Back Orifice 2000
Back Orifice is a free remote administration tool for Microsoft Windows.
It's also one of the coolest hacking tools ever developed. Originally
released last July, Back Orifice 2000 (BO2K) is the current release of the
software. It works on Windows 95, Windows 98, and Windows NT. It is much
better written than the original Back Orifice. And it's free, and open source.
There are two parts: a client and a server. The server is installed on the
target machine. The client, residing on another machine anywhere on the
Internet, can now take control of the server.
This is actually a legitimate requirement. Perfectly respectable programs,
like pcAnywhere or Microsoft's own Systems Management Server (SMS), do the
same thing. They allow a network administrator to remotely troubleshoot a
computer. They allow a remote tech support person to diagnose problems.
They are mandatory in many corporate computing environments.
Remote administration tools also have a dark side. If the server is
installed on a computer without the knowledge or consent of its owner, the
client can effectively "own" the victim's PC.
Back Orifice's difference is primarily marketing spin. Since it is not
distributed by a respectable company, it cannot be trusted. Since it was
written by hackers, it is evil. Since its malicious uses are talked about
more, its benevolent uses are ignored. That's wrong; pcAnywhere is just as
much an evil hacking tool as Back Orifice.
Well, not exactly. Back Orifice was designed by a bunch of hackers with
fun in mind. Not only can the client perform normal administration
functions on the server's computer -- upload and download files, delete
files, run programs, change configurations, take control of the keyboard
and mouse, see whatever is on the server's screen -- but it can also do
more subversive things: reboot the computer, display arbitrary dialog
boxes, turn the microphone or camera on and off, capture keystrokes (and
passwords). And there is an extensible plug-in language for others to
write modules. (I'm waiting for someone to write a module that
automatically sniffs for, and records, PGP private keys.)
Back Orifice is also designed to hide itself from the server's owner.
Unless the server's owner is knowledgeable (and suspicious), he will never
know that Back Orifice is running on his computer. (Other remote
administration tools, even SMS, also have stealth modes; Back Orifice is
just better at it.) Anti-virus software has been updated to detect default
Back Orifice configurations, but that will only solve most of the problem.
Because Back Orifice is configurable, because it can be downloaded in
source form and then recompiled to look different... I doubt that all
variants will ever be discovered.
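To make the detection point above concrete, here is an added Python example (not code from the essay or from the BO2K project). It models a server image as a fixed code section followed by an embedded configuration block; every marker, port and byte layout in it is constructed for illustration and is not the tool's real layout or a real indicator. It shows why an anti-virus update for "default configurations" (in effect, a hash of the known build) stops matching as soon as the configuration changes, why a pattern taken from the code section survives reconfiguration, and why a build recompiled from edited source evades both layers.

```python
import hashlib
import re

# Hypothetical fixed "code section" of a server build. Constructed for this
# example; it is not BO2K's real code and not a real detection indicator.
CODE_SECTION = b"\x4d\x5aREMOTE-ADMIN-CORE-v1\x00"

# Constructed default configuration value; not the real tool's default port.
DEFAULT_PORT = 5000


def build_server(port: int, code: bytes = CODE_SECTION) -> bytes:
    """Assemble a hypothetical server image: code section followed by an
    embedded configuration block. Reconfiguring changes only the tail;
    recompiling from edited source changes the code section too."""
    config = b"CFG port=%d;stealth=1\x00" % port
    return code + config


# "Signature database" 1: whole-file hashes of the known default build.
# This is what an anti-virus update for default configurations amounts to.
HASH_SIGNATURES = {hashlib.sha256(build_server(DEFAULT_PORT)).hexdigest()}

# "Signature database" 2: a byte pattern drawn from the code section, which
# is unaffected by configuration changes but defeated by source edits.
CODE_PATTERNS = [re.compile(rb"REMOTE-ADMIN-CORE-v\d")]


def matches_hash(blob: bytes) -> bool:
    """Exact-build detection: true only for a byte-identical known build."""
    return hashlib.sha256(blob).hexdigest() in HASH_SIGNATURES


def matches_pattern(blob: bytes) -> bool:
    """Code-pattern detection: true if any known code pattern is present."""
    return any(p.search(blob) for p in CODE_PATTERNS)


def scan(blob: bytes) -> dict:
    """Return the verdict of each detection layer for one server image."""
    return {"hash": matches_hash(blob), "pattern": matches_pattern(blob)}


def demo() -> dict:
    """Scan three constructed variants: the default build, a reconfigured
    build (same code, different port) and a recompiled build (edited code)."""
    variants = {
        "default build": build_server(DEFAULT_PORT),
        "reconfigured": build_server(6001),
        "recompiled": build_server(6001, code=b"\x4d\x5aRAC-custom\x00"),
    }
    return {name: scan(image) for name, image in variants.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:15s} hash={verdict['hash']!s:5s} pattern={verdict['pattern']}")
```

Running it prints three verdicts: the default build trips both layers, the reconfigured build trips only the code pattern, and the recompiled build trips neither. The defender's lesson is the one the essay draws: a signature of the default build buys little against a configurable, open-source tool, so host hardening and attention to behaviour (an unexpected listening service, an unexpected autostart entry) matter more than any particular byte string.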
Okay, so who's to blame here? The Cult of the Dead Cow wrote and released
Back Orifice. Surely the world is not a safer place because, as CDC's Sir
Dystic put it: "every 14-year-old who wants to be a hacker will try it."
BO2K's slogan is "show some control," and many will take that imperative
seriously. Back Orifice will be used by lots of unethical people to do all
sorts of unethical things. And that's not good.
On the other hand, Back Orifice can't do anything until the server portion
is installed on some victim's computer. This means that the victim has to
commit a security faux pas before anything else can happen. Not that this
is very hard: lots of people network their computers to the Internet
without adequate protection. An attacker can even ask the victim to
install Back Orifice (social engineering might help); the Worm.ExploreZip
worm of this spring did exactly that. Still, if the victim is sufficiently
vigilant, he can never be attacked by Back Orifice.
But what about Microsoft's computing environment? One of the reasons Back
Orifice is so nasty is that Microsoft doesn't design its operating systems
to be secure. It never has. Any program that runs in Microsoft Windows 95
and 98 can do anything. In Unix, an attacker would first have to get root
privileges. Not in Windows. There's no such thing as limited privileges,
or administrator privileges, or root privileges. Microsoft assumes that
anyone who can run a program can reformat the hard drive. This might have
made some sense in the age of isolated desktop computers; after all, if you
could run a program, you were standing in front of the machine. But on the
Internet, this is absurd.
Windows NT was designed as a secure operating system, more or less. There
are provisions to make Windows NT a very secure operating system, such as
privilege levels in separate user accounts, file permissions, and kernel
object access control lists. However, the configuration that makes Windows
NT secure is very, very far from the default installed configuration.
Microsoft admits this. You have to make 300+ security checks and
modifications to a default Windows NT installation before it is secure.
And on top of this, Microsoft assumes that most users have
Administrator access to their desktop machines anyway. They only really
worry about network security, not host-end security, which is where they
are seriously vulnerable to attacks like Back Orifice 2000. Windows NT
could be secure, but Microsoft refuses to ship the OS in that condition
(presumably they worry that their spiffy animated fading menu bars may be
overlooked).
Malicious remote administration tools are a major security risk. What Back
Orifice has done is made mainstream computer users aware of the danger.
Maybe the world would have been safer had they not demonstrated the danger
so graphically, but I am not sure. There are certainly other similar tools
in the hacker world -- one, called BackDoor-G, has recently been discovered
-- some developed with much more sinister purposes in mind. And Microsoft
only responds to security threats if they are demonstrated. Explain the
threat in an academic paper and Microsoft denies it; release a hacking tool
like Back Orifice, and suddenly they take the vulnerability seriously.
Back Orifice Home Page:
http://www.bo2k.com/
Commentary:
http://www.zdnet.com/zdnn/stories/news/0,4586,2127049,00.html
http://www.infoworld.com/cgi-bin/displayArchive.pl?/99/30/o03-30.36.htm
Microsoft's Systems Management Server:
http://www.microsoft.com/smsmgmt/techdetails/remote.asp
http://www.cultdeadcow.com/news/pr19990719.html
BackDoor-G:
http://www.zdnet.com/zdnn/stories/news/0,4586,2267379,00.html