Privacy Software Corporation Security Advisory
Friday, July 16, 1999
 
 BACK ORIFICE 2000 (BO2K) TROJAN HORSE PROGRAM
[Screenshot: the client program they use against your machine. What runs on your machine is completely invisible.]
 

SYNOPSIS:

 In August of 1998, the "Cult of the Dead Cow" released a "remote administration tool" called "Back Orifice." A newer, far more intrusive version, called "Back Orifice 2000" or "BO2K," was released on July 10, 1999. While the original release of Back Orifice wreaked havoc when used as a trojan horse remote control server on Windows95 and Windows98 machines, it lacked "WNetEnumCachedPasswords()" error handling, which caused it to fail to function on NT. The new "BO2K" release functions on all Windows platforms and possesses features that make it far more dangerous to NT systems than to "lesser Windows versions." If you're using Windows NT (tm), the existence of Back Orifice 2000 is grave cause for concern.

 While the Cult of the Dead Cow vehemently denies that Back Orifice 2000 is anything but a "helpful tool," it has all of the facilities (and THEN some) that computer crackers require in a trojan horse, plus excessive stealth. Legitimate "administrative tools" default to showing a visible icon either on the traybar or on the screen which indicates their existence to the end user, or possess some other indication of their presence and of whether they are in "active" or "standby" mode. Back Orifice 2000 possesses stealth capabilities in all of its multiple modes of operation and yet possesses no direct capability of signalling its presence to the end user on their desktop. At best, the end user might see it in the task list, though many efforts were made to hide it there as well. In addition, there is an "Insidious mode" built into Back Orifice 2000 which causes the filename associated with its startup file to become "illegal," and therefore invisible as well, by stuffing a large number of space characters and an "e" at the end of the excessively long filename. What possible need is there for this in a "remote administration" tool?

 To further erode the credibility of the Cult of the Dead Cow's claims, Back Orifice 2000 was designed to create a remote thread in another legitimate process. While this is highly technical, what Back Orifice 2000 does in NT environments is literally copy itself into another running program (by default, EXPLORER.EXE itself) and then destroy its own original process, and by doing so it makes itself completely invisible, literally hijacking another legitimate program to hide behind. Such behavior is CLEARLY not the philosophy behind a "remote administration tool," and going to such extents to conceal the program when running belies any claims to it being "inert." Sorry, we just don't buy it.

 While we can appreciate some extremely creative programming and the revelation of a number of heretofore undocumented Windows functions, this dangerous capability was completely documented in the publicly released source code for the Back Orifice 2000 program. This creates an even more dangerous situation, as the blueprints for constructing clones of "BO2K" were made widely available to a world of computer delinquents, and we expect pieces of the source to emerge in literally hundreds of new trojan horses using the examples provided in the sources.

 Regardless of the intent, this trojan horse is extremely dangerous and will become very prolific very quickly as a result of the detailed instructions made available to "roll your own trojan" to the so-called "script kiddies" who have nothing better to do with their lives than break into other people's systems. The world would have been a better place had cDc kept their source code "proprietary." In the real world, customers who need source code to prove your intentions can sign non-disclosure agreements. There was no need to publish and certainly no benefit in doing so. If promotion of an alternate operating system was the goal of this effort, the energy would have been better spent in making the alternatives more attractive to those who might wish to quit using Windows by working on a more "familiar" and "easily configured" desktop for Microsoft customers on said platform.

 To the best of our ability to determine, any claims that Back Orifice is a "white hat" utility fall victim to the reality of how the rollout was done and of the capabilities in which the authors take such seemingly great pride. Even something as simple as bringing up system configuration files in the BO2K client screen to permit editing would have been a de minimis demonstration of legitimacy, given the other specific capabilities in Back Orifice 2000. Promoting "cracker" features in a demonstration of capabilities, rather than those "tools" actual system administrators would find helpful, completely belies any attempt by "cDc" and "L0pht Heavy Industries" to pass off Back Orifice 2000 as something intended to be "legitimate."

 Like all Remote Control Trojan Horse (RCTH) programs, Back Orifice 2000 must be installed and RUN on your computer in order to become a security danger. Trojan horses are received as email file attachments, installed by rogue sites which exploit "buffer overflow bugs" in "internet enabled" software, or are physically placed onto your machine by someone else. When a trojan horse is RUN, it usually installs itself and becomes persistent, running automatically without your knowledge every time you start your machine and remaining running until you shut down. The presence of a trojan horse program on your machine is not a risk until it HAS been run. In other words, if you have a trojan horse program on your system but have never run it, then it isn't any risk at all until it actually HAS been run.

 Trojan horses are NOT viruses and have nothing in common with viruses. They do not "infect" files as viruses do, since a virus's main function is to reproduce; instead, "Remote Control Trojan Horse" (RCTH) programs open up your machine to other parties and give them more control of your machine than you yourself have. Using a trojan horse "server" placed on your machine, the person on the other end can go anywhere on your system and can read, write to, delete, download or modify any file on your machine. They can also "place" files onto your machine by uploading them to you. Trojans also possess a number of other capabilities which extend beyond your registry and file system. Some trojans can also record your room audio if you have a microphone connected, and Back Orifice plug-ins such as "bo-peep" can activate your television camera if you have one, record room video, and grab your screen at 8 frames per second to steal whatever you're looking at now. These are yet more capabilities that are not required in a remote administration or "maintenance" tool but which abound in BO2K.

Privacy Software Corporation's BOClean 4.02 software, designed to detect and defeat trojan horse programs, is fully effective in removing Back Orifice 2000 regardless of the filename or manner of delivery and, as is the case with other trojans, can also disable this program instantly upon detection. BOClean will also remove the files and registry hooks without the need to disconnect from the internet or reboot the victim's machine. This precludes the risks of registry editing and possible loss of data and permits the victim to remove the program and continue their use of a TCP/IP connection without loss of work or time. BOClean does not use general antivirus methodologies as they are useless against RCTH programs such as Back Orifice 2000. Instead, BOClean "melds" with your system's memory and is able to examine all processes on your system as well as threads to protect against trojan horses with stealth or other unusual characteristics such as encryption or compression by examining them in their final operating states as your microprocessor "sees" the end result of their loadups. No other methodology works like BOClean in defeating intrusions on your desktop.

CAPABILITIES:

  Back Orifice 2000 consists of a server program, by default named UMGR32.EXE, which permits anyone using the "BO2KGUI.EXE" client on their end to remotely control the victim's machine. The Back Orifice 2000 trojan can have its server filename changed easily to any other filename besides UMGR32.EXE, and thus the filename could be anything. Back Orifice 2000 (BO2K) is a risk to all Win32 platforms including Windows95, Windows98, Windows 2000 and Windows NT.

 As to the capabilities of the Back Orifice 2000 server, we quote from the documentation on Cult of the Dead Cow's public site below verbatim:

Features Added By Plugins

 In addition to the claimed capabilities, Back Orifice 2000 (BO2K) permits the remote end to log in to your machine and then send and receive data posing as you. It can also reroute network connections and can fully defeat a firewall because of its ability to operate on any port (including the http and ftp ports normally used behind a firewall); if the port it is configured on is busy, it can wait for access to it before forwarding the data it has stored. Combined with the encryption capabilities of Back Orifice 2000, the packet signals can elude "over the wire signature analysis," and plug-ins soon to become available for Back Orifice 2000 will provide UDP packet capabilities with reliability similar to TCP packets, to be used to further elude many intrusion detection systems. Because of these designs, the only effective way to stop Back Orifice 2000 is at the desktop infested by it, as it can be easily adjusted to change its signatures at whim. Variants soon to appear are also expected to have little in common with the original version to further elude signature analysis, and are also likely to be compressed in addition to using different methods of encryption. Because all of the source code and design principles for BO2K have been publicly released, we can expect even greater deviations in capabilities from other trojan horse writers who steal from the BO2K sources and further modify the capabilities.

 When Back Orifice 2000 is first run on a victim's machine, it gives no indication whatsoever that it has been successfully started. Nothing happens when the trojan horse program is first run. It is expected that Back Orifice 2000 will be "silkroped" or otherwise embedded into other programs for delivery, and it will withstand compression and encryption to elude antivirus software almost immediately after its release. Any software that Back Orifice 2000 is embedded into (such as pictures, games or other executable "dropper programs," as is typically done to install trojan horses) will work as intended, but the Back Orifice 2000 code within will not give any indication of its presence when it is started.

 Depending on how Back Orifice 2000 has been configured, there are many different modes of operation to ensure its ability to hide. All of the modes first make an attempt to become persistent (runs automatically each time you start your computer) by placing a file into the windows system folder which can be configured to ANY filename when Back Orifice 2000 is configured by the perpetrator. By default the filename is UMGR32.EXE.

 Once the file has been copied in, the original file received which contained the Back Orifice 2000 trojan is deleted to hide its tracks. Once this is done, Back Orifice 2000 will then place an auto-startup entry into the registry in any number of possible places, completely configurable by the perpetrator among numerous combinations: it can place it into the HKEY_CURRENT_USER and HKEY_USERS registry hives in the user's "Run" location, and in Windows95 or 98 it can be put into the "RunServices" key as well under HKEY_LOCAL_MACHINE. In addition, it can alternatively be placed into the HKEY_LOCAL_MACHINE "Run" equivalent, and the name of the value can literally be anything, as can the name of the file the value points to. Only by testing the contents of the file behind each and every registry entry against a known copy of the file (or an encrypted or compressed variant) can any particular registry entry be suspected with this particular "remote administration server."

  In NT environments, Back Orifice 2000 can install itself as a system service and will even hijack the necessary permissions to do so, posing as "administrator." When installed as a service, Back Orifice 2000's filename doesn't even need to be "marked" as an executable. It can be passed off as a VXD virtual device, a *.TXT text file or any other file extension that would be instantly skipped over by antivirus software because it isn't an "executable" based on its file extension. When BO2K is run on NT or Windows2000, it will also create a "remote thread" in another legitimate program and copy itself into the memory space belonging to that other program. By default, this hijacked process is EXPLORER.EXE, the desktop itself. It can be readily configured to do the same thing to any other KNOWN program running on the infested system. Our expectation is that the perpetrators will hide it inside an antivirus program that would be reluctant to destroy itself. In NT environments, once Back Orifice 2000 has successfully buried its thread in the other program, it is then free to completely remove its own process and instead run from the remote thread it hid in the other program. This in turn makes it impossible to detect once it has buried itself deeply in an NT or Windows 2000 system, as no process walker will see threads that have null values and no dependencies will exist for task monitors or process viewers to latch onto.

 If Back Orifice has placed a remote thread into a process that suspends or is terminated, it will then leap to another process and install a new thread in the new process to keep running. The messy method by which it sometimes grabs and releases threads can cause a program to fail to terminate, leaving the stopped program hanging in limbo, partially removed, and can cause other odd behaviors under Windows NT, such as a new process which has not fully initialized hanging. In this latter case, we've seen the BO2K thread function fully while the program it was attached to dies. Back Orifice 2000 has been observed crashing the infested process under NT service pack 3 and service pack 4, causing the infested process to display an "access violation" error when the remote end is playing with process lists or password grabs. Under Service pack 5, Back Orifice 2000 runs smoothly and never crashes, though a memory leak will be seen that continues until the NT machine suddenly crashes a day or two after infestation with zero free memory.

 If BO2K happens to be attached to the EXPLORER.EXE process on an NT or Windows2000 system, killing EXPLORER can sometimes shut down BO2K without it "leaping" to another process. Explorer will normally restart, however, and reload Back Orifice 2000 into a new remote thread, but will momentarily expose its underlying file and process until it completes the leap. At this point, the BO2K process CAN be killed successfully. Since the destruction of the underlying process occurs within seconds, one has to catch it at JUST the right time before BO2K is finished hiding itself.

 In Windows95 and Windows98 systems, the operating systems themselves lack the DACL/SID capabilities which allow Back Orifice to fully embed and then hide itself, and thus Win95 and Win98 users are not at as great a security disadvantage as NT users. Instead, in these environments, Back Orifice 2000 hides itself by removing itself from the kernel's function export table, which makes it vanish from the task list. They simply hack the kernel itself here to hide it, but Back Orifice 2000 CAN be found with sophisticated "show all" process management tools that check for bogus export addresses and shifted export registers. NT, however, is willing to lie about what it sees and what it knows.

Finally, Back Orifice 2000 runs the "image" copy while disconnecting itself from the file it started from. This cuts the connection between the process and the file from which it started, making it difficult or almost impossible to determine where it began running from. The image remains running, ready to connect to anyone "out there" who has the Back Orifice client and knows the password and mode to access the server on your machine. When you restart your machine, Back Orifice starts up again from the file and registry location or services database, depending on how it was configured. On NT machines, Back Orifice 2000 isn't a process at all; it's a thread within another running process and is therefore nearly impossible to find.

REMOVAL OF BACK ORIFICE 2000 SERVER:

The Back Orifice 2000 server will install its startup entry in the registry under any of the following registry keys:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices

It can also be registered under CurrentControlSet\Services, but it will be lost in a literal "mountain of entries" in NT or Windows2000, and the name of the associated launch file will be stored as a binary chain entry rather than as a text name you can read in REGEDIT. If you can decode hexadecimal ASCII values to alphanumerics, then you can possibly spot the location of the file that is started, but this will be challenging to most folks. In NT systems, since the SID and DACL of services entries in the database can be "permissioned," it is also possible that future builds of Back Orifice 2000 will hide their own registry entry so as not to be found with REGEDIT or REGEDT32.
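As an added example (not code from this advisory or from Privacy Software Corporation), the following Python script audits a REGEDIT export for the autostart keys listed above and for CurrentControlSet\Services entries, decoding the hexadecimal launch-file names the text mentions and flagging the traits described here: the default UMGR32.EXE name, the space-padded filename of "Insidious mode," and a service launch file that is not an executable. The sample export, its paths and the service name "ExampleSvc" are constructed for the demonstration.

```python
# Autostart locations named in the advisory (registry key names are case-insensitive).
AUTOSTART_KEYS = {
    r"hkey_current_user\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\runservices",
}
SERVICES = r"hkey_local_machine\system\currentcontrolset\services" + "\\"
DEFAULT_SERVER = "umgr32.exe"  # BO2K's default server filename

def decode_hex_value(data: str) -> str:
    """Decode a REGEDIT hex byte list (UTF-16LE in REGEDIT5, 8-bit in REGEDIT4)."""
    raw = bytes(int(b, 16) for b in data.replace(",", " ").split())
    enc = "utf-16-le" if len(raw) >= 2 and not any(raw[1::2]) else "latin-1"
    return raw.decode(enc).rstrip("\x00")  # drop the terminating NUL

def parse_reg_export(text: str) -> dict:
    """Parse a .reg export into {key: {value_name: decoded_value}}."""
    keys, current, buf = {}, None, ""
    for line in text.splitlines():
        line, buf = buf + line.strip(), ""
        if line.endswith("\\"):  # hex values wrap with a trailing backslash
            buf = line[:-1]
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif line.startswith('"') and current is not None:
            name, _, val = line[1:].partition('"=')
            if val.startswith('"'):  # REG_SZ: strip quotes, unescape backslashes
                keys[current][name] = val[1:-1].replace("\\\\", "\\")
            elif val.startswith("hex"):  # hex: or hex(2): binary/expand values
                keys[current][name] = decode_hex_value(val.partition(":")[2])
    return keys

def audit(keys: dict) -> list:
    """Return (key, value_name, target, reasons) for suspicious launch entries."""
    findings = []
    for key, values in keys.items():
        is_service = key.lower().startswith(SERVICES)
        if key.lower() not in AUTOSTART_KEYS and not is_service:
            continue
        for name, target in values.items():
            if is_service and name.lower() != "imagepath":
                continue
            low = target.lower().strip('"')
            reasons = [why for why, hit in (
                ("default BO2K server filename", low.endswith(DEFAULT_SERVER)),
                ("space-padded launch filename", "  " in target),
                ("service launch file is not an executable",
                 is_service and not low.endswith((".exe", ".com"))),
            ) if hit]
            if reasons:
                findings.append((key, name, target, reasons))
    return findings

# Constructed REGEDIT4-style export; paths and the service name are invented.
SAMPLE_EXPORT = r"""REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Umgr32"="C:\\WINDOWS\\SYSTEM\\UMGR32.EXE"
"Update"="C:\\WINDOWS\\SYSTEM\\update                    .e"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ExampleSvc]
"ImagePath"=hex(2):43,00,3a,00,5c,00,57,00,49,00,4e,00,4e,00,54,00,5c,00,\
  72,00,65,00,61,00,64,00,6d,00,65,00,2e,00,74,00,78,00,74,00,00,00
"""
```

Run `audit(parse_reg_export(SAMPLE_EXPORT))` on the sample, or feed it the text of a real REGEDIT export, to list each flagged entry with its reasons; a flagged entry is only a lead, and the file it points to still has to be compared against a known copy as the advisory says.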

 The "kids" at Cult of the Dead Cow are formidable programmers and have learned very well the techniques of most intruder detection designs. They are not to be underestimated. Whereas previous commonplace trojans were hard coded to have extremely specific behaviors, locations and filenames, BO2K departs completely from what came before. As a result, removal is still possible, as it has been with earlier trojans, but the location, filename and signatures of Back Orifice 2000 take prior removal methods completely into account, and as cDc says itself on its own site, removal is very difficult and was designed to be. Antivirus methodologies may work on some default copies of BO2K.EXE when they arrive on your machine, as a result of a file string match between the antivirus database and the file you receive, but you should NOT expect to see unmodified copies of Back Orifice 2000 (BO2K). Signature analysis WILL fail 99% of the time, as BO2K was designed to foil existing methods of protection.

Use of Privacy Software Corporation's BOClean 4.02 program will safeguard against Back Orifice 2000 by removing the program, critical data files belonging to it and its registry entries automatically without risk of damage, or the need to disconnect the infested machine or reboot. A 4.03 version of BOClean will be released shortly to deal with what we expect the "clones" to be able to do with the released source code for Back Orifice 2000.
 

COPYRIGHTED MATERIAL:

Copyright (c) 1999 by Privacy Software Corporation.

Permission is granted for the retransmission of this advisory by electronic means. It is not to be edited in any way without the express consent of Privacy Software Corporation. Requests to reprint this information in whole or in part should be directed to technology@privsoft.com.

Disclaimer: The information within this advisory may change without notice and is provided by Privacy Software Corporation AS IS. No warranties, express or implied, are provided with respect to this information, nor should any be construed by the transmission of this information. Any use of this information or its recommendations is solely at the risk of the user, as study of Back Orifice 2000 and its clones will necessarily be an ongoing project subject to change at any given moment. The information contained herein was current as of the time of its writing. Reality can change in seconds in a digitally connected world.

Contact Privacy Software Corporation at http://www.privsoft.com, http://www.nsclean.com, email to technology@privsoft.com. Copies of the Back Orifice 2000 distribution as captured by Privacy Software Corporation will only be provided to recognized security interests and responsible, recognized members of the press with the technical capability to conduct independent research on this trojan horse program or in the alternative, we will provide the URL where the programs can be obtained independently. Copies will NOT be provided by us to any other parties. Privacy Software Corporation reserves the right to refuse transmission without further explanation. Under the provisions of Privacy Software Corporation's customer and website privacy policies, we cannot divulge email from our customers regarding their experiences with these trojan horse programs nor can we divulge their identities under any circumstances.


