
Warning - Back Orifice Backdoor may be present!!


Low Ee Mien

Oct 3, 1998, 3:00:00 AM
Hi all,

Just a warning to everyone who downloads files
from the Files Exchange Centre on one of the
Singapore ONE's websites at http://fun.s-one.net.sg :

I think I have found the Back Orifice backdoor /
Trojan Horse program present in one of the files
there. It installed itself as an auto-start program
in my registry under Run Services. Once installed,
I have been told, it would have acted as an illegal
server providing full access to the system through
the network for any would-be hackers who have the
client program.

Can't be sure which file it was, because I have
downloaded quite a number of files to try out these
past few days, so it's either one or more of the
following:

WinAmp 2.02
CuteFTP 2.6
Microsoft Media Player 6.0
Any one of the Wing Commander Secret Ops episodes
Need for Speed III playable demo

I'm sorry I can't be any more specific than that.

Is there any way to scan for the presence of the
Back Orifice program embedded in an EXE file?

Low Ee Mien
NTU/SAS/CE
Singapore


Distribution :

* sg.cablenet
* sg.cablenet.help
* soc.culture.singapore
* DP
* AM1
* [SK] on S-ONE

boon

Oct 4, 1998, 3:00:00 AM
My Thunderbyte virus scanner keeps beeping for changes in the header in the exe
and system dll files. Is that the way Orifice behaves as an embedded exe
virus? I have suspected that there is some form of virus infecting my PC,
but I can't trace what and where it is.

Maybe you can shed light on the behaviour of the Orifice virus?
This will greatly help a lot of us to trace whether we have caught the virus.

And this happens after I have downloaded some of the files in the Exchange
Centre...
Low Ee Mien wrote in message

Low Ee Mien

Oct 4, 1998, 3:00:00 AM
boon wrote :

> My Thunderbyte virus scanner keep beeping for change in
> header in the exe and system dll files . Is that the way
> Orifice behave as an embedded exe virus? I have suspected
> that there are some form of virus infected in my PC
> but I can't trace what and where it is...

Heard that it can be embedded in an EXE file and
distributed around. Once you run the EXE file, it loads
itself into memory and proceeds to configure your system
to run it every time you boot up.

As far as I can determine, it loads itself up in one
of the auto-start program entries in your registry, under
Run Services. You can either look at it yourself, or use a
utility like More Properties to edit it.

The auto-start entry referred to a 124 KB file, o.exe, which
I found residing in the \windows\system directory.
Once you delete the registry entry, you can re-boot and
then remove the file from the system.

Peng Jianxiong

Oct 4, 1998, 3:00:00 AM
to William Lim
I also got 1 .... pls e-mail me for more info about Back Orifice as well ...


William Lim wrote:

> Juz run this s/w to detect and remove back orifice..
>
> boon wrote in message <6v6sde$i92$1...@newsie.singa.pore.net>...
>
> >My Thunderbyte virus scanner keep beeping for change in header in the exe
> >and system dll files . Is that the way Orifice behave as an embedded exe
> >virus? I have suspected that there are some form of virus infected in my PC
> >but I can't trace what and where it is.
> >
> >Maybe you can shed light on the behaviour of the orifice virus?
> >This will greatly help alot of us to trace whether we have caught the virus.
> >
> >And this happens after I have downloaded some of the files in Exchange
> >centre...
> >Low Ee Mien wrote in message
>
> Name: BoDetect_NeedsMFC.zip
> Type: Zip Compressed Data (application/x-zip-compressed)
> Encoding: x-uuencode


Xac

Oct 4, 1998, 3:00:00 AM
Back Orifice trojan found in the Dancing Baby screen saver too.

Norton AntiVirus should be able to clean it up.

Synapse Man

Oct 4, 1998, 3:00:00 AM
I have always found the dancing baby series of animations to be ugly.
Cute, meh?

Lord_Daemon

Oct 4, 1998, 3:00:00 AM
I think this should be opened as a new topic. Wat do I noe?

irascibly,
Lord_Daemon

Steve Cheong

Oct 4, 1998, 3:00:00 AM
Just run regedit and look under:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce

Check for any programs that were not intentionally set to run by any program u
installed.

If u have any, u got the virus.

To know more, read this:

Hacker Group Releases Windows Intrusion Tool
(08/04/98; 4:42 p.m. ET)
By Andy Patrizio, TechWeb

A hacker group has released a remote utility that will let anyone access a Windows PC and fully control and manipulate the computer over a TCP/IP network.

The tool is called Back Orifice, a play on Microsoft Back Office, although it has nothing to do with the Microsoft administration tool.

It was reportedly developed by a programmer in his early 20s, who is a member of the Cult of the Dead Cow, a hacker group that dates back to 1984. The programmer, when interviewed by TechWeb, would not give his real name, but said he goes by the name Sir Dystic.

Back Orifice was released last weekend at DefCon VI, the annual hacker convention sponsored in Las Vegas, where some participants wore masks to cover their identities.

Despite the silly name, Back Orifice is quite a serious tool. It lets remote users access a Windows 9x system's file system, the Registry, the control panel, passwords, network access, and even processes and devices. If a camera is hooked up to the PC, remote users can take pictures with it.

Even more disturbing, the keyboard monitor will log all keystrokes, including passwords.

For Back Orifice to work, a small executable is needed on the client computer. There is a stealth program that can be installed on a computer that will delete itself after installation, according to the programmer. He said he is planning a Windows NT version in the future.

The programmer said he wrote Back Orifice because Microsoft has said there is little or no security in Windows 9x, but the vast majority of computers on the Internet are Windows 9x-based.

"But who on the Net cannot afford to be concerned about security?" he said. "Part of the issue of dealing with security is it's a complicated issue, and Windows 95 is marketed at 5-year-olds. They don't want to confuse people with all those security features."

There are legitimate uses for Back Orifice, the unnamed programmer said. It can be used as a remote-administration tool and for tech-support issues because a remote tech-support agent could poke around in an ailing computer with ease. "I have had many responses to it from professionals saying 'I do intend to use this legitimately'," he said.

Microsoft views Back Orifice as no different than remote-access tools like Symantec's pcANYWHERE, and does not plan to issue any patches to block Back Orifice infiltration.

"It doesn't create or exploit any holes in the Windows platform," said Karan Khanna, product manager for Windows NT and manager of Windows-related security issues at Microsoft. "If users follow safe computing practices -- [such as] don't download software from sources they do not know and don't install software that isn't digitally signed -- they are safe."

Back Orifice does represent a threat, but not from Internet hackers, said David Moskowitz, president of Productivity Solutions, a consultancy in King of Prussia, Penn. "In the hands of disgruntled employees, you have problems," he said. "Most types of malicious attacks for companies come from disgruntled employees -- not from disinterested third-parties."

The creator of Back Orifice said he hopes this will light a fire under Microsoft to fix security problems in its operating system.

"The only way they will have any incentive to make a good OS is if there's a direct and immediate threat -- not that I wrote this to be a threat," he said. "They're going to have to deal with it, or it may end up affecting their business. And I have little doubt that there are other programs out there like this one that they've never heard of."

Moskowitz said he thinks Sir Dystic -- who said he is unemployed and hopes Back Orifice will get him a job -- should find someone with business sense to turn his utility into a legitimate product.

"He's got a potential business that's worth millions of dollars," Moskowitz said. "There is a problem with managing Windows 95 workstations, and if he's got a way to make this work and turn it into a legit product, he's sitting on top of a bloody gold mine."

----------------------------------------------------------------------------------------------------------------

Security Firm Exposes Back Orifice Functions
(08/07/98; 8:01 p.m. ET)
By Andy Patrizio, TechWeb

Just a week after a hacker group posted a utility that could give anyone on a TCP/IP network complete access to another Windows 95 PC, a security firm has come out with an evaluation of the software and its potential threat, and a method to detect and remove it from the system.

The group, Cult of the Dead Cow, released Back Orifice at its annual Las Vegas gathering, called DefCon, last week. Back Orifice, programmed by a young programmer who would only identify himself as Sir Dystic, promised to give users access to another computer's file system, network information, registry, and processes.

More ominously, it could sniff network traffic and save all keyboard keystrokes, including passwords.

The advisory comes from Internet Security Systems (ISS), of Atlanta, which develops network security software and has an R&D team, called X-Force, which searches for security holes like the ones Back Orifice exploits.

The X-Force team examined Back Orifice and found it provides "an easy method for intruders to install a back door on a compromised machine." It also said Back Orifice's authentication and encryption is weak, and therefore easy to detect and determine what has been transmitted.

Back Orifice promised so much, there was some speculation it was a hoax, but ISS said it does everything it claims to do. "We wouldn't have gone out with an advisory if it wasn't real," said Chris Klaus, chief technology officer and founder of ISS.

ISS found how Back Orifice installs itself on the computer, setting up files and burying itself in the Registry, and posted details on how to remove it. The company is developing a Back Orifice detector and remover, but couldn't say when it would be released.

Forrester Research analyst Ted Jullian said Back Orifice illustrates how easily systems can be compromised, and how important effective security is. "If there's a lesson to be learned, it's simply the importance of having intrusion detection in place, and also putting in mechanisms to control what users bring in," he said.

----------------------------------------------------------------------------------------------------------------

Vendors Rush Back Orifice Detectors To Market
(08/12/98; 8:10 p.m. ET)
By Andy Patrizio, TechWeb

Perhaps the surest sign that hacker tool Back Orifice represents a real threat is the number of vendors falling over themselves to get cleaning software on the market.

Back Orifice, a hacker tool that promises total access to a Windows 95 system via a TCP/IP network, was released August 3 by the hacker group Cult of the Dead Cow (cDc). It was written by an unemployed, 20-something programmer from the San Francisco Bay Area who uses the name Sir Dystic.

The tool was first introduced at DefCon IV, the annual hacker gathering in Las Vegas sponsored by cDc. Since it was posted, 35,000 copies have been downloaded, according to cDc.

Publicly, Microsoft has said Back Orifice is no big deal, but the reaction by security firms and anti-virus vendors contradicts that. In the week since the product's release, four vendors have released Back Orifice detection and/or cleaning software.

Among those vendors are Fresh Software, which makes Time's Up, a product that lets parents limit how long children play PC games; Trend Micro, maker of the Web-based Trend HouseCall service for searching for viruses; Privacy Software, which released BOClean, a Back Orifice remover; and Panda Software, which updated its anti-virus software line to detect and remove Back Orifice.

But the rush to release cleaners is more of a marketing ploy than an indication of a real threat, said Russ Cooper, editor of NTBugtraq, which follows operating system bugs and exploits. "The fact that you're infecting yourself with Back Orifice is no different than infecting yourself with a boot-sector virus," he said.

Back Orifice, while dangerous in that it can monitor all tasks, access the registry and file system, and catch the keystrokes from a keyboard, can't force its way into a computer. To get in, an executable must be run on the PC.

Cooper doesn't believe Back Orifice is a great risk, but he also isn't happy with cDc for releasing it. "cDc wants to convince the world that Windows 95 isn't secure," he said. "Well, thank you, but we didn't need [cDc] to prove that."

Microsoft continues to insist Back Orifice isn't a threat, despite the huge number of downloads and the rush for cleaner software. "Our recommendation, just like any other software, is that users should be careful installing software from untrusted sources," said Karan Khanna, product manager for Windows NT. Khanna said Microsoft has no plans to patch Windows 98 to block Back Orifice.

Microsoft is eager to prevent other vendors from profiting from Back Orifice, said Rob Enderle of Giga Information Group. "Microsoft doesn't want to create a revenue opportunity for people doing this, so they are being cautious about reacting."

But cDc is not standing still. The group released a Unix client for Back Orifice, so someone on a Unix system can probe a Windows 95 PC, and it also released plug-ins for the software, called BUTTPlugs.

cDc also says Microsoft has privately asked the group for help in patching Windows 98, which Microsoft's Khanna denied.
----------------------------------------------------------------------------------------------------------------

August 17, 1998, Issue: 728
Section: News & Analysis

Hostile Applet Alert
Rutrell Yasin

A hostile Java applet containing the Back Orifice hacker tool has been discovered on a Java consulting firm's Web site, officials at Java security supplier Finjan Software Ltd. reported last week. Designed by the Cult of the Dead Cow hacker group and introduced at the recent Def Con hacker conference, Back Orifice can remotely monitor and control Windows 95 and Windows 98 systems. It can add and delete files, directories and registry entries. As a demonstration, the Back Orifice application was embedded in a Java applet and installed in a browser. The demo shows that someone with malicious intent could very well use mobile code -- Java and ActiveX applications -- to launch a new kind of attack on networks. Finjan offers a line of security tools -- SurfinShield and SurfinGate -- that can block this type of applet and protect companies from the growing threat mobile code poses to network resources. The company also is teaming up with Worldtalk Corp. to protect corporate E-mail systems from mobile code threats.


To get the program & further details, follow this:

http://www.cultdeadcow.com/tools/bo.html

Pls note the above is FYI only, not to be abused.
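The check Low Ee Mien and Steve Cheong describe in this thread (look in Run, RunOnce and RunServices for an entry you did not put there, then inspect the file it points to) written up as an added example in modern PowerShell; this is not code from the thread or from any tool it names. It assumes a Windows host with the Registry provider available; the size and Authenticode columns are this example's own heuristics and are prompts to look closer, not verdicts.

```powershell
# Added example, not from the thread: list what the classic autostart keys
# launch, so an unexpected loader such as the \windows\system\o.exe the
# thread reports under RunServices stands out. Key paths are the real ones;
# the size/signature columns are illustrative and each hit still needs a look.
$autostartKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Resolve-AutostartImage {
    # Pull the executable out of a command line such as
    #   "C:\Windows\system\o.exe" /s   or   C:\Windows\system\o.exe
    # An unquoted path containing spaces is a known limitation of this split.
    param([string]$CommandLine)
    if ($CommandLine -match '^\s*"([^"]+)"') { $image = $Matches[1] }
    else { $image = ($CommandLine.Trim() -split '\s+')[0] }
    return [Environment]::ExpandEnvironmentVariables($image)
}

function Get-AutostartReport {
    foreach ($key in $autostartKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        $values = Get-ItemProperty -Path $key
        if ($null -eq $values) { continue }
        foreach ($prop in $values.PSObject.Properties) {
            # Get-ItemProperty adds PSPath, PSParentPath, ... bookkeeping; skip them
            if ($prop.Name -like 'PS*') { continue }
            $image  = Resolve-AutostartImage -CommandLine ([string]$prop.Value)
            $exists = (-not [string]::IsNullOrWhiteSpace($image)) -and (Test-Path -LiteralPath $image -PathType Leaf)
            $sizeKB = $null
            $signed = 'n/a'
            if ($exists) {
                $sizeKB = [math]::Round((Get-Item -LiteralPath $image).Length / 1KB)
                # NotSigned alone is not a verdict: plenty of legitimate older software is unsigned too
                $signed = [string](Get-AuthenticodeSignature -FilePath $image).Status
            }
            [pscustomobject]@{
                Key = $key; Name = $prop.Name; Command = $prop.Value
                Image = $image; Exists = $exists; SizeKB = $sizeKB; Signed = $signed
            }
        }
    }
}

Get-AutostartReport | Format-Table -AutoSize
```

An entry whose image is missing, or whose image sits in the system directory yet matches no software you remember installing, is the kind of line the thread's posters were hunting for by hand in regedit.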
