Back Orifice 2000
The Remote Administration Tool Developed by the Cult of the Dead Cow
James Pliska
IFSM 430
Wills
1. Intro
Have you ever been typing away at your computer and had it shut down for no reason? Or found files or programs on your computer that you cannot account for and have never seen before? Or perhaps received a message box reading, "I am watching you."
These are only a few examples of what could happen if you were being monitored by Back Orifice 2000 (BO2K), a remote administration tool created by the hacker group called the Cult of the Dead Cow (cDc).
BO2K was written by DilDog of cDc and was officially released to the public in July 1999. Many of the commands that BO2K ships with were ported directly from Sir Dystic's source code for the original Back Orifice (BO), released in August 1998, but BO2K is an almost complete rewrite. By default BO2K can talk over TCP as well as UDP, and it supports strong encryption through plug-ins. Commands have also been added, upgraded and fixed, especially in the areas of file transfer and registry handling. The name Back Orifice is a pun on Microsoft's BackOffice server suite, which included a remote management product, SMS (Systems Management Server), with some similar features.
2. Reason for creating BO
BO and BO2K were written with a two-fold purpose: to extend the Windows operating system's remote administration capability, and to point out that Windows was not designed with security in mind. Cult of the Dead Cow members have said in interviews that it was created in the hope that Microsoft would build a more secure operating system, along the lines of Unix-based platforms. BO and BO2K were written in C++ and released as open source to encourage further development. Open source also lets anyone audit the code, which builds trust and promotes security, and the software is free.
3. Back Orifice Definition
Back Orifice is not a virus. It can, however, be considered a Trojan horse in the case where a user accepts a program and runs it without understanding what it is.
Back Orifice is a two-part program consisting of a client and a server. The server program is distributed purporting to be something else, e.g. PAMMY.EXE. People run it and nothing appears to happen, so they ignore it; the server also deletes its installer after running.
Trojan horses do not "infect" files as viruses do, since a virus's main function is to reproduce. Instead, "Remote Control Trojan Horse" (RCTH) programs open up your machine to other parties and give them near-total control over your system. Back Orifice is a remote administration system which allows a user to control a computer across a TCP/IP connection using a simple console or GUI (graphical user interface) application. The only feature that causes this utility to be classified as malicious Trojan software is its silent installation and execution: when the program runs, it installs itself into the system and then monitors it without any prompt or message, and it does not manifest its activity in any way.
BO2K can also be considered a "rootkit." A rootkit is a collection of tools (programs) that a hacker uses to mask an intrusion and obtain administrator-level access to a computer or network. The intruder installs a rootkit after first obtaining user-level access, either by exploiting a known vulnerability or by cracking a password. The rootkit then collects user IDs and passwords for other machines on the network, giving the hacker root or privileged access. Note that BO2K's concealment is user-mode (a hidden process and an autorun entry, not kernel modification), so "rootkit" applies here in the older, looser sense of the word.
BO2K can also be called a "back door" program. A back door is a program designed to hide itself on a target host so that the installing user can access the system at a later time without normal authorization or vulnerability exploitation.
The total package size of Back Orifice v1.2 is exactly 124,928 bytes (122K in the Explorer window); it can be much larger depending on the files that are attached to BO. The BO2K server without any plug-ins installed is about 100K, and the client about 500K. The client is larger because it includes a bulky MFC (Microsoft Foundation Class) GUI. The whole suite fits on a single 1.44MB floppy disk.
The BO2K software package includes the following executable files:
Server (BO2K.EXE). This is the server portion of the package and the heart of the BO2K system. It is a completely pluggable control module that runs as quietly as possible, using negligible system resources. This is the program that runs on the "victim's" computer.
Client. This is the client software used by the "administrator" of the program. The client is the user interface to the remote BO2K server. It can communicate with the server over whatever networking interfaces have been installed and are supported by the plug-in interface.
Configuration tool. The BO2K configuration tool changes the BO2K.EXE server settings. You open a server executable and the tool retrieves a list of configuration strings from various places inside it. When you save the server back to disk after making changes, the tool modifies the executable itself to keep the changes, so no external configuration file is required. This version also lets you take your plug-in DLLs and bind them into the BO2K executable dynamically.
Remote desktop plug-in. This is the first in a series of BO2K plug-ins. It creates a grey-scale video stream of the remote desktop and lets you control the mouse and keyboard remotely. At 160x120 over TCPIO, at 8 frames/sec with keyboard and mouse capture, it uses only about 3.3K/sec of bandwidth, which is reasonable even for 28.8K modem users. It is useful in the office, where a single keyboard and mouse hooked up to one computer can control various machines around you without a switchbox. It is all controlled by a user-definable hotkey. This plug-in is used on both client and server.
File browser and registry editor plug-in. This plug-in provides a graphical file browser and registry editor in the BO2K interface, making common tedious BO2K tasks point-and-click simple. The file browser allows directory traversal and viewing/modification of file properties. File upload/download is performed through an encrypted/authenticated channel, and the tool works through SSH tunnels as well with the proper transfer options set up. It encapsulates the following commands: upload, download, list directory, delete files, remove file/folder, move files/folders, copy files/folders, rename file/folder, change file/folder attributes. The registry editor lets you browse the registry, delete keys, add keys, and rename keys and values; it also lets you create values and modify their contents.
4. How it works
A.
BO2K can either be sent as a Trojan or be downloaded from a website. In most cases, if someone is trying to "victimize" your computer, the "cracker" (malicious hacker) will send you the file disguised as a helpful tool in order to fool you into loading the BO2K server onto your computer.
B.
BO2K uses either TCP or UDP depending on which is selected in the configuration utility. The format of a BO2K packet is: [Length (4 bytes)][Data that is 'Length' bytes long]. By looking for a series of packets that each contain a 4-byte length (in little-endian byte order) followed by exactly that many bytes of data, you can detect BO2K packets regardless of the encryption used, since the length prefix is sent in the clear. This format is used on both the TCP and UDP transports.
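The framing rule above is enough to write a first-pass detector. The following is an added example written for this page, not code from the Cult of the Dead Cow or from any IDS product: it applies only the stated rule (a 4-byte little-endian length followed by exactly that many bytes, repeated). The frame-size cap MAX_FRAME and the minimum frame count MIN_FRAMES are assumptions added to cut false positives, and the sample streams are constructed, not captured traffic.

```python
"""Heuristic for BO2K's [length][data] framing.

Added example for this page, not BO2K or vendor code. It applies the rule
from the text: 4-byte little-endian length, then that many bytes, repeated.
MAX_FRAME and MIN_FRAMES are assumptions; the samples are constructed.
"""
import struct
from typing import List, Optional

MAX_FRAME = 64 * 1024   # assumption: larger "lengths" are treated as noise
MIN_FRAMES = 2          # assumption: one lucky 4-byte match is not evidence


def split_frames(stream: bytes) -> Optional[List[bytes]]:
    """Tile the stream into frames; None if it does not parse cleanly to the end."""
    frames, i, n = [], 0, len(stream)
    while i < n:
        if n - i < 4:
            return None                      # dangling bytes that are not a header
        (length,) = struct.unpack_from("<I", stream, i)
        if length == 0 or length > MAX_FRAME or i + 4 + length > n:
            return None                      # impossible or truncated frame
        frames.append(stream[i + 4:i + 4 + length])
        i += 4 + length
    return frames


def looks_like_bo2k(stream: bytes) -> bool:
    """True when the whole stream is a run of at least MIN_FRAMES valid frames.
    Works regardless of the payload cipher, since the length is in the clear."""
    frames = split_frames(stream)
    return frames is not None and len(frames) >= MIN_FRAMES


def frame(payload: bytes) -> bytes:
    """Build one frame the way the text describes (used for the samples)."""
    return struct.pack("<I", len(payload)) + payload


# Constructed samples: opaque payloads standing in for encrypted commands.
SAMPLE_BO2K = frame(bytes(range(43))) + frame(b"\x9a" * 9) + frame(bytes(300))
SAMPLE_HTTP = b"GET / HTTP/1.0\r\nHost: example.test\r\n\r\n"
```

Two caveats a practitioner should keep in mind: on TCP the detector must run over the reassembled stream, not individual segments, because a frame can straddle segment boundaries; and length-prefixed framing is common in legitimate protocols, so a match is a lead to correlate with the port, the peer and host-side indicators rather than a verdict on its own.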
The Transmission Control Protocol (TCP) is the usual method of establishing an ongoing, reliable connection between machines. It is used for most ordinary web browsing and file transfer on the Net. TCP detects and retransmits lost or corrupted segments and reassembles sequenced segments into the original byte stream.
The User Datagram Protocol (UDP) is a very simple, connectionless protocol. While a TCP connection involves a handshake between machines, acknowledgment and verification of received data and so forth, UDP does not even check whether the other machine exists; it simply sends and receives datagrams without added steps. It is often described as a "best-effort" transport. UDP is used for applications that do not need protection against data loss.
C.
BO2K encrypts its traffic with 3DES (in the U.S. release) or XOR (in the international release, which was restricted by export controls). BO2K supports several networking options: it can use TCP or UDP as transports and can encrypt with a simple XOR algorithm or with the stronger 3DES. The XOR algorithm can be decrypted easily and requires no brute-forcing; the original release of Back Orifice 1.2 had a stronger algorithm that did. This means it is easy to detect BO2K activity on your network with an intrusion detection system, no matter which port it uses. The ISS X-Force was able to decrypt the XOR'd packets and report which commands were being executed. Although it is possible to detect BO2K traffic encrypted with 3DES, it would be very difficult to determine which commands are being used.
Everything from file transfers to command channels to streaming video can be encrypted, from the very basic 64-bit XOR cipher up to strong block ciphers supplied as plug-ins (the BO2K site advertised these as "512-bit AES"; AES itself is defined only with 128-, 192- and 256-bit keys, so treat that figure as marketing rather than a standard parameter). BO2K's default authentication module is NULLAUTH, which performs no separate authentication step: the encryption key (the server password) is the only secret protecting the command channel.
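The claim that the XOR mode "requires no brute-forcing" deserves a concrete illustration. The block below is an added example written for this page; it is a generic repeating-key XOR, not a reimplementation of BO2K's XOR module, whose exact details are not given here. Assumptions: an 8-byte (64-bit) key, matching the "64-bit XOR" figure above, a crib (known plaintext prefix) at least one key period long, and constructed messages and key.

```python
"""Known-plaintext recovery of a repeating-key XOR 'cipher'.

Added example for this page, not BO2K's code. Assumptions: 8-byte key,
a crib at least as long as the key, constructed key and messages.
"""
from itertools import cycle

KEY_LEN = 8


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Encrypt or decrypt (same operation) with a repeating key."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def recover_key(ciphertext: bytes, crib: bytes, key_len: int = KEY_LEN) -> bytes:
    """If the first key_len bytes of plaintext are known, the key falls out
    directly: key[i] = ciphertext[i] ^ plaintext[i]. No search is required."""
    if len(crib) < key_len:
        raise ValueError("crib must cover at least one full key period")
    return xor_bytes(ciphertext[:key_len], crib[:key_len])


def verify_key(ciphertext: bytes, crib: bytes, key: bytes) -> bool:
    """A crib longer than the key lets the guess be checked against the
    remaining known bytes, which rules out an accidental partial match."""
    return xor_bytes(ciphertext[:len(crib)], key) == crib


# Constructed traffic: every message in a session is under the same key.
SECRET_KEY = bytes.fromhex("1fa407993c55e02b")
MESSAGES = [
    b"PING HOST 192.168.55.20",
    b"PING HOST 10.0.0.7",
    b"LIST PASSWORDS",
]
CIPHERTEXTS = [xor_bytes(m, SECRET_KEY) for m in MESSAGES]


def decrypt_session(ciphertexts, crib=b"PING HOST "):
    """Recover the key from one message whose opening is known, then
    decrypt every other message of the session with it."""
    key = recover_key(ciphertexts[0], crib)
    if not verify_key(ciphertexts[0], crib, key):
        raise ValueError("crib did not fit; try another known plaintext")
    return [xor_bytes(c, key) for c in ciphertexts]
```

Eight XOR operations replace the 2^64 trials a brute-force search of a 64-bit key would need, and fixed command headers give an eavesdropper all the crib required. That is the structural weakness behind the X-Force result, and it is why a stream cipher with a reused key offers no confidentiality no matter how long the key is.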
D.
BO2K can use any port from 1 to 65535. The port is set in the configuration utility; the default is 31337.
Most servers listen on a predefined "port." This port is not a physical connection like your modem link but a "virtual port" identified by a number carried in the data packets that make up Internet communications. Each packet contains a source IP address and port and a destination IP address and port. The port is a 16-bit number, so in theory there are 2^16 or 65,536 possible ports. A number of ports, mostly below 1024, have been assigned standardized functions or protocols: mail servers "listen" on ports 25 and 110, HTTP (web) servers use port 80, and in general ports below 1024 are reserved for servers of various kinds.
Clients are dynamically assigned a free port number for outgoing requests. The combination of an IP address and a port number is called a socket, and the pair of sockets makes each client/server connection unique.
The connect string and binding string can be set in the BO2K configuration utility. A connect string describes how you want to connect to a remote machine. It specifies a remote address (usually an IP address, but not necessarily), followed by the network type, the encryption type and the authentication type. A typical connect string is: 192.168.55.20,TCPIO,XOR,NULLAUTH. A binding string describes how you want to set up a listening service on the server machine. It specifies a binding characteristic (usually an IP port or an IP address:port pair, but not necessarily), followed by network type, encryption type and authentication type. A typical binding string is: 15380,UDPIO,3DES,NULLAUTH.
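A parser for these two string formats makes their structure and edge cases explicit. The following is an added example written for this page, not BO2K's own parser. The field layout (address or port, then NET,ENC,AUTH) and the two sample strings come from the text above; the defaults used for blank fields (TCPIO, XOR, NULLAUTH) and the set of recognised module names are assumptions limited to the modules this page mentions.

```python
"""Parser for BO2K connect and binding strings.

Added example for this page, not BO2K code. Field layout and the two
sample strings are from the text; the defaults for blank fields and the
recognised module names are assumptions.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

DEFAULT_NET, DEFAULT_ENC, DEFAULT_AUTH = "TCPIO", "XOR", "NULLAUTH"  # assumption
KNOWN_NET = {"TCPIO", "UDPIO"}
KNOWN_ENC = {"XOR", "3DES"}
KNOWN_AUTH = {"NULLAUTH"}


@dataclass(frozen=True)
class Endpoint:
    address: Optional[str]  # None when a binding string gives only a port
    port: Optional[int]     # None when a connect string gives only an address
    net: str
    enc: str
    auth: str

    def is_weak(self) -> bool:
        """XOR plus NULLAUTH: whoever recovers the XOR key owns the channel."""
        return self.enc == "XOR" and self.auth == "NULLAUTH"


def _fields(text: str):
    """Split on commas and pad to four fields; blank fields mean 'default'."""
    parts = [p.strip() for p in text.split(",")]
    if len(parts) > 4:
        raise ValueError("at most four comma-separated fields")
    return parts + [""] * (4 - len(parts))


def _module(value: str, default: str, known: set, kind: str) -> str:
    value = value.upper() or default
    if value not in known:
        raise ValueError(f"unknown {kind} module {value!r}")
    return value


def _port(text: str) -> int:
    if not text.isdigit() or not 1 <= int(text) <= 65535:
        raise ValueError(f"port must be 1..65535, got {text!r}")
    return int(text)


def _host_port(text: str) -> Tuple[str, Optional[int]]:
    """'host' -> (host, None); 'host:port' -> (host, port)."""
    host, sep, port = text.rpartition(":")
    if not sep:
        return text, None
    if not host:
        raise ValueError("empty host before ':'")
    return host, _port(port)


def _modules(net: str, enc: str, auth: str):
    return (_module(net, DEFAULT_NET, KNOWN_NET, "network"),
            _module(enc, DEFAULT_ENC, KNOWN_ENC, "encryption"),
            _module(auth, DEFAULT_AUTH, KNOWN_AUTH, "authentication"))


def parse_connect_string(text: str) -> Endpoint:
    """'192.168.55.20,TCPIO,XOR,NULLAUTH' -> Endpoint; the address is mandatory."""
    addr, net, enc, auth = _fields(text)
    if not addr:
        raise ValueError("connect string needs a remote address")
    host, port = _host_port(addr)
    return Endpoint(host, port, *_modules(net, enc, auth))


def parse_bind_string(text: str) -> Endpoint:
    """'15380,UDPIO,3DES,NULLAUTH' or '0.0.0.0:31337' -> Endpoint; a port is mandatory."""
    bind, net, enc, auth = _fields(text)
    if not bind:
        raise ValueError("binding string needs a port or address:port")
    if bind.isdigit():
        host, port = None, _port(bind)
    else:
        host, port = _host_port(bind)
        if port is None:
            raise ValueError("binding string needs a port")
    return Endpoint(host, port, *_modules(net, enc, auth))
```

The is_weak check is the practical point: a server bound with XOR and NULLAUTH is protected by nothing but a 64-bit XOR key, which section C shows is recoverable from known plaintext, so any such binding found in a configured server should be treated as effectively unauthenticated.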
E.
BO2K copies itself to the \WINDOWS\SYSTEM directory on Win9x or to the \WINNT\SYSTEM32 directory on WinNT. The original BO leaves a file called windll.dll in the system directory; this DLL hooks the keyboard and logs all keystrokes. Droppers are available that let anyone package BO inside another program, infecting the target when that program is run. The most powerful of these droppers, SilkRope 2.x, even encrypts BO so that it will not be found by a simple file scan.
F.
After being copied to that directory under a filename of the client's choice (the default name is UMGR32), the original EXE file is usually deleted to cover tracks. This behaviour is also chosen by the client in the configuration utility.
G.
Then BO2K modifies the registry. The server installs its autorun entry in one of the following registry keys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
H.
After that BO2K is active in memory each time Windows starts and provides access to the infected system for anyone who has the client and the correct password.
If Back Orifice has placed a remote thread into a process that is suspended or terminated, it leaps to another process and installs a new thread there to keep running. The messy way it sometimes grabs and releases threads can cause a program to fail to terminate, leaving the stopped program hanging in limbo, partially removed, or can cause a new process that has not fully initialized to hang; both are odd behaviours under Windows NT.
I.
BO2K uses a clever trick on NT: it constantly changes its PID (process ID) and creates an additional process of itself that keeps the back door alive even if one of the processes is killed.
J.
In addition, the server appends a random (but large) number of spaces and 'e' characters to the end of its filename, so the server file cannot be deleted from Windows (an invalid or long name error occurs), although disk checking utilities find no problem with the filename. The server file can only be deleted from DOS or a DOS session.
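Steps E, F, G and J together describe the host-side footprint, which can be turned into a simple autorun check. The block below is an added example written for this page, not BO2K code or any vendor's scanner. It inspects the three autorun keys from step G for commands that run from the system directory (step E), use the default server name UMGR32 (step F), or carry a padded filename (step J). The sample entries are constructed; read_live_autoruns is an optional collector using Python's standard winreg module and assumes it runs on Windows. Since the name and location are trivially changed in the configuration tool, every hit is a lead to investigate rather than proof.

```python
"""Flagging autorun entries that match the BO2K installation described above.

Added example for this page, not BO2K or vendor code. Checks steps E, F,
G and J against constructed sample entries; read_live_autoruns assumes
Windows and the standard winreg module.
"""
import re
from dataclasses import dataclass
from typing import List

AUTORUN_KEYS = {  # step G, compared case-insensitively
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_current_user\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\runservices",
}
SYSTEM_DIRS = ("c:\\windows\\system\\", "c:\\winnt\\system32\\")  # step E
DEFAULT_SERVER_NAME = "umgr32"                                   # step F
PADDED = re.compile(r"\.exe[ e]+$", re.IGNORECASE)               # step J


@dataclass
class AutorunEntry:
    key: str      # registry key path
    name: str     # value name
    command: str  # value data: the command line run at boot or logon


def split_command(command: str):
    """Return (executable path, remaining arguments) from a Run-key command line."""
    command = command.strip()
    if command.startswith('"'):                      # quoted path, may contain spaces
        end = command.find('"', 1)
        if end == -1:
            return command[1:], ""
        return command[1:end], command[end + 1:]
    m = re.match(r"(.*?\.exe)(.*)", command, re.IGNORECASE | re.DOTALL)
    if m:                                            # unquoted: stop at the first .exe
        return m.group(1), m.group(2)
    head, _, rest = command.partition(" ")
    return head, rest


def indicators(entry: AutorunEntry) -> List[str]:
    """Return the BO2K-style indicators an autorun entry matches."""
    found = []
    if entry.key.lower() not in AUTORUN_KEYS:
        return found
    path, _args = split_command(entry.command)
    low = path.lower()
    if low.startswith(SYSTEM_DIRS):
        found.append("autorun from system directory")
    if low.rsplit("\\", 1)[-1].startswith(DEFAULT_SERVER_NAME):
        found.append("default BO2K server name")
    if PADDED.search(path) or path != path.rstrip():
        found.append("padded filename")
    return found


def scan(entries) -> dict:
    """Map each entry's value name to its indicators, keeping only hits."""
    result = {}
    for e in entries:
        hits = indicators(e)
        if hits:
            result[e.name] = hits
    return result


def read_live_autoruns() -> List[AutorunEntry]:
    """Windows only: read the three keys with winreg; elsewhere returns []."""
    try:
        import winreg
    except ImportError:
        return []
    roots = {"hkey_local_machine": winreg.HKEY_LOCAL_MACHINE,
             "hkey_current_user": winreg.HKEY_CURRENT_USER}
    entries = []
    for key in AUTORUN_KEYS:
        root, _, sub = key.partition("\\")
        try:
            with winreg.OpenKey(roots[root], sub) as h:
                i = 0
                while True:                          # EnumValue raises OSError at the end
                    name, data, _kind = winreg.EnumValue(h, i)
                    entries.append(AutorunEntry(key, name, str(data)))
                    i += 1
        except OSError:
            continue
    return entries


SAMPLE_ENTRIES = [  # constructed, not taken from a real system
    AutorunEntry(r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices",
                 "Remote Admin", r"C:\WINNT\SYSTEM32\UMGR32.EXE"),
    AutorunEntry(r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
                 "Updater", r'"C:\WINNT\SYSTEM32\svchost.exe      eeee"'),
    AutorunEntry(r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
                 "Office Startup", r"C:\Program Files\Office\osa.exe -b -l"),
    AutorunEntry(r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command",
                 "", r"C:\WINNT\SYSTEM32\UMGR32.EXE"),
]
```

Running scan(read_live_autoruns()) on a Windows host applies the same checks to the real keys. Plenty of legitimate software also starts from the system directory, so the single strongest signal here is the padded filename, which no ordinary installer produces.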
5. Server Commands
Reboot Machine
Reboots the server machine. Asks no questions. This will kill your connection to the server.
Lock-up Machine
Makes the server machine completely unresponsive. The mouse
will not move, and the keyboard will not work. Grinding halt. Also makes the
BO2K server unresponsive and will kill your connection to the server after the
protocol times out.
List Passwords
Under Windows 95/98 this lists the passwords that are stored
in the Internet Explorer password cache. If you've ever checked the 'Remember
My Password' box, your password will be available here. Under Windows NT, it
performs a PWDump-like password hash dump, suitable for import into L0phtCrack.
Get System Info
Returns information about the system, including machine name
and the capacity of the storage devices attached to it.
Log Keystrokes
Captures the keystrokes that the user of the server machine
types at the keyboard to a disk file. Also tells you what windows they typed
the keystrokes into, so you can understand what they were doing. Parameters:
Disk File (Required) - The full pathname of the file to put
the keystroke logs into.
End Keystroke Log
Stops logging keystrokes.
System Message Box
Puts up a dialog box on the server screen. The dialog box
appears on top of everything else and makes a beep sound. Parameters:
Title (required) - The text to put in the title of the
message box.
Text (required) - The body of the message that is in the message box.
Map Port -> Other IP
Binds to a TCP port and redirects all traffic to that port
over to a different IP address. You can use this command to 'bounce' TCP
connections off of the BO2K server. Parameters:
Server Port (required) - The TCP port number that is to be
redirected.
Target IP Address:Port (required) - The destination of the port redirection.
Map Port -> Console App
Binds to a TCP port and redirects the standard input and
output from a console application to the port. This can be used to simulate a
'remote shell'. Parameters:
Port (required) - The TCP port number on the server to put
the console on.
Full command line (required) - The full command line of the program that you
wish to execute.
Map Port -> HTTP Fileserver
Serves HTTP requests over A TCP port. The HTTP server allows
you to browse the filesystem of the server machine and the local network
neighborhood. The HTTP server can be 'rooted' at a particular directory in
order to restrict which files people can download and browse through.
Parameters:
Port (required) - The port number to put the HTTP server on.
Root Path (optional) - The optional root directory of the browsable filesystem.
Map Port -> TCP File Receive
Receives a file that is sent to the chosen port via a raw send (such as with Netcat) and dumps it directly to a file. Useful as a quick-and-dirty, unencrypted file transfer method. Parameters:
Port (required) - The port number to receive the file on.
Pathname (required) - The pathname to receive the file to.
List Mapped Ports
Returns a list of which ports on the server machine are
mapped to which services.
Remove Mapped Port
Removes a mapped port, stopping whatever service it was
providing. Use this to turn off a console app spawn, the HTTP fileserver, TCP
File Receive, etc. Parameters:
Port (required) - the port that the service you wish to stop
was spawned on.
TCP File Send
Sends a file directly from the server to a target machine via TCP. Suitable for sending a file to another server running the "TCP File Receive" port service. Parameters:
Source Port (optional) - The desired source port on the
server from which to send the file data. If you do not choose a source port,
one will be selected at random.
Target Address:Port (required) - The target machine's TCP receive service
address.
Pathname (required) - The name of the file on the server to send to the remote
machine.
Add Share
Shares a machine resource on the server. Right now limited
to drives/paths. Parameters:
Pathname (required) - The pathname that you want to share to
the world.
Share Name (required) - The name that you wish the share to be known as.
Remove Share
Unshares a machine resource on the server. Parameters:
Share Name (required) - The name of the share that you wish
to remove.
List Shares
Lists which shares on the system are available and which
paths/resources they map to. Also shows hidden shares.
List Shares on LAN
Enumerates the shares on the server's local network. Like
network neighborhood.
Map Shared Device
Maps a share on a remote machine to a local drive letter, much like 'mounting' a remote share. Parameters:
Local Name (required) - The local name of the shared device
(Drive letter).
Remote Share Path (required) - The UNC Pathname to the remote share
Username:Password (optional) - The username/password pair used to share this
device if the machine is in "share password" mode.
Unmap Shared Device
Unmaps a share on a remote machine from a local drive
letter. Much like 'unmounting' a remote share. Parameters:
Local Name (required) - The local name of the shared device.
List Connections
Lists which machines are connected to the server, using
shared resources.
List Processes
Shows the process list for the server machine, with process
names and process identifiers. Optionally on Windows NT, you can specify the
name of an alternate Windows NT machine to dump the process table of remotely.
Parameters:
Remote machine (optional) - The machine name of the Windows
NT machine to retrieve the process table of.
Kill Process
Abruptly terminates a running process on the server machine
given its process ID. A list of process IDs is returned by the previous 'List
Processes' command. Parameters:
Process ID (required) - The process ID of the process you
wish to terminate.
Start Process
Starts a process by running an executable file on the
server. Parameters:
Pathname and arguments (required) - The command line of the
program to execute.
Create Key
Creates a registry key. Does not set a default value to the
key. Parameters:
Full Key Path (required) - The full path from the base of
the registry to the key. The HKEY abbreviations are supported in the key path,
for example: "HKLM\Software\Microsoft\Windows" is a valid key, where
HKLM is an abbreviation for HKEY_LOCAL_MACHINE. Valid abbreviations are:
HKCR,HKU,HKLM,HKCU, and HKDD.
Set Value
Creates and/or sets the value of a registry key. Parameters:
Full Key Path (required) - The full path from the base of
the registry to the key. Type:(Value
Name):Value Data (required) - This string is comprised of three sub-parameters:
Type can be one of Binary,DWORD,String,MultiString, or ExpandString data
types. Value Name is the name of the value, and Value Data is the
type-specific data to be stored in the key.
Delete Key
Deletes a key from the registry. Deletes all values and keys
underneath the target key as well. Parameters:
Full Key Path (required) - The full path from the base of
the registry to the key. See above for description.
Delete Value
Deletes a value from a registry key. Parameters:
Full Key Path (required) - The full path from the base of
the registry to the key. See above for description.
Value Name (required) - The name of the value within the key to delete.
Enumerate Keys
Lists the single-level subkeys of a particular registry key.
Parameters:
Root Key Path (required) - The full path from the base of
the registry to the key you wish to enumerate subkeys of. See above for
description.
Enumerate Values
Lists the values of a particular registry key. Parameters:
Full Key Path (required) - The full path from the base of
the registry to the key you wish to enumerate values of. See above for
description.
Capture Video Still
Captures a still image bitmap from a video capture device, such as a QuickCam or an external camera, and saves it to a disk file. Parameters:
Device # (required) - The number corresponding to the video
capture device to capture from. A list of capture devices can be retrieved with
the 'List Capture Devices' command below.
Filename (required) - The full pathname of the BMP file to capture the video
image to.
Width, Height, BPP (optional) - The width and height of the image to capture,
along with the bitmap bit depth. Defaults are 640x480x16bpp.
Capture AVI
Captures a motion video from a video capture device and
saves it to the local drive (uncompressed). Parameters:
Device # (required) - The number corresponding to the video
capture device to capture from. A list of capture devices can be retrieved with
the 'List Capture Devices' command below.
Filename (required) - The full pathname of the AVI file to capture the video
sequence to.
Seconds (optional) - The number of seconds to record to the AVI file. Default
is 5 seconds.
Width, Height, BPP (optional) - The resolution of the video stream to capture,
and the bit depth, Defaults to 160x120x16bpp.
Play WAV File
Plays a WAV audio file through the system default mixer. Parameters:
Filename (required) - The full pathname of the .WAV audio file to play.
Play WAV File In Loop
Plays a WAV file over and over again. The user will not be able to stop the sound; to stop it, use the 'Stop WAV File' command below. Parameters:
Filename (required) - The full pathname of the .WAV audio file to play.
Stop WAV File
Stops whatever audio file is being played through the
default mixer.
List Capture Devices
Lists the video capture devices in the system, giving each
an index number to refer to them by.
Capture Screen
Captures the desktop screen to a disk file. Like pressing
printscreen, pasting into a paint program, and saving to disk. Parameters:
Filename (required) - The full path name of the file to save
the screen image to.
List Directory
Displays a directory listing of files, their dates and times
of creation, and their sizes. Also shows attributes. Parameters:
Pathname (required) - The full pathname from the filesystem
root to the desired directory.
Find File
Given a directory and a wildcard file specification,
recursively hunts down all files beneath or at the specified directory matching
the filespec criteria. Parameters:
Root path (required) - The full pathname from the filesystem
root to start searching at.
Filename Spec (required) - The filename wildcard specification to match.
Accepts standard '*' and '?' wildcards.
Delete File
Deletes a file via its full pathname. Parameters:
Pathname (required) - The full pathname from the filesystem
root to the file to delete.
View File
Views the contents of a text file through the command
response window. Useful for browsing small text files. Parameters:
Pathname (required) - The full pathname from the filesystem
root to the file to view.
Move/Rename File
Moves a file from one pathname to another. Renames a file if
the paths point to the same directory. Can be used to move a file across
filesystems and networked machines. Parameters:
Pathname (required) - The full pathname from the filesystem
root to the source file to move.
New Pathname (required) - The full pathname from the filesystem root to the
destination file.
Copy File
Copies a file from one pathname to another. Can be used to
copy a file across filesystems and networked machines. Parameters:
Pathname (required) - The full pathname from the filesystem
root to the source file to copy.
New Pathname (required) - The full pathname from the filesystem root to the
destination file.
Make Directory
Creates a directory. Will only create one directory at a
time. Parameters:
Pathname (required) - The full directory name, ending in the
directory to create.
Remove Directory
Removes a directory. Will only remove one directory at a time and will not remove files within the directory. Parameters:
Pathname (required) - The full directory name, ending in the directory to remove.
Receive File
Creates an encrypted/authenticated socket and receives a file over it. Uses a proprietary transfer protocol, but it's simple and it's not FTP (phew!). Parameters:
BINDSTR,NET,ENC,AUTH (opt) - The ubiquitous BO2K binding
string specification. Specifies which port, network protocol, encryption type,
and authentication type. Any field can be left blank to use the defaults.
Pathname (required) - The full pathname to the file that will be received.
Send File
Creates an encrypted/authenticated socket and sends a file over it. Uses a proprietary transfer protocol, but it's simple and it's not FTP (phew!). Parameters:
Address(required)[,NET,ENC,AUTH] (opt) - The ubiquitous BO2K
connect string specification. Specifies which address to connect to, also
specifies network protocol, encryption type, and authentication type. Any field
except address can be left blank to use the defaults.
Pathname (required) - The full pathname to the file to send.
List Transfers
Lists which transfers are active to which files over which
ports. Lists transfers started with receive, send, or emit file commands.
Cancel Transfer
Cancels a file transfer either in progress, or one that has
not yet started. Cancels transfers started with receive, send, or emit file
commands. Parameters:
Pathname (required) - The full pathname to the file
associated with the transfer to cancel.
Freeze File
Compresses a single file. Parameters:
Pathname (required) - The source pathname from the
filesystem root to the file to compress.
Output Pathname (required) - The output pathname from the filesystem root to
the file to write the compressed output to.
Melt File
Uncompresses a single file that has been compressed with
"Freeze File". Parameters:
Pathname (required) - The source pathname from the
filesystem root to the file to uncompress.
Output Pathname (required) - The output pathname from the filesystem root to
the file to write the decompressed output to.
Resolve Hostname
Resolves a host name to a network address using a DNS query.
Parameters:
Hostname (required) - The hostname string to resolve.
Resolve Address
Resolves a network address to a hostname using a DNS inverse
query. Parameters:
Address (required) - The network address to reverse-resolve.
Shutdown Server
Shuts the BO2K Server down completely. The server will lose
all connections and will be unresponsive. Parameters:
DELETE option (optional) - If you fill this field in with
the phrase 'DELETE', it will fully uninstall the BO2K server such that it
doesn't run any more upon boot-up or login. Does not remove the actual
installed file, however. It just won't run on startup.
Restart Server
Shuts down and restarts the BO2K Server. Useful if you have
made any configuration changes or if the BO2K server has been corrupted or is
behaving strangely due to poorly written plugins or whatnot. The server will
lose all connections but will remain responsive once it comes back up.
Parameters:
Host process name (optional) - If you are running under
Windows NT, and not as a service, you can choose to hop the BO2K server
around between different processes' address space. This is of limited
usefulness, but it does make you feel like the 'ghost in the machine'.
Load Plugin
Dynamically loads an external BO2K plugin DLL. Runs all of
the plugin initialization code and registers new commands with the server.
Parameters:
Plugin filename (required) - The full pathname from the root
of the filesystem to the plugin DLL you wish to load.
Debug Plugin
Dynamically loads an external BO2K plugin DLL using a more
debugger-friendly loading method. This method requires that the DLL is a
standard Windows DLL, but allows for debugger interaction with the plugin. For
developers only. Parameters:
Plugin filename (required) - The full pathname from the root
of the filesystem to the plugin DLL you wish to load.
List Plugins
Gives a list of which BO2K plugins are currently loaded.
Remove Plugin
Unloads a plugin via its plugin number. Plugin number is
determined from the output of the "List Plugins" command. Parameters:
Plugin number (required) - The plugin number to unload as
returned by the List plugins command.
Start Command Socket
Starts up a BO2K command socket that a client can connect
to, authenticate with, and send encrypted commands to. Parameters:
[NETMOD][,ENC][,AUTH] (optional) - the network module,
encryption, and authentication settings for the command socket. If any of these
are left blank, defaults are used.
[Bind Str] (optional) - The binding string for the command socket. This is
optional, but is usually filled in. If it's not, then the default binding
string is used.
List Command Sockets
Lists the command sockets that the BO2K server has made
available. Lists socket information along with the internal 'command socket #'.
Stop Command Socket
Shuts down a BO2K command socket. This can also be used to shut down every socket, which is probably not a good idea. Parameters:
Command Socket # (required) - The number of the command
socket to shut down, as returned by the 'List Command Sockets' command.
6. Public Use
BO2K can be used as a legitimate remote administration tool. It enables administration of many Windows boxes through encrypted channels: you can perform common tasks on many machines without walking over to each one, and control a Windows machine many miles away with the kind of flexibility that UNIX users have enjoyed for decades, without a Virtual Private Network (VPN) setup.
BO2K can inevitably be used as a cracking tool as well. It is difficult to gauge the magnitude of the problem, because Back Orifice servers can only be detected if they are not set up with a password. The project statistics from the BO2K website show 1,763,293 downloads:

  Page Views   D/l         Bugs        Support    Patches   All Trkr    Tasks     CVS
  2,124,981    1,763,293   150 (261)   56 (87)    5 (3)     230 (359)   10 (12)   407

BO2K is only as dangerous as the person operating the client and the victim on the server side. For example, if BO2K were loaded on your computer and no commands were sent by the client, nothing would happen. However, if the client has malicious intentions, the damage is limitless. BO2K is a very powerful tool, and it can be used either responsibly or irresponsibly.
7. Similar Programs
Because
Back Orifice is open sourced, anyone and copy and modify the program as they
please. Many have done so and a few of
the modified versions of BO are: Attack
FTP Installer ; BackDoor ; DeepBO ; Executor ; FTP Trojan ; FTP99 ; Happy99 ;
NetMonitor ; SubSeven etc.
Bomaze is able to simulate the Back Orifice server part. That means if
someone comes along searching your computer for an installed Back Orifice
server, he/she will be presented something like a Back Orifice server - a
program that looks like a Back Orifice server - from the outside. Unlike the
original Back Orifice server, Bomaze does not execute the commands from the
client but shows them to you. Furthermore, Bomaze gives you the possibility to
send messages back to the client.
BOSniffer sends an encrypted BO packet to the client, but NOT the one
the client wants. I.e.: you send a PING_HOST with BOGUI. The packet sent out says
something like "Ping host, wait for PONG reply". Therefore it is only
waiting for a PONG reply and no other. So BOSniffer sends a packet back that is
NOT PONG, and the client says to itself "hey, I got a response, but it's not
PONG... better hunt for PONG, maybe I missed it!" so it searches like
crazy. Hence the "**( missing packet 12314 )**" scroll. BOGUI works
itself to death.
8. Detection Programs
BoDetect is
a tool you can use to rid yourself of Back Orifice and ensure it doesn't come
back. BoDetect will do the following: Detect all instances of Back Orifice
currently running on your system; Kill those processes instantly and without
the need to reboot; Remove the Back Orifice entries from your registry; Monitor
your system to prevent further Back Orifice infection; Rename the actual Back
Orifice executable to a safe name and store it safely.
With BOClean, any (covered) trojan horse will be automatically detected
and deleted within 10 seconds of its execution (using the standard manufacturer's
configuration). This is well within the time it takes to find your system and
access it, so no information is ever likely to leave your system without your
knowing, and with no effort on your part (well, OK, a mouseclick).
BOshield is a small
efficient scanner that operates like the anti-virus scanner VShield. It detects
and removes Back Orifice servers once they are started. It uses little memory
and consumes insignificant processing time. It can remove the original Back
Orifice 1.20 server, BO server configured by the server configuration program
supplied with the Back Orifice suite and other modified BO servers such as the
Trojan BOsniffer.
Backwork cleans the
computer of Trojan Horses. It protects the computer every time it is started,
when the user logs in and while working on the computer (the program is
resident in memory). The program checks the registry and when it thinks a
Trojan was installed, it warns the user and if wanted removes the installed
Trojan from the system. It is also possible to scan the hard disks.
Jammer is a tool that
protects you against NetBus and Back Orifice. It is a low-level network sniffer
that captures all incoming and outgoing network traffic. All services, ports
and any protocols are under Jammer's attentive monitoring.
Jammer is a
real-time packet analyzer. It decrypts all network traffic and finds NetBus or
Back Orifice trying to log on your computer.
Jammer also allows you to see what ports are active and who is connected
to your computer. Jammer also includes a registry monitor. If a trojan tries to
modify the registry Jammer will notify you about it and allow you to block it.
Microsoft packages MSInfo32 with its Office suite. MSInfo has the ability to view all running applications. Comparing the Running Apps to files found using File Find, or those listed in the appropriate Registry key(s), is a very effective way to search for a BO. In particular, because MSInfo displays the full path, a BO that's been located somewhere obscure may be easily unveiled. Burying BO in a sub-sub-directory of drive E: may seem clever, but that makes it stand out prominently in the MSInfo listing. Practically everything else will be on C: and/or will be easily recognized as a valid program.
The DOS Netstat utility shows the status of your TCP connections.
It's a bit cryptic and technical but it sees all. Netstat can provide key evidence of BO's presence.
Netstat can
also serve as a very quick test for suspicious activity. If Netstat shows activity on port 31337, you
almost certainly have an Orifice. But its port can be configured to any valid number from 0 to
65535. Back Orifice can even utilize
ports normally reserved for NetBIOS networking functions, such as 137 (nbname),
138 (nbdatagram) and 139 (nbsession).
As BO is revised and adapted, as it inevitably will be, Netstat should remain among the most foolproof ways to spot its activity. BO — or any similar application — absolutely must use a TCP port to function, and Netstat will always reveal what ports are in use. Also, Netstat sometimes reveals the address of the remote machine that's connected to your open port. With some trojans, this may lead you directly to your intruder, but unfortunately Netstat doesn't show the remote IP on the "connectionless" UDP protocol used by BO.
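The Netstat check described above, as an added example that is not part of the original paper: a Python triage script that parses a constructed "netstat -an" listing, flags the default port 31337, reports the remote peer only for TCP rows (UDP rows show no peer, as noted), and, because BO's port is configurable, also flags any listener missing from a constructed known-good baseline for the machine.

```python
import re

# Constructed sample of Windows "netstat -an" output; not captured from a real host.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:139            0.0.0.0:0              LISTENING
  TCP    192.168.1.5:31337      10.0.0.7:1044          ESTABLISHED
  UDP    0.0.0.0:137            *:*
  UDP    0.0.0.0:31337          *:*
  UDP    0.0.0.0:54320          *:*
"""

BO_DEFAULT_PORT = 31337  # the "almost certainly an Orifice" port from the text

# Constructed baseline of listeners expected on this particular box. Because BO's
# port can be set to anything from 0 to 65535, comparing against a baseline catches
# a reconfigured server that a fixed port check would miss.
BASELINE = {("TCP", 135), ("TCP", 139), ("UDP", 137), ("UDP", 138)}

LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$")


def parse_netstat(text):
    """Turn netstat -an lines into dicts; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, local, port, foreign, state = m.groups()
        rows.append({"proto": proto, "local": local, "port": int(port),
                     "foreign": foreign, "state": state})
    return rows


def triage(rows, baseline=BASELINE):
    """Return (port, reason, peer) findings in the order the rows appear."""
    findings = []
    for r in rows:
        # A remote address is only visible for an established TCP connection;
        # UDP rows show "*:*", so the peer stays unknown there.
        peer = r["foreign"] if r["proto"] == "TCP" and r["state"] == "ESTABLISHED" else None
        if r["port"] == BO_DEFAULT_PORT:
            findings.append((r["port"], "default BO2K port", peer))
        elif (r["proto"], r["port"]) not in baseline:
            findings.append((r["port"], "not in baseline", peer))
    return findings


def run_sample():
    """Triage the constructed sample listing."""
    return triage(parse_netstat(SAMPLE_NETSTAT))
```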
9. Safeguards
It is very difficult to detect Back Orifice running on a machine
because it is so highly configurable. At the same time, backdoors are
multi-dimensional, and several detection methods are available to achieve maximum
protection and awareness of the installation of BO2K on a machine or series of
machines on a network. By default, BO2K will install itself in a Windows system
directory as the file UMGR32.EXE. If Windows NT is running, it will install a
service listed as "Remote Administration Service". This is the
default name, and it can be changed.
Educating users about this is one step towards a secure computer.
Some
steps that a user may take are as follows:
Many of the companies that produce anti-virus programs also deal in the
network administration tool arena. The applications these companies produce are
similar in functionality to BO2K, with the difference being that cDc offers their
program free of charge. The companies see this factor as having the potential
to seriously undermine their profit margins. So they use a commonplace tool, the
anti-virus scanner, to remove this program as a threat, knowing full well that
millions of computer systems in this country run anti-virus programs, including
the networks this tool could be used on. They use this to their advantage by
having it detect and label BO2K as a virus.
CDC has produced a program that is to be used in a
legitimate business environment by a network administrator to aid in the
administration of the computers they manage. They want you to know exactly how
legitimate Back Orifice really is, but these companies are trying to prevent this freely
available tool from being released by using one of their own product line
applications to suppress BO2K so that another of their products can flourish.
Both Symantec's and Microsoft's products stand to lose a good percentage of
market share if BO2K were allowed to be released free to the public and become
a commonly used tool. All of these programs, not just BO2K, can be detrimental
to any computer system if used in the wrong hands. BO2K must be given a chance
to prove itself a legitimate tool and be taken off the virus definition lists.
11. Conclusion
BO2K is a very dynamic remote
administration tool that can be used harmfully as well as productively in a
business environment. Thousands of
people have used and are using this product today. How these people are using this product is hard to tell. Education about the features and threats of
this program is essential. People’s
ignorance and misled opinions through media can prove to be very
expensive. Who would have thought that
you could get a powerful computer program worth anywhere from $100-$300 for
free and without breaking the law! If
you are planning to download this program, I hope that you can make the right
decision in how you plan on using it.