Back Orifice Back Again

UPDATE -- The Symantec AntiVirus Research Center (SARC) at Symantec Corp. ( have analyzed and posted a virus definition set that it says protects against the Back Orifice 2000 Trojan Horse.

The company says the definition set is available now and users of Norton AntiVirus can download it through LiveUpdate or from the Symantec Web site. This will allow the operating system to detect when Back Orifice 2000 has been received. Other security vendors, such as Network Associates Inc. ( are releasing similar solutions.

Earlier today, Internet Security Systems (ISS, announced that it had decoded the protocols and encryption algorithms in Back Orifice 2000 (BO2K), the Cult of the Dead Cow's update to last year's Trojan Horse application, Back Orifice, that provided remote access to Windows 9.x machines. Released just 48 hours ago at the Las Vegas hacker convention Def Con, BO2K has the ability to do the same with machines running Windows NT, making it a much larger threat to the corporate enterprise.

ISS reports it is sharing whatever information it has with Microsoft Corp. and is rapidly developing countermeasures for inclusion to its security software RealSecure and Internet Scanner.

Bob Olson, vice president of product marketing for Network-1 Security Solutions Inc. (, says Back Orifice can access passwords, capture keystrokes and send the machine faulty warning messages. BO2K can even turn on the machine's microphone and listen for noise around the machine, and access the MS-DOS prompt and perform any function that can run from DOS.

It does all this by sending an e-mail message containing the IP address of the machine to some Web e-mail address such as Hotmail or Yahoo. Then, as the attacker, you remotely connect to the machine and begin administering it. Any applications on a Windows NT machine has access to the communication ports. Back Orifice 2000 takes advantage of this and uses any port in the machine it chooses.

This is where Network-1 has come in. The company has developed software called CyberwallPlus that locks down communication ports on the NT machine and only allows them to open up after the administrator has been notified.

"The real threat behind this is that the authors made it encoded so that it's difficult to detect it in a machine," says Olson. "[The Cult] did it purposely to point out the deficiencies in Windows NT security."

Not only does Back Orifice run undetected but it can get on the machine in a variety of ways. One is by floppy disk. In the original Back Orifice, the executable program was called "[spacebar].exe" so the file name was virtually invisible. The executable can also be sent by e-mail and "Saran Wrapped" onto another bona fide application.

Other innovations may come along as well, since the Cult decided to make this version open source, allowing other hackers to come up with their own implementation of the Trojan Horse. Symantec reports its solutions will defend against variations of Back Orifice 2000 as well.

As for the Cult of the Dead Cow, it's marketing this as a pure administration tool. The Cult's Web site has a press release announcing the "product," saying it will be free for download July 10 on the Back Office 2000 Web site ( during the hacker convention Def Con VII in Las Vegas. "Unfortunately for Microsoft, Back Orifice 2000 could bring pressure on the software leviathan to finally implement a security model in their Windows operating system," states the release. "Failure to do so would leave customers vulnerable to malicious attacks from crackers using tools that exploit Windows' breezy defenses." -- Brian Ploskina

About the Author

Scott Bekker is editor in chief of Redmond Channel Partner magazine.

comments powered by Disqus
Most   Popular