By Scott R. Hogg
Network Systems Consultant
On August 1st, 1998 at the DefCon hacker convention a group by the name "Cult of the Dead Cow" (CDC) unveiled their latest invention "BackOrifice" (BO). This software takes advantage of many known API calls to provide services and information to a remote computer about Windows 95 and 98 computers. This remote computer runs the BO graphical program and the Windows 95 and 98 computers must be running the BO agent software. The graphical software on the remote computer runs on NT and UNIX systems and simply points to the IP address of the victims computer. The software is freely available and can be downloaded from www.cultdeadcow.com/tools/bo.html.
The BackOrifice software is supposedly capable of doing the following things to the Windows 95 or 98 computer that is running the BackOrifice agent.
Execute commands on the computer (hidden from task bar)
Manipulate files on computers drives (list, copy, rename, delete)
Start client services remotely
Share directories on computer
Upload/download files remotely
Manipulate the Windows registry
Kill, List, and Spawn processes
Get current user information
Get information on computer (Windows version, etc.)
Gather performance information (CPU, memory)
List mounted drives
Crack Windows passwords (Screen saver, cached passwords, etc.)
Get information on network resources
Play ".WAV" files and send dialog-box messages to victim
Redirect network traffic
Record keystrokes on computer
Capture what is on the computers screen
Sniff network traffic remotely
Note: In our testing of this software in our isolated lab, several of these features did not work as advertised. However, many worked quickly and flawlessly.
BackOrifice can only be used against Windows 95 and 98 computers, but NT or UNIX can be used at the perpetrators end. When the boserve.exe is run on the computer, the software loads itself into the c:\windows\system directory as a " .exe" file of 122KB. There is also a registry change that is performed by default (\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices).
The current security perimeter architecture helps mitigate against BackOrifices use. The security perimeters help prevent direct communications from the intranet and the external networks. Therefore, the firewalls help prevent the direct network connection between the BackOrifice GUI and the Windows 95 or 98 computer running the BackOrifice agent. However, there are situations where not all network traffic goes through the security perimeters. Properly configured firewalls are critical to minimizing the external threat.
There is a greater threat for BackOrifice to be used internally by employees. Malicious mischief would be easily performed because of the ease of use of this software. BackOrifice contains features that could be viewed as entertaining in a "play jokes on your friends and co-workers" sort of way. It is likely that internal workers will manually load the Windows 95 or 98 agent on fellow employees workstations and use the software internally across their local LAN.
Since the BackOrifice software is small it can be concealed and attached to e-mail messages. If a user clicks on the attachment, the BackOrifice program could be loaded on the users computer without their knowledge. However, it is against the current security policies for users to download software off the Internet. Furthermore, it is documented in the security policies (Best Practices) that users should think before launching e-mail attachments. Users should know who is sending the message and know that the attachment will not cause harm ahead of time. It is also documented in the Roles and Responsibilities sections of the security policies that each user is responsible for ensuring the integrity of data and creating backups to protect that data. Furthermore, the current mail systems allow for the logging and tracking of all e-mail messages. Therefore, should it be necessary an investigation could search back through the logs and find both the originator and the destination of a message. We also have procedures to isolate "blanket" distributions of e-mail messages. It is possible to purge messages from e-mail queues before they even reach users. There are also security policies prohibiting the use of "blanket" distributions of messages for anti-spamming prevention and chain-letter forwarding by employees.
Several e-mail packages do have known vulnerabilities that allow them to execute HTML or Java linked to URLs contained within e-mail messages. When these items are clicked on by users, various attacks could take place such as loading the BackOrifice software on the computer. Netscape Mail program, Microsoft Outlook and Outlook Express, Eudora Pro 4.0 and 4.01, and Eudora Light have this vulnerability. Qualcomm and Microsoft have since come out with fixes for their e-mail programs. So far, Microsoft Exchange does not contain these vulnerabilities.
Detection and Removal:
The BackOrifice application communicated with the victims Windows 95 or 98 computer with UDP port 31337 packets by default. The software can be configured to work on different ports, but if traffic of this type is observed on the network, it is a strong indication that BackOrifice is in use. However, the software utilizes a very simple encryption algorithm that can be easily cracked, but this helps disguise the attacks that are taking place. Network-based intrusion detection could be used to look for the UDP port 31337 traffic, but the traffic is likely to be highly localized when there is insider mischief and the UDP port can be customized.
The BackOrifice software on the Windows 95 or 98 computer does install itself in a default location, and makes registry changes by default. Therefore, the existence of the software can be easily detected if the default values are being used. In fact, there are many programs that have recently been released that can detect, remove, and even continue to monitor for BackOrifice. Programs like ToiletPaper, BOdetect, BO Remover, BackOrifice Eliminator, Plugger, among others. Some of these programs come from unverified sources and may in fact do the opposite of what they advertise. However, Symantec Norton AntiVirus can detect BackOrifice whether it has been concealed or not. More anti-virus software will likely include these tests and cleansing procedures in upcoming releases to help rid the computers of BackOrifice and help keep them clean.
Currently we use Network Associates McAfee V-Shield for detecting viruses and the like. A good plan of action would be to update the DAT files on users workstations through SMS when a new DAT file is released that can detect BackOrifice. Even if the software does not cleanse the computer, that function is easily done manually and this might even require re-formatting the hard-drive. Microsofts SMS might even be able to scan for the software by doing a software inventory for BackOrifice being installed with the default settings. The September version of the McAfee V-Shield virus definition file will be able to detect BackOrifices existence on a computer removal will have to be manual.
BackOrifice was released with a lot of fanfare and mysticism. However, over the last several weeks, a greater understanding of the software has been achieved. Given that our firewalls prevent direct connections in most cases and we have well-documented e-mail policies, the external threat is reduced. Security policies also prohibit its distribution internally. Since BackOrifice is only capable of taking advantage of desktop OSs, internal NT, or UNIX servers are not affected. Soon we will use virus software for our desktops having the capability to detect and remove the software from users computers.