systems (ISS), MetaTech (in Australia), and Symantec. ISS has added BO2K detection to its Internet Scanner product, available at http://www.iss.net. MetaTech has added BO2K detection to its Trojan Defense Suite, available at http://tds.metatech.net. Symantec has added detection to its antivirus software, available at http://www.symantec.com. Even though I haven't heard from any other companies regarding BO2K detection, you can bet they either have initial BO2K detection now or are working on it at a feverish pace. Be sure to check with your vendor of preference ASAP. You'd be well advised to get some kind of detection system in place pronto--don't put it off.
In addition to installing detection software, you need to practice standard antivirus and anti-Trojan countermeasures to help prevent BO2K from entering your system. For example, never open an email attachment unless you're absolutely sure that it doesn't contain any malicious code; never download software from unknown vendors or software authors; don't let ActiveX, Java, or other scripting languages execute in your browser or mail client; and when you install new software, use monitoring tools such as Mark Russinovich's FileMon and RegMon (available at http://www.sysinternals.com) to track system additions and changes. Although taking these steps won't grant you 100 percent immunity from BO2K infection, they will reduce the danger considerably.

Before I sign off this week, I want to issue a stern warning. If you come across a copy of BO2K, DO NOT make the mistake of putting this software online for download, and don't email it outside of this country. Why? Because BO2K supports strong encryption in the form of Triple-DES for network communications (Triple-DES support comes as a plugin). Triple-DES is subject to export restrictions by the US government. This means that if you're in possession of a product containing strong encryption capabilities, the responsibility falls on you to ensure the product is not distributed to any areas restricted by federal law.
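The baseline-and-diff discipline recommended above, as an added example that is not from this editorial or from any vendor's product: a small Python check over constructed process snapshots that flags a process borrowing or imitating a trusted name (the IEXPLORER trick described earlier) and lists what appeared after an install. The allow-list of expected image directories and the snapshot contents are assumptions made for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Proc:
    name: str   # image name as shown in a process list
    path: str   # full image path

# Hypothetical allow-list: where each legitimately named binary is expected to live.
EXPECTED_DIRS = {
    "iexplore.exe": r"c:\program files\internet explorer",
    "explorer.exe": r"c:\winnt",
}

def edit_distance(a, b):
    """Levenshtein distance, used to spot look-alike names (IEXPLORER vs IEXPLORE)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def suspicious(procs):
    """Flag processes that use or imitate a trusted name but run from elsewhere."""
    flagged = []
    for p in procs:
        name = p.name.lower()
        directory = p.path.lower().rsplit("\\", 1)[0]
        if name in EXPECTED_DIRS:
            if directory != EXPECTED_DIRS[name]:
                flagged.append((p, "trusted name, unexpected path"))
        elif any(edit_distance(name, known) <= 1 for known in EXPECTED_DIRS):
            flagged.append((p, "look-alike name"))
    return flagged

def new_since_baseline(baseline, current):
    """Processes present now that were absent in the pre-install snapshot."""
    return sorted(set(current) - set(baseline), key=lambda p: p.path)

# Constructed sample snapshots: before and after installing an untrusted package.
BEFORE = [
    Proc("explorer.exe", r"C:\WINNT\explorer.exe"),
    Proc("iexplore.exe", r"C:\Program Files\Internet Explorer\iexplore.exe"),
]
AFTER = BEFORE + [
    Proc("iexplorer.exe", r"C:\WINNT\system32\iexplorer.exe"),
    Proc("iexplore.exe", r"C:\TEMP\iexplore.exe"),
]
```

Run against real snapshots, the allow-list would be built from your own standard build rather than the two entries assumed here.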
