BO2k: a new menace for Windows.
Back Orifice 2000:
A Trojan for Windows NT
by Bruce Gingery
On Thu, 8 Jul 1999 03:55:15 -0500, in <rHZg3.1637$Ur1.firstname.lastname@example.org>,
Jon Neiderbach wrote in uswest.dsl:
JN> I am using the Cisco 675 router hooked to a Windows 98 peer-to-peer LAN.
JN> File sharing had been enabled, but I've just changed that...
JN> In the July 8, 1999 New York Times
JN> there is a story about the increased security risks posed by "always on"
While you're considering security and 24/7,
don't neglect to notice that this is again DEFCON weekend coming up. The floods in Vegas
Thursday can't do anyone any good.
cDc has announced BO2k for NT, as well as W95/98. To add to it, Back Orifice is announced
to become "open source" this coming weekend, so traditional
"signature" identification by virus scanners _will_ become even more useless
than the traditional _catch_up_mode_ that they traditionally work in (someone must be a
victim before protection can be added). Within days there almost certainly will be many
variants. If the old version was downloaded several hundred thousand
times, the new one(s) may quickly exceed that, with NO way to count.
(ShockWave required - is there a previously unannounced hole in it?)
Downloads start July 10, probably on mirror sites, too.
There _may_ be glaring errors in the MSNBC
coverage. The work on an NT _server_ of BO (not merely the remote control application
"client") was announced many months ago. Don't count on this update being *just*
a client, where NT is concerned, unless that is confirmed Saturday.
Reports of plugins (BUTTplugs) & releases for the year-old BO include:
"Sleep mode and TCP control scheduled port connections" (UDP blocking, _any_ port, and portscanning ineffective)
"HTTP and HTTPS Tunnel-Through" (Reverse Logic HTTP allows boserver to be accessed if web browsers can "get out")
Promiscuous mode LAN sniffing (otherwise unnoticed installed server watches everything going past, sniffing (e.g.) passwords.)
Various and sundry system analyses and data scanning/manipulation.
Various and sundry install schemes, exploiting any known (and perhaps even some _still_ unadmitted) holes in Windows, especially ...
IE5 services invocation by buffer overflow for install, if IE5 is present, even if it is not the normal tool for web. (anyone know if this same problem exists for
OpenSource client (written for *N?X, allows porting to anything
not really a BUTTplug, I know, but it seems to fit here. The unattended scripted client hasn't had much distribution, unlike the basic client).
ButtTrumpet announcement via E-Mail of successful install (similar announcing mechanisms use: Usenet, IRC (SpeakEasy) and/or eggdrop Botnet, ICQ, AIM)
SaranWrap/SilkRope trojan installers, launchers.
Reset auto-startup for machines with soft on-timer powerup.
Post _anything_ as outgoing E-mail, as well as directly sending it, including or excluding a record of it being sent. It _looks_ like you sent it. Same for Usenet, IRC, ICQ, AIM, messages etc.
Install its own updates
and likely more I've heard of but forgotten at this point.
In case you've forgotten, the year-old version in the base server included:
Webserver turns your HDD into an open space on the net.
File transfers (either direction)
Manipulation of "Net Neighborhood" fileshares
Run any program the user can run (and some they can't)
Load plugins and run them (the BUTTplugs above)
Redirect any port (pretend to be the normal service)
Port reflection (hmmm, I _think_. Haven't looked in a long time).
Keyboard sniffing
Screen capture
Video and/or Audio controls (A/V snooping and/or odd effects)
Installation of other programs (e.g. NetBus)
Killing or disabling of other programs, such as virus scanners.
Extend a "DOS prompt" to the remote machine.
Shut down (normally), or panic your machine (BSoD).
Does not show in task list, taskbar nor tray.
Note that there are rumors of heretofore unaddressed OLE/COM security holes,
and potential for the "macro virus" problems in Word, Excel, PowerPoint and
others (in combination with MS-Money? Access? Encarta? anything that can work together
OLE/COM) _still_ being unrepaired (ref Melissa).
In short, anything you've heard of a virus being able to do, including CIH/Chernobyl's
capacity to destroy your Flash-BIOS, can also be done by BO. It can disable what little
protection there is, for example, in the signature checking of ActiveX controls on
webpages. Can mail itself to your address book list, with a cover letter claiming that the
executable is an E-Mail "Greeting Card" (which with Silk Rope or Saran might
actually run). It can modify your BIOS to unprotect
your boot-sector, and/or crack your BIOS password (if one is installed), and change or
remove it. Of course, it can also negate or change W95/98 logins. It can change default
associations so that it doesn't have to auto-start, but rather gets you to start it with a
saran'd or silkrope'd copy of Word for example. The
registry check is NOT a sure thing.
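The point above, that a check of the auto-start registry entries can come back clean while a changed file association still launches the server, shown as an added example (not part of the original article). The export text, the baseline values and all file paths below are constructed assumptions.

```python
import re

# Constructed sample in REGEDIT4 export format (not taken from a real infection).
# The Run key is clean; only the Word document handler has been repointed.
SAMPLE_EXPORT = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"

[HKEY_CLASSES_ROOT\Word.Document.8\shell\open\command]
@="\"C:\\WINDOWS\\TEMP\\WINWORD.EXE\" /n"
'''
# Hypothetical known-good baseline, recorded while the machine was trusted.
BASELINE_AUTOSTART = {"SystemTray": "SysTray.Exe"}
BASELINE_HANDLERS = {
    r"HKEY_CLASSES_ROOT\Word.Document.8\shell\open\command":
        r'"C:\Program Files\Microsoft Office\Office\WINWORD.EXE" /n',
}
AUTOSTART = ("\\CURRENTVERSION\\RUN", "\\CURRENTVERSION\\RUNSERVICES")
VALUE = re.compile(r'(@|"(?:[^"\\]|\\.)*")="((?:[^"\\]|\\.)*)"$')

def parse_reg(text):
    """Parse export text into {UPPERCASE key path: {value name: data}}."""
    keys, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].upper(), {})
        elif current is not None and (m := VALUE.match(line)):
            name = "(Default)" if m.group(1) == "@" else m.group(1)[1:-1]
            current[name] = re.sub(r"\\(.)", r"\1", m.group(2))  # undo \\ and \"
    return keys

def audit(export, autostart_ok, handlers_ok):
    """Return (kind, key, value name, data) for every deviation from baseline."""
    handlers_ok = {k.upper(): v.lower() for k, v in handlers_ok.items()}
    findings = []
    for key, values in parse_reg(export).items():
        if key.endswith(AUTOSTART):
            findings += [("autostart", key, n, d) for n, d in values.items()
                         if autostart_ok.get(n, "").lower() != d.lower()]
        elif key.endswith("\\SHELL\\OPEN\\COMMAND"):
            cmd = values.get("(Default)", "")
            if handlers_ok.get(key) != cmd.lower():
                findings.append(("handler", key, "(Default)", cmd))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_EXPORT, BASELINE_AUTOSTART, BASELINE_HANDLERS):
        print(finding)
```

A wrapped binary written over the handler at its original path leaves the command string unchanged, so a real baseline would also need hashes of the handler executables.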
It is rumored that BO2k may do the following:
It's a "deep" (complex) attack, or can be.
It uses "deep"ly embedded services more easily than its predecessor (COM calls), utilizing anything that Microsoft has been defending as inseparable from Windows.
Keying off Melissa, it will reveal "deep" secrets: such things as PKI identity secret keys for client identified SSL sessions, financial data, and auto-decryption of received messages, with mirroring back out to anywhere of the decrypted text.
In an intranet or extranet, it may become a "deep" throat tattletale of everything going on in the NET.
Deep BO was expected as an embarrassment during
Chicago COMDEX, but evidently wasn't ready, or just wasn't released. Further investigation
reveals that "Deep BO" may have indeed been released and have been far less than
presumed (e.g. listening only on 37338 UDP), and without even all of the functionality of
the original BO. It seems to have been a competitor, rather than an upgrade to BO.
With the addition of stronger encryption reportedly in BO2k, it may
be installed with its primary functionality encrypted (even differently
after each run), making ANY signature identification impossible
by traditional virus scanners. It also may use networked services
to have a "mini bootstrap loader" fetch the main operational code
and execute it, from some distant site on reboot.
What to do?