Back Orifice Reams Windows A New One

Windows achieves total network insecurity.


Microsoft has never really understood networks, and certainly won't let security get in the way of "user friendly" features or flash. These facts combine to make Windows 95/98 very dangerous for business use. If you ever doubted it, Cult of the Dead Cow's Back Orifice program should convince you. Back Orifice's tiny server can be distributed many ways (usually attached to a perfectly innocent file or program). Once installed, it will email its perpetrator your IP address, and that person gains total control of your computer, from the Internet or from within your local network.

Once established on your PC, Back Orifice can log your activity, recording names and passwords, and which program was running when you typed a password. Passwords internal to accounting programs are just as exposed as network passwords. The perpetrator can spread BO (Back Orifice) from machine to machine until he finds the administrator's PC and captures the server's admin password. Then your business is at his mercy. The perpetrator can even order a machine to format its own hard disk, or email your latest bid data to your competitor.

Back Orifice is well publicized and can be downloaded from cDc's FTP server at no cost, complete with extensive manuals and instructions. It is marvelously easy to use. Back Orifice uses no fancy hacker secrets: it is written entirely with published Windows APIs (Application Programming Interfaces) and other tools distributed with Windows. That isn't to say it won't be modified to make it even sneakier and more dangerous in the future.

Microsoft will fix this problem, won't they? Not without completely reconceptualizing their operating systems and their Internet strategy. Since they aren't going to fix it, Microsoft is denying that the problem is serious. Further, the problem plays right into Microsoft's hands, pushing your company to migrate to Windows NT at three times the price**.

Is Windows NT vulnerable to Back Orifice? Not directly, but if you have any Win95/98 machines on the network, everything on that network is exposed.

[ UPDATE: In 1999, cDc released Back Orifice 2000 (BO2K), a version of Back Orifice that also runs on Windows NT. They promote it as a "remote administration tool", which it certainly can be: it gives you total control over the remote machine, a lot more control than PC Anywhere. ]

Won't BO be stopped by ISPs or the company's firewall? Not reliably. The server can be built to listen on any TCP/IP port, and its traffic doesn't look like an invader, so a rule that merely blocks its default port achieves nothing. A firewall that refuses all unsolicited inbound connections to workstations does keep an Internet-based perpetrator from reaching a BO server behind it, but it does nothing against a perpetrator already inside the local network, and tightening a firewall enough to close every port BO could use also stops most legitimate uses.

Can virus checkers find BO? Yes, by scanning files for known signatures (they can't detect BO activity, because it looks just like user activity), so if you believe in locking the barn after the cow is stolen, you can depend on virus checkers. Of course you must keep those virus checkers up to date, because new builds of Back Orifice designed to fool virus detectors will keep appearing.

All this may seem pretty bad, but Back Orifice isn't really all that bad compared to, say, NetBus, and NetBus does NT too.
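The firewall and port points above, as an added example that is not part of the original article and not cDc's code or documentation: the Python script below runs two detection rules over a handful of constructed firewall-style log lines. The first rule is a port blocklist keyed on the two trojans' well-known default listening ports (UDP 31337 for Back Orifice, TCP 12345 for NetBus), exactly the kind of rule a server rebuilt to use another port walks straight past. The second flags any accepted unsolicited inbound connection to a machine that is supposed to be a workstation, regardless of port, and so catches the reconfigured server as well. The log format, the addresses and the host list are assumptions made up for the example.

```python
"""Added example (not from the original article): two detection rules run over
constructed firewall-style log lines.

Rule 1 (port blocklist) only knows the trojans' well-known default listening
ports. Rule 2 (workstation policy) flags any accepted, unsolicited inbound
connection to a host that should never act as a server, whatever the port.
The log format, addresses and host list are invented for this example."""

import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Well-known default listening ports of the two trojans the article names.
# A Back Orifice server can be built to listen on any port, so a list like
# this is incomplete by construction.
KNOWN_TROJAN_PORTS: Dict[Tuple[str, int], str] = {
    ("udp", 31337): "Back Orifice default port",
    ("tcp", 12345): "NetBus default port",
}

# Constructed log format (an assumption, not any real firewall's syntax):
#   <in|out> <tcp|udp> <src>:<sport> -> <dst>:<dport> <accept|drop>
LOG_RE = re.compile(
    r"^(?P<direction>in|out)\s+(?P<proto>tcp|udp)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<action>accept|drop)$"
)


@dataclass(frozen=True)
class Finding:
    rule: str      # which rule fired
    dst: str       # the machine that was contacted
    proto: str
    dport: int
    reason: str


def parse_line(line: str) -> Optional[dict]:
    """Parse one log line into a dict; return None for lines in another format."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def port_blocklist_rule(rec: dict) -> Optional[Finding]:
    """Rule 1: the destination port is a known trojan default port.

    Fires on drops as well as accepts, since a probe for the port is itself
    worth knowing about. Misses any server rebuilt to use another port."""
    name = KNOWN_TROJAN_PORTS.get((rec["proto"], rec["dport"]))
    if name is None:
        return None
    return Finding("port_blocklist", rec["dst"], rec["proto"], rec["dport"], name)


def workstation_policy_rule(rec: dict, workstations: Set[str]) -> Optional[Finding]:
    """Rule 2: a workstation accepted an unsolicited inbound connection.

    Workstations run no services, so any accepted inbound connection to one
    is suspect no matter which port it used. This also sees connections that
    originate inside the local network, which a border firewall never does."""
    if rec["direction"] == "in" and rec["action"] == "accept" and rec["dst"] in workstations:
        return Finding(
            "workstation_inbound", rec["dst"], rec["proto"], rec["dport"],
            f"workstation {rec['dst']} accepted inbound {rec['proto']}/{rec['dport']}",
        )
    return None


def analyze(lines: List[str], workstations: Set[str]) -> List[Finding]:
    """Run both rules over every parseable log line and collect the findings."""
    findings: List[Finding] = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        for finding in (port_blocklist_rule(rec), workstation_policy_rule(rec, workstations)):
            if finding is not None:
                findings.append(finding)
    return findings


# Constructed sample data: 192.168.1.20/21 are office PCs, 192.168.1.5 is the
# mail server; the 203.0.113.x and 198.51.100.x addresses are outside hosts.
WORKSTATIONS = {"192.168.1.20", "192.168.1.21"}
SAMPLE_LOG = [
    "in  udp 203.0.113.7:1049 -> 192.168.1.20:31337 accept",   # BO on its default port
    "in  udp 203.0.113.7:1050 -> 192.168.1.21:4433 accept",    # BO rebuilt for port 4433
    "out tcp 192.168.1.20:1123 -> 198.51.100.9:80 accept",     # ordinary web browsing
    "in  tcp 203.0.113.9:2001 -> 192.168.1.20:12345 drop",     # NetBus probe, dropped
    "in  tcp 203.0.113.9:4000 -> 192.168.1.5:25 accept",       # mail delivery to the server
    "# a comment line that does not match the format",
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG, WORKSTATIONS):
        print(f"{f.rule:20s} {f.dst} {f.proto}/{f.dport}  {f.reason}")
```

Run on the sample, the blocklist rule reports the default-port server and the dropped NetBus probe but says nothing about the server on port 4433; the workstation rule reports both live servers and ignores the mail server and the outbound browsing. The lesson is the one the article makes: the policy "workstations accept nothing inbound" is worth more than any list of trojan ports.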


Automation Access recommends: If you can't get rid of Win95/98, make sure you have an excellent anti-virus program and keep it up to date. That means downloading and distributing a new signature database just about every week.

For related information, see our article Viruses, Worms and Other Invaders, which covers today's fast-moving worms and other threats to your system. Also see Wrapster for a new Trojan exploiting the wildly popular Napster MP3 music exchange service.

** Considering the high cost of Microsoft environments and the constant "crack of the week" security patches required to keep NT secure, we suggest examining carefully whether your company can use an alternate desktop environment (OS/2, Linux, etc.).

©:Andrew Grygus - Automation Access www.aaxnet.com - aax@aaxnet.com
Velocity Networks: Network Consulting Service - Internet Service Provider - Web Page Design and Hosting
All trademarks and trade names are recognized as property of their owners