The Cult of the Dead Cow released a program called Back Orifice that can be used as a trojan backdoor into vulnerable machines. While the software does need to be installed on the client before it can be used to penetrate the system, several means are readily available to do so -- including the use of Java applications embedded into a Web site. Accessing such a site could lead to the trojan being installed without the user's knowledge.
Back Orifice allows several means of accessing and controlling the trojaned machine, including:
According to a security advisory posted by Internet Security Systems (ISS):
The BO server will do several things as it installs itself on a target host:
* Install a copy of the BO server in the system directory (c:\windows\system) either as " .exe" or a user-specified file name.
* Create a registry key under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices with the file name of the server file name and a description field of either "(Default)" or a user-specified description.
* The server will begin listening on UDP port 31337, or a UDP port specified by the installer.
1. Start the regedit program (c:\windows\regedit.exe).
2. Access the key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices. Look for any services that may not have been intentionally installed on the machine. If the size of one of these files is close to 124,928 bytes (give or take 30 bytes), then it is probably BO.
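The manual regedit check above and the installation indicators from the ISS advisory (the RunServices key, the " .exe" default file name in the system directory, the 124,928-byte server size and the UDP 31337 listener) can be combined into one scripted check. The following is an added example written for this page; it is not code from The NT Shop, ISS or the Back Orifice authors. It parses a regedit export of the RunServices key and a `netstat -an` listing, both constructed inline so the script runs offline; the file-size table stands in for `os.path.getsize()` on a real machine, and the `BO_SERVER_SIZE`, `SIZE_TOLERANCE` and `SYSTEM_DIR` constants are taken from the article.

```python
import re
from pathlib import PureWindowsPath

# Indicators taken from the article / ISS advisory
BO_SERVER_SIZE = 124_928          # size of the BO server, "give or take 30 bytes"
SIZE_TOLERANCE = 30
BO_DEFAULT_NAME = " .exe"         # default server file name (note the leading space)
BO_DEFAULT_UDP_PORT = 31337
SYSTEM_DIR = PureWindowsPath(r"C:\WINDOWS\SYSTEM")
RUNSERVICES_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices"

# Constructed regedit export (what "regedit /e" produces); the "@" line is the (Default) value.
SAMPLE_REG_EXPORT = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"SchedulingAgent"="mstask.exe"
@="C:\\WINDOWS\\SYSTEM\\ .exe"
"Updater"="C:\\WINDOWS\\SYSTEM\\updsvc.exe"
"""

# Constructed file sizes (lower-cased paths); on a live host use os.path.getsize() instead.
SAMPLE_FILE_SIZES = {
    r"c:\windows\system\mstask.exe": 27_648,
    r"c:\windows\system\ .exe": 124_928,     # exact BO size, default name
    r"c:\windows\system\updsvc.exe": 124_940, # renamed copy, 12 bytes over
}

# Constructed "netstat -an" output with one UDP socket on the default BO port.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:139            0.0.0.0:0              LISTENING
  UDP    0.0.0.0:137            *:*
  UDP    0.0.0.0:31337          *:*
"""


def parse_reg_export(text):
    """Parse [key] sections and "name"="value" lines of a regedit export into {key: {name: value}}."""
    keys = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and "=" in line:
            name, _, value = line.partition("=")
            name = "(Default)" if name == "@" else name.strip('"')
            # regedit escapes backslashes in string values as "\\"
            keys[current][name] = value.strip('"').replace("\\\\", "\\")
    return keys


def find_suspects(reg_text, file_sizes):
    """Return (value name, resolved path, reasons) for RunServices entries matching the BO indicators."""
    entries = parse_reg_export(reg_text).get(RUNSERVICES_KEY, {})
    suspects = []
    for name, command in entries.items():
        path = PureWindowsPath(command)
        if not path.is_absolute():
            # a bare file name in RunServices is found in the system directory
            path = SYSTEM_DIR / path
        reasons = []
        size = file_sizes.get(str(path).lower())
        if size is not None and abs(size - BO_SERVER_SIZE) <= SIZE_TOLERANCE:
            reasons.append(f"size {size} within {SIZE_TOLERANCE} bytes of {BO_SERVER_SIZE}")
        if path.name == BO_DEFAULT_NAME:
            reasons.append(f"default BO server file name {BO_DEFAULT_NAME!r}")
        if reasons:
            suspects.append((name, str(path), reasons))
    return suspects


def udp_listeners_on(netstat_text, port=BO_DEFAULT_UDP_PORT):
    """Return the netstat lines for UDP sockets bound to `port`; an empty list proves nothing,
    since the installer may have chosen a different port."""
    hits = []
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) >= 2 and fields[0].upper() == "UDP":
            if re.search(rf":{port}$", fields[1]):
                hits.append(line.strip())
    return hits


if __name__ == "__main__":
    for name, path, reasons in find_suspects(SAMPLE_REG_EXPORT, SAMPLE_FILE_SIZES):
        print(f"RunServices value {name!r} -> {path}: {'; '.join(reasons)}")
    for line in udp_listeners_on(SAMPLE_NETSTAT):
        print("UDP listener on default BO port:", line)
```

The size test alone is a weak indicator (any file of roughly that size in RunServices will trip it), so the script reports the reasons for each hit rather than a verdict, and the user-chosen file name and port the advisory describes mean a clean result from this check does not rule the trojan out.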
A program called "Toilet Paper" has been released that can remove Back Orifice. We make no claims as to the suitability of this software package.
To learn more about NT Security concerns, subscribe to NTSDCredits
- Originally reported by Microsoft
- Posted on The NT Shop on August 19, 1998
Copyright (C) 1998 - M.E. -- ALL RIGHTS RESERVED