The Back Orifice "Backdoor" Program

YOUR security is at risk.

(Last updated 2 January 1999)


First written on 17 Aug, these pages have grown and changed daily as events unfold.

Back Orifice

"Back Orifice" is a hacker's dream, and a Netizen's nightmare.

Back Orifice is not a virus. It is in essence a remote administration tool.

It gives "system admin" type privileges to a remote user by way of the computer's Internet link.

What does this mean? It means that if Back Orifice is running in your computer, a remote operator anywhere on the global Internet can gain access and do almost anything you can do on your computer -- and some things you can't do -- all without any outward indication of his presence.

Back Orifice can arrive disguised as a component of practically any software installation. It can be attached to other files or programs or run on its own. It must be run, by itself or by another application. It then installs itself in seconds, typically erases the original, then may run a specified program. To the user installing an "infected" application, it will appear that all went normally. But from that moment forward, your system offers easy and comprehensive access anytime it is connected to the Internet.

In itself, Back Orifice does not cause any malfunction. It runs quite invisibly to the user, consumes insignificant memory and resources, and does little besides simply open up access to standard Windows 95 functions.

Win95/98 is in essence a networking operating system. It's designed to give access and control to the system administrator on any network to which it is connected. Back Orifice simply implements standard system admin functions and includes a few handy tools for the remote operator's convenience. But it does so very quietly, almost undetectably.

I've created a handy page with the basics about Back Orifice in a Q&A format, with links to helpful hints, more in-depth information and step-by step instructions for detection and removal.

Read on for a broad summary of Back Orifice and its implications, and follow my links, on and off this site, for a comprehensive view of this rather surprising tool.

A little knowledge can render you virtually free of any threat, and may also nudge you down a road of greater utilization and control of your own computer and its Internet connections.

11/25 NETBUS: ALL THE FACTS

Back Orifice Q&A
Detecting Back Orifice
11/25 More on Finding BO
Removing Back Orifice

Bulletins!
11/25
Who Runs Lockdown Scam?
PCHelp Tests Lockdown!
11/25
Beware Lockdown 2000!!!
Control Your File Sharing
10/22
What's Going On With McAfee?
PCHelp Got Hacked!
Virus Alert!
Is BO Legal?
BO Client's Secret Transmissions?

Finally! A Back Orifice Detector/Remover Program THAT WORKS.
Chris Benson's BODetect at
http://www.spiritone.com/~cbenson/distributables/BoDetect_StandAlone.zip

Also!
Back Orifice Eliminator
Works JUST FINE NOW. Bardon Has upgraded BOE and it is now very effective.

Other Anti-BO Tools:
(These are now numerous and soon to be more extensively tested and reviewed)

Antigen
Does fine with ordinary installs, fails with clever installations.

Toilet Paper
Odd interface, requires reboot to remove the BO server.

BOSniffer
Warning! "Anti-Back Orifice" BOSniffer is bogus! It's BO in disguise!

BOPlug
BOPlug looks for BO's telltale WINDLL.DLL file. On my machines, it halts prematurely and fails to remove any BO.

Back OrifiX
In French! This is a huge 1.5M download. It finds default and some configured BOs. It can scan files, a step in the right direction, but it can't scan subdirs so it's almost useless.

Proliferation

Back Orifice was publicly released by the Cult of the Dead Cow (cDc) on 3 August 1998. It has reportedly been downloaded by well over 100,000 people since then.

Its implications are staggering, viewed as a whole. For the first time ever, a relatively simple tool for unauthorized computer intrusion is available to unprecedented numbers of people and is being "implemented" on a mass scale. People are sending the program to one another all over the net, in various guises, wittingly and unwittingly.

I have personally obtained the "Back Orifice" (BO) suite, learned its functions, and proceeded to use it freely for the past three days (as of 17 Aug). Along with a few easily-obtained utilities, I have found every function of Back Orifice works almost flawlessly. I gained experience with it on my own systems, then went "hunting" on the Net. I performed random "sweeps" of hundreds of thousands of Net addresses and easily located dozens of Back Orifice installations in computers all over the world. In each and every case, I had full, unfettered access to the affected system.

Because available methods show me only those "Orifices" without a password, it's difficult to gauge the magnitude of the BO problem. It's trivial to set up BO with password protection, and undoubtedly most of the mischief-makers who're using it are doing so. Based on my sampling, and the assumption that most BOs use passwords, I believe it to be installed in tens of thousands of Win95/98 PCs worldwide.

The number of Orifices is surely growing at a daily accelerating rate. BO will proliferate rapidly until public awareness is raised and software safeguards are widely used. The program can be expected to evolve, and Windows isn't changing anytime soon. So vigilance against BO and tools like it will remain necessary for the foreseeable future.

My guess is, the "Back Orifice" issue is yet to reach anywhere near its full proportions. It got some coverage when cDc released it, but so far (17 Aug) the media hasn't yet done it justice. Online news services have published stories (links on right), and I'm told CNN carried some TV coverage. Expect to see much more media coverage in the near future.

Prevention

At present I know of no antivirus tools which reliably prevent the installation of Back Orifice or reliably remove it once installed. BODetect is the most effective anti-BO app I've yet seen. BODetect kills it in operation (so you're safe each time it's run), and can run continuously to provide a high degree of security. Thus far, Symantec's Norton AntiVirus does detect Back Orifice, but does not remove it when running; as does McAfee (but reportedly less reliably). No doubt updates will appear on websites supporting the various antivirus/security tools. Here's Norton's Security Alerts page and their helpful Security Center. Also see links.

A combination of BODetect and Norton AntiVirus, both kept updated and both run continuously, should give a high degree of protection against BO as well as some against other similar trojans.

But there is no such thing as foolproof commercial software products for this purpose. Your best protection against BO and its ilk is to know a few basics, know the risks, and keep yourself well-informed.

First and foremost, installing or running just any program that's been sent to you is risky. If you receive a program from an unknown individual, or one which is passed on to you by an acquaintance who himself may have accepted it incautiously, realize that running it could cause damage. Back Orifice is only one of the potential consequences. I'm not talking about documents, images or e-mails, but about programs: games, utilities, applications, etc.

Detection and Removal

I have compiled a rather large amount of technical info and step-by-step instructions which allow detection and removal of BO. More will follow, including reviews of various countermeasures, some of which may even make it possible to catch an intruder in the act as they use BO or similar to access a system. See this page and watch for the "Countermeasures" link to appear above.
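As an added example (not code from this page or from any of the tools it reviews), here is a minimal decoy listener in Python that logs the source of every datagram sent to a chosen port without ever answering, the kind of "catch them in the act" monitoring this paragraph anticipates. It assumes a UDP transport and a port chosen by the reader; this page does not state BO's default port, so the demo binds an OS-chosen port and probes itself on 127.0.0.1.

```python
# Added example: a decoy UDP listener that records probes without replying.
# Assumptions (not stated on this page): the transport is UDP, and the port
# to watch is supplied by the reader. The demo below probes itself locally.
import socket
import time

def make_listener(host="127.0.0.1", port=0):
    """Bind a UDP socket on host:port. port=0 lets the OS choose a free port
    (handy for a local self-test); on a real machine pass the port to watch."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((host, port))
    return sock

def collect_probes(sock, max_probes=10, timeout=5.0):
    """Receive up to max_probes datagrams, or stop after timeout seconds of
    silence. Returns a list of (unix_time, source_ip, source_port, size).
    Nothing is ever sent back, so the decoy never confirms it is listening."""
    sock.settimeout(timeout)
    log = []
    while len(log) < max_probes:
        try:
            data, (ip, port) = sock.recvfrom(4096)
        except socket.timeout:
            break
        log.append((time.time(), ip, port, len(data)))
    return log

def format_probes(log):
    """Render each log entry as one human-readable line."""
    return ["%s  probe from %s:%d  (%d bytes)"
            % (time.strftime("%Y-%m-%d %H:%M:%S", time.localtime(ts)), ip, port, n)
            for ts, ip, port, n in log]

def send_probe(port, payload, host="127.0.0.1"):
    """Self-test helper: send one constructed datagram to the decoy."""
    client = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        client.sendto(payload, (host, port))
    finally:
        client.close()

if __name__ == "__main__":
    listener = make_listener()                 # OS-chosen port for the demo
    send_probe(listener.getsockname()[1], b"constructed probe")
    for line in format_probes(collect_probes(listener, max_probes=1)):
        print(line)
    listener.close()
```

On a real machine the logged source addresses are what you would hand to your ISP; the decoy itself gives a prober nothing to work with.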

Rescue

Disabling and/or removing Back Orifice from your own system is relatively easy once you know it's there. It does require just a bit of basic knowledge average users may not possess, but simple instructions can suffice.

All the necessary technical facts are available at the Internet Security Systems website in their Security Alert Advisory on Back Orifice at http://www.iss.net/xforce/alerts/advise5.html. (By the way, these guys deserve a grateful acknowledgement for being first online with excellent analysis, which made it possible for me to work safely with BO.) However, some may find this a bit too technical. For this reason, I have worked out some simple step-by-step instructions for removing a typical BO. To find those instructions, go here.

In my 3 days of exploration with BO, I found I could not in conscience leave "orificed" people in their predicament. I rescued about a dozen very startled people from their unsuspected plight. Imagine their surprise as this message appeared on their console:

Hello!  I should not have access to your computer...

Most of us keep information of one kind or another in our PCs which is of a private, privileged or financially sensitive nature. With Back Orifice installed, absolutely none of that information is safe from loss and/or prying eyes.

It's a rather shocking revelation, and a scary thing to realize someone else is "in" your computer.

It didn't always work, but I was usually able to establish a dialogue with the victim. In two instances, where the desperate users were incapable of doing it themselves, I have removed BO from the victim's system for them from my own console using BO's own tools. Usually though I have simply informed them of links to information about BO and where necessary, walked them through the removal process.

Needless to say, I've earned some thanks for alerting these folks, and made new friends in places like Israel, Australia, and New Zealand as well as a couple here in the US.

NOTE: I strongly do NOT recommend that anyone now do as I did then. It is no longer safe to perform broad sweeps of BO's default port. People monitor that port and will complain to your ISP, who may consider it necessary to cancel your account for their own protection.

In my efforts to gauge the problem -- which was my actual purpose -- I readily detected perhaps a hundred systems online with BO, and could easily have found hundreds more. There was not enough time in the day to help them all. So I ceased to try.

Quite aside from time constraints, my ISP has voiced concerns about the legal ramifications. And since I can use my time to do more for more people simply by publishing this page I don't see any point in entering anyone's system uninvited.

However, persons with a severe problem or persistent recurrence of BO may wish to request my help to track down their Orifice. You're welcome to email me. I just ask that you first try BODetect, perhaps other tools as they come online, and use the information on this site to do what you can on your own.

Links:

http://www.iss.net/xforce/alerts/advise5.html -- Internet Security Systems has "cracked" Back Orifice and reveals the technical facts. If you're a moderately experienced user and know how to edit the Windows Registry, this is the essential information on removal of BO.

http://www.cultdeadcow.com/ -- The originator of Back Orifice, the Cult of the Dead Cow is a well-known hacker group, reportedly the oldest such group in existence. They offer the full "suite" of Back Orifice for download at their site. Technically skilled persons will find it fascinating. Believe it or not, Back Orifice has wonderful potential as a legitimate tool.

http://www.abcnews.com/sections/tech/DailyNews/backorifice980811.html
ABCNEWS.COM story: Windows Faces Hack Attack. "This is a very impressive piece of software. It could do a lot of damage." -- Bruce Schneier, computer security expert

http://www.news.com/News/Item/0,4,25224,00.html
C|Net NEWS.COM story: Windows "back door" raises flags. Microsoft, apparently more concerned about public opinion than its customers' security, downplays the threat posed by BO to ordinary Netizens.

http://www.news.com/News/Item/0,4,25274,00.html
C|Net NEWS.COM story: Programmers protest with code. cDc claims its purpose in creating and releasing BO is to raise awareness about security and force Microsoft to make a better product for consumers: "Do you sweep these kinds of things under the rug, or get the problem out there and shed light on it so you can start solving it?"

http://www.zdnet.com/zdnn/stories/zdnn_smgraph_display/0,3441,2127049,00.html
ZDNN 11 Aug 98: Is 'Back Orifice' a threat -- or an educational tool? ZDNN's Robert Lemos notes a key fact -- it's not merely the nature of BO but its sheer numbers of users and victims that defines its magnitude. "A virulent hack in the hands of tens of thousands or even hundreds of thousands of users seems a significant threat." Says Sir Dystic, BO's creator, "By releasing Back Orifice to the public, every 14-year-old that wants to be a hacker will try it."

http://www.wired.com/news/news/technology/story/14092.html
Wired News story: Back Orifice a Pain in the ...? "This application appears to be similar to a mix of pcAnywhere and Citrix Winframe -- it allows remote control and viewing of remote computers. However, unlike those applications, the user may be unaware that it is running ... this application can run invisibly." - Jonathon Orbeton, Network security consultant
(Same story: http://www.cultdeadcow.com/news/wired/19980729/ )

http://www.wired.com/news/news/technology/story/14253.html
Wired News story: Microsoft Discounts Threat. The Back Orifice program is not as threatening as billed, says Microsoft.

http://www.wired.com/news/news/technology/story/14272.html
Wired News story: ISS Chimes In on Back Orifice. "Back Orifice provides an easy method for intruders to install a back door on a compromised machine," says the alert from the security software and consulting company.

http://www.wired.com/news/news/technology/story/14301.html
Wired News story: Back Orifice Goes Forth. "As ISPs begin to hear complaints from clients, independent security groups are scrambling to find ways to detect and remove the Back Orifice hacker program from infected machines. But Microsoft remains remarkably reticent about the threat."

http://commons.somewhere.com/cud/1998/Cu.Digest.10.41.Sun.26.J.html#File 6
The cDc's news release of 24 July, quoted in full in The Computer Underground Digest. The cDc release points out the positives: "The two main legitimate purposes for BO are, remote tech support aid and employee monitoring and administering [of a Windows network]." But the less scrupulous possibilities are very well recognized. "... Microsoft has leveraged itself into a position where anyone who wants to can download an app [or write their own!] and learn a few tricks and make serious shit happen."

Slashdot, a news-for-nerds E-zine, has followed the BO story:



I wish to acknowledge Northwest Internet, who host this site free of charge and who have cooperated with me in my efforts to analyze Back Orifice. Everyone who is helped by these pages owes thanks to these good people.