Tech Talk

August 3, 1998

August 10, 1998

August 17, 1998


Tech Week

A new Windows utility unveiled at a hacker convention in Las Vegas last week has security experts and system administrators everywhere scrambling for protection. The utility, called "Back Orifice," allows just about anyone to gain control over certain computers running Windows 95 or Windows 98. It was released under the guise of an "Administrative Tool" during the sixth annual DefCON hacker conference in Las Vegas. The program's name, which humorously belies its potential for destruction, is meant to mock a suite of server management applications from Microsoft called Back Office. The program was developed by a group of hackers calling themselves the Cult of the Dead Cow (CDC). The program's creator, who goes only by the name "Sir Dystic," said the utility was created to force Microsoft to rethink its security strategy. Dystic alleges that, in an effort to make computers more user friendly, Microsoft has compromised system security. Back Orifice appears to be an all-in-one hacker suite intended to raise public awareness about computer security. In order to exploit a system, a hacker or administrator must install a sort of Back Orifice client on the target machine -- a task that isn't as difficult as it sounds. While the program easily can be installed personally by a system administrator, the task also can be accomplished remotely by a hacker without the victim ever being aware of it. The Back Orifice installer can be disguised as just about anything, but probably the most easily accomplished method of installation would be to send it as an attachment to an e-mail message. Though many security experts advise that no attachment from an unknown source ever should be opened, it is not uncommon for individuals to receive such files. The program also can be installed by exploiting a new security hole found in popular e-mail programs from Microsoft, Netscape and Eudora. That hole, originally discovered by a group of programmers in Finland last month, tricks Microsoft Outlook Express, Outlook 98 and Netscape's Windows e-mail clients into executing a line of code hidden within the name of a file sent as an attachment. A week later, the flaw was found to affect Eudora as well. That code, it was discovered, could be used to launch Trojan horse applications -- like Back Orifice. While applications already exist that allow for remote administration of most computers, Back Orifice is dangerous because the first thing the program does when it is installed is hide the fact that it is installed. It can also be configured to run under whatever name the hacker chooses. The program comes in the form of a single executable file that, once launched, establishes a hidden connection to a remote machine, where a hacker or administrator can view or alter virtually any system component, including the Windows Registry, password files, database files and personal documents. The program also can be used to retrieve screenshots of a victim's computer, or to record keystrokes for obtaining passwords and log-ins to secure machines. Predictably, Microsoft said Back Orifice did not represent a threat to Windows end users. That depends, of course, on your personal definition of the term "threat." If an "end user" isn't bothered by the thought of someone secretly monitoring his activity, the program wouldn't present a much of a problem. But for any user worried about even moderate breeches of system integrity, or for anyone with a connection to an NT server, or for that matter to any Windows machine, Back Orifice could be a security nightmare if the machines are not protected by a corporate firewall. Here's why: If an attacker is successful in installing Back Orifice on a Windows machine with access to another computer over a Wide Area Network, he easily could access that machine's "lmhosts" file. With that file, which contains a list of hosts -- complete with NetBios names and IP addresses -- and a few minutes of recorded keystrokes taken just after system startup, a hacker could gain access to any number of other machines. But even if its installation is masked, several applications have surfaced claiming to be able to "sniff out" the Back Orifice client. Also, several recent posts on NTBUGTRAQ.COM outline methods for detection and elimination of the program. Still, the best way to prevent Back Orifice from ending up on your machine is to simply be careful. Think twice about executing files received via e-mail or downloaded from questionable sites. Third-party software publishers, including Networks Associates Inc., still are developing products to battle the utility.


August 3, 1998

August 10, 1998

August 17, 1998