Backdoor Found
Impact
A backdoor is a program designed to hide itself on a target host. Although individual backdoors differ, they generally give whoever installed them access to the system at a later time without going through normal authentication or exploiting any further vulnerability. Two popular backdoor programs are NetBus and Back Orifice.
Background
Back Orifice, developed by the underground hacker group The Cult of the Dead Cow, is a backdoor program for Windows 95/98. Once installed, the Back Orifice server listens on a pre-specified UDP port (31337 by default). From that point on, anyone who knows which port Back Orifice is listening on, and the Back Orifice password, can remotely control the target host. Back Orifice consists of two parts: a server, which is placed on the target system, and a client, which is used to control the remote host. The client may be either text or graphics based. Using Back Orifice, a malicious user can execute commands, list files, start and stop services, share directories, upload and download files, modify or delete registry entries, and kill programs running on the target system.
NetBus, another backdoor program, is functionally very similar to Back Orifice, but additionally lets a malicious user open and close the CD-ROM drive, pop up interactive dialog boxes to chat with the user of the compromised system, and listen to the target system's microphone (if one is installed). NetBus uses TCP for communications and by default listens for incoming connections on ports 12345 and 12346. Like Back Orifice, NetBus allows the installer to assign a password to the program. Unlike Back Orifice, NetBus also runs on Windows NT.
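The listening ports described above give a first-pass local check: a host whose netstat table shows a UDP listener on 31337 or TCP listeners on 12345/12346 deserves a closer look. The following is an added example written for this page, not a tool from the original text, from ISS, or from the authors of either backdoor. It parses the table printed by the Windows `netstat -an` command (the sample below is constructed in that layout, not a real capture) and flags only the default ports named above. Because the Back Orifice port is configurable, a clean result proves nothing, and a hit should be confirmed by examining the process and registry as the detection procedures referenced later on this page describe.

```python
"""First-pass check for Back Orifice / NetBus listeners in `netstat -an` output.

Added example for this page. It matches only the default ports the page names
(Back Orifice: UDP 31337; NetBus: TCP 12345 and 12346). The Back Orifice port
can be changed by the installer, so an empty result is not a clean bill of
health, and any hit should be confirmed by inspecting the owning process.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# (protocol, port) -> description. Only the defaults the page mentions.
KNOWN_BACKDOOR_PORTS: Dict[Tuple[str, int], str] = {
    ("UDP", 31337): "Back Orifice (default UDP port)",
    ("TCP", 12345): "NetBus (default control port)",
    ("TCP", 12346): "NetBus (default second port)",
}


@dataclass(frozen=True)
class Listener:
    proto: str        # "TCP" or "UDP"
    local_addr: str   # address part of the Local Address column
    local_port: int   # port part of the Local Address column
    state: str        # "LISTENING" for TCP; UDP rows carry no state, so ""


def parse_netstat(text: str) -> List[Listener]:
    """Parse the Windows `netstat -an` table into Listener records.

    Keeps TCP sockets in the LISTENING state and every UDP socket (UDP rows
    have no State column). Header, banner and blank lines are skipped.
    """
    listeners: List[Listener] = []
    for raw in text.splitlines():
        parts = raw.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue  # "Active Connections", column headers, blank lines
        proto, local = parts[0], parts[1]
        addr, _, port_s = local.rpartition(":")
        if not port_s.isdigit():
            continue
        state = parts[3] if proto == "TCP" and len(parts) >= 4 else ""
        if proto == "TCP" and state != "LISTENING":
            continue  # established or closing TCP sockets are not listeners
        listeners.append(Listener(proto, addr, int(port_s), state))
    return listeners


def find_backdoor_ports(listeners: List[Listener]) -> List[Tuple[Listener, str]]:
    """Return (listener, description) for each listener on a known default port."""
    hits: List[Tuple[Listener, str]] = []
    for lst in listeners:
        desc = KNOWN_BACKDOOR_PORTS.get((lst.proto, lst.local_port))
        if desc:
            hits.append((lst, desc))
    return hits


# Constructed sample in the layout of Windows `netstat -an`; not a real capture.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:139            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:12345          0.0.0.0:0              LISTENING
  TCP    0.0.0.0:12346          0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1044      192.168.1.20:80        ESTABLISHED
  UDP    0.0.0.0:137            *:*
  UDP    0.0.0.0:31337          *:*
"""

if __name__ == "__main__":
    for listener, desc in find_backdoor_ports(parse_netstat(SAMPLE_NETSTAT)):
        print(f"{listener.proto} {listener.local_addr}:{listener.local_port} -> {desc}")
```

On a real host, pipe the output of `netstat -an` into `parse_netstat` instead of the constructed sample. The established connection on port 1044 is deliberately ignored: only sockets that are accepting connections matter for a backdoor listener check.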
The Problems
The problem with these programs is, of course, that remote or local users can take control of a target system (bad enough in itself) and then use the information found on that system to compromise the rest of the network it resides on. For instance, both Back Orifice and NetBus let a malicious user view the passwords cached on a target system in clear text; those passwords can then be tried against the various servers on the network. Both programs also include keystroke loggers, which can be used for the same purpose. The presence of a single compromised machine therefore poses an enormous security risk to the entire network.
Both Back Orifice and NetBus are relatively new programs, and their full implications cannot yet be assessed. It is worth noting that Back Orifice has been downloaded over 200,000 times from the Cult of the Dead Cow's web site alone. Within a few months, millions of copies of these programs may be circulating on the Internet, installed, configured and silently working. The release of Back Orifice and NetBus has ushered in a new era in hacking. Historically, hacking has been the province of those with enough knowledge and dedication to find and exploit vulnerabilities in particular operating systems and programs, a relatively small group of people. Now, using "turnkey" hacking programs such as Back Orifice and NetBus, anyone with an Internet connection and the most basic understanding of computing can wreak havoc on target systems and networks. The chance that you will be a victim of such an attack rises with each download.
Resolution
Good security practices, including careful and safe web browsing, are the main defense against these programs. Back Orifice and NetBus both have to be run on the target system to be installed; in other words, they cannot be installed remotely. Usually it will not be the malicious user who runs the program, but the user of the system. Both backdoor programs can be combined with other executables so that when the other executable is run, the backdoor, or trojan horse, runs in the background. These executables may take many forms: software programs, installers with the backdoor hidden in their installation routines, attachments to animated email postcards, and attachments to ordinary email messages, to name just a few of the delivery vehicles. Never install software or run programs that come from questionable or untrusted sites. This point cannot be made often enough, and it will become even more relevant as backdoor programs become more numerous and more harmful. With all of the threats out there, it is just not worth it.
The above paragraph deals mainly with threats from external users, but internal users may also decide to employ these programs. In such cases, defending against attacks involves limiting access to machines to those authorized to use them. Logon and BIOS-level passwords may help, as may limiting physical access to machines. Sometimes, though, even the most thoughtful security procedures will not prevent a malicious user from infecting a system on the network. Fortunately, there are procedures for detecting and removing Back Orifice and NetBus once they have been installed. Read ISS's Windows Backdoor Alert for detailed information on these detection and elimination procedures.
Note: Several programs purporting to remove Back Orifice and NetBus themselves carry trojan horse programs. The most widespread of these bogus "cleaner" programs is named bosniffer.exe; under no circumstances should it be run. If at all possible, removal should be done manually. If that is not feasible, stick with cleaner programs developed by known vendors such as McAfee or Norton.
Where can I read more about this?
Read AntiOnline's thoughts on Back Orifice at their
Back Orifice Information page. Other good sites
for Back Orifice information include IDG's
Security Watch, a2000's BO Info site, and,
of course, The Cult of the Dead Cow itself, from which you can download the
program and plugins for evaluation purposes.
A good source of information on the NetBus program is a2000's
NetBus Information site.
Other sites to visit include ircHelp and
Technotronic, from which you can download the
program for evaluation purposes.