Tuesday, June 24, 2008

Back Orifice

"Back Orifice" is a hacker's dream, and a Netizen's nightmare.

Back Orifice is not a virus. It is in essence a remote administration tool.

It gives "system admin" type privileges to a remote user by way of the computer's Internet link.

What does this mean? It means that if Back Orifice is running in your computer, a remote operator anywhere on the global Internet can gain access and do almost anything you can do on your computer -- and some things you can't do -- all without any outward indication of his presence.

Back Orifice can arrive disguised as a component of practically any software installation. It can be attached to other files or programs or run on its own. It must be run, by itself or by another application. It then installs itself in seconds, typically erases the original, then may run a specified program. To the user installing an "infected" application, it will appear that all went normally. But from that moment forward, your system offers easy and comprehensive access anytime it is connected to the Internet.

In itself, Back Orifice does not cause any malfunction. It runs quite invisibly to the user, consumes insignificant memory and resources, and does little besides simply open up access to standard Windows 95 functions.

Win95/98 is in essence a networking operating system. It's designed to give access and control to the system administrator on any network to which it is connected. Back Orifice simply implements standard system admin functions and includes a few handy tools for the remote operator's convenience. But it does so very quietly, almost undetectably.

I've created a handy page with the basics about Back Orifice in a Q&A format, with links to helpful hints, more in-depth information and step-by step instructions for detection and removal.

Read on for a broad summary of Back Orifice and its implications, and follow my links, on and off this site, for a comprehensive view of this rather surprising tool.

A little knowledge can render you virtually free of any threat, and may also nudge you down a road of greater utilization and control of your own computer and its Internet connections.

Information of BO and NB

The following document provides a detailed technical explanation of the Back Orifice tool. There is another existing tool called NetBus which has capabilities similar to Back Orifice. The currently available definitions of Norton AntiVirus detect both Back Orifice and NetBus. To download these definitions, please go here.

Back Orifice Overview
Back Orifice is a tool consisting of two main pieces, a client application and a server application. The client application, running on one machine, can be used to monitor and control a second machine running the server application. The operations that the client application can perform on the target machine (e.g., the machine running the server application) include the following:

  • Execute any application on the target machine.
  • Log keystrokes from the target machine.
  • Restart the target machine.
  • Lockup the target machine.
  • View the contents of any file on the target machine.
  • Transfer files to and from the target machine.
  • Display the screen saver password of the current user of the target machine. The creators of Back Orifice also claim to be able to display "cached passwords" for the current user, but no other passwords were displayed during our analysis.

Technical Details

Server application installation
In order for Back Orifice to work, the server application must be installed on the target machine. This involves executing the server application on the target machine. The server application is a single executable file with a size just over 122 kilobytes. The application creates a copy of itself in the Windows system directory and adds a value containing its filename to the Windows registry under the key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\RunServices

The specific registry value which points to the server application is configurable (see section below on configuration). By doing so, the server application always starts whenever Windows starts, and thus is always active. The application will not appear in the Windows task list.

Target machine requirements
The target machine must be running either Windows 95 or Windows 98. The server application will not run on Windows NT. The target machine must have TCP/IP network capabilities.

Communication
The client application communicates with the server application using TCP with encrypted UDP packets.

Configuration of the server application
The server application can be configured with the following parameters:

  • Its installed filename
  • The communication port
  • The name of the value it will add to the registry
  • A password for encrypting the client/server packets used for communication
  • A custom plugin DLL to run with the server application

Default configuration
By default, if the server application has not been otherwise configured, the installed filename is ".exe" (e.g., that's a space followed by ".exe"), the communication port is 31337, the registry value name is empty (e.g., the default registry value entry is used), and no password is used (although the communication is still encrypted).

Is Back Orifice a Threat?
Potentially, the tool can be used by an unscrupulous user (e.g., the attacker) to compromise the security of a computer running Windows 95 or Windows 98, for example, to steal secret documents, destroy data, etc. However, the following are obstacles limiting the threat:

  • The server application must be installed on the target machine. This requires the user of the machine to either deliberately install this application or be tricked into doing so.
  • The attacker must know the IP address of the target machine. Although, the attacker can use the client application to perform a search through a range of IP addresses, this is infeasible if the attacker can not narrow the range to a small subset because there are four billion possible IP addresses.
  • A firewall between the target machine and the attacker virtually makes it impossible for the attacker to communicate with the target machine. Most corporations have firewalls in place.
  • By following safe computing practices, for example, not downloading or running applications from unknown sources, users can protect themselves from the potential threat.

Source http://www.symantec.com/avcenter/warn/backorifice.html