
84-02-02

DATA SECURITY MANAGEMENT

AN INTRODUCTION TO THE 2000 PROGRAM

Christopher Klaus

INSIDE: General Information on Backdoor Programs; Installation Procedure; Using BO2K; Commands; Protecting Against BO2K

Back Orifice 2000 (BO2K) is a backdoor program designed for misuse and attack. It was released in July 1999 at DefCon VII, a convention held in Las Vegas, Nevada. Credit for developing and releasing BO2K was claimed by a computer hacker organization that calls itself The . BO2K is a refinement of an earlier program with a similar name. BO2K takes the form of a client/server application that remotely controls an information processing application with a fixed IP (Internet Protocol) address without the knowledge of either the responsible system administrators or the affected end users. Once it has been installed, BO2K gathers information, performs system commands, reconfigures machines, and redirects network traffic, without authorized access for any of these services. BO2K can be used as a simple monitoring tool, but its main purpose is to maintain unauthorized control over another machine for reconfiguration and data collection. These features, plus the invisibility of BO2K, make this backdoor program especially dangerous for both the administrators and the end users in a networked environment. Unlike a conventional computer virus, BO2K is not self-replicating. It must deceive an individual user into installing the program. Once it has been installed, BO2K easily performs unauthorized actions without the knowledge of the user.

PAYOFF IDEA
Back Orifice 2000 (BO2K) is a backdoor program designed for misuse and attack. While it can be used as a simple monitoring tool, its main purpose is to maintain unauthorized control over another machine for reconfiguration and data collection. This article describes backdoor programs in general, BO2K in particular, and provides suggestions for protecting against it.

Auerbach Publications © 2000 CRC Press LLC

GENERAL INFORMATION ON BACKDOOR PROGRAMS

Backdoor programs are significantly more dangerous than conventional computer viruses. This particular type of program can be used by an intruder to take control of a microcomputer or a workstation and potentially to gain broad network access. Until now, the most widely distributed backdoor programs have been Netbus and the first version of Back Orifice. These programs are commonly referred to as Trojan horses, because they pretend to do something other than their actual function. Typically, backdoor programs are sent as attachments to electronic mail messages with innocent-looking file names. Also, BO2K has a plug-in architecture that enables it to disguise itself once it has been installed.

Many authors of backdoor programs claim that they have not written them to be intrusion tools. Rather, the authors claim that their programs are remote-control utilities that demonstrate weaknesses in already installed operating systems. However, the actual use of these programs, as demonstrated by their past activity, indicates that these Trojan horses are frequently used to gain unauthorized access to, and use of, an information processing application, even though no significant vulnerability can be identified in the operating systems that they impact.

Netbus is available in versions for , , and Windows NT. The first version of Back Orifice, initially released in July 1998, was available for Windows 95 and Windows 98. With the release of BO2K, Windows NT is impacted, making this version especially dangerous for organizational networked environments.

INSTALLATION PROCEDURE

Installing BO2K involves two separate operations: client installation and server installation. BO2K installs on the server machine using a simple process: the server application is executed, and BO2K is installed. This executable, originally named bo2k.exe, can be renamed. The name used for the executable is specified either in the client installation or, as illustrated in Exhibit 1, in the BO2K Configuration Wizard. This Wizard steps through various configuration settings, including the server file (which is the executable), the network protocol (either TCP [Terminal Control Protocol] or UDP [User Datagram Protocol]), the port number, and the data and use administration mechanisms in use. Once this process is complete, running bo2kgui.exe executes the graphical user interface (GUI) for BO2K, which is depicted in Exhibit 2.

EXHIBIT 1 — The BO2K Configuration Wizard

The BO2K Configuration Wizard is designed to allow quick setup and immediate use of the program on a specified server, assuming some defaults. However, many options can be set manually through the Configuration utility. These options are mainly used to reduce the chance that BO2K will be detected by the system administrator or an application user. The Configuration Wizard steps through these settings:

• Server File
• Network Protocol (UDP or TCP)
• Port Number
• Encryption (XOR or 3DES [Triple Data Encryption Standard])
• Password-Encryption Key

Once the Configuration Wizard completes this activity, the Server Configuration utility screen is displayed, as shown in Exhibit 3. This utility allows increasingly granular control over how BO2K is run, including the client/server telecommunications settings and the methods for preventing the program from being detected. The option variables provided by this utility and their descriptions are given in Exhibit 4.

EXHIBIT 2 — The Graphical Interface of BO2K

EXHIBIT 3 — The Server Configuration Utility Screen

USING BO2K

bo2kgui.exe executes the BO2K Workspace (depicted in Exhibit 2), which contains a list of the servers that have been compromised and that has been saved from a previous use of this program. These servers must be defined before BO2K can connect to any system and the program can be used. Each named server must be described by its name, IP address, and connection information. Exhibit 5 depicts the screen for editing the server settings.

When a server has been defined, the Server Command Client is displayed, as illustrated in Exhibit 6. This window enables access to BO2K's commands. When the user of BO2K clicks on a category, BO2K displays the individual functions. Some of these functions require that additional parameters, such as filenames and port numbers, be provided.

SERVER COMMANDS

Over 70 commands are contained within BO2K. These commands gather information and send various instructions to the server. After a connection is made between the two machines, a command is selected, the applicable parameters are entered, and the Send Command button runs the command on the chosen server. Responses from the server are displayed in the Server Response window, which is depicted in Exhibit 7. The server commands and their descriptions are given in Exhibit 8.


EXHIBIT 4 — Server Configuration Utility Option Variables

File Transfer
  File Xfer Net Type: Lists and changes the network protocol for communication
  File Xfer Bind Str: File transfer bind string, where RANDOM is the default
  File Xfer Encryption: Lists and changes the current encryption method
  File Xfer Auth: File transfer authentication, whose default is NULLAUTH

TCPIO
  Default Port: Displays and changes the port that is being used for TCP communication

UDPIO
  Default Port: Displays and changes the port that is being used for UDP communication

Built-in
  Load XOR Encryption: Enables or disables XOR encryption, which is weaker than Triple DES
  Load NULLAUTH Authentication: Enables or disables NULLAUTH authentication
  Load UDPIO Module: Enables or disables UDP communication
  Load TCPIO Module: Enables or disables TCP communication

XOR
  XOR Key: Lists and changes the password for XOR authentication

Startup
  Init Cmd Net Type: Displays and changes the network protocol for startup
  Init Cmd Encryption: Displays the current value for encryption at startup
  Init Cmd Auth: Displays and changes the current authentication for startup
  Idle Timeout (Ms): Changes the time in milliseconds after which the server times out and disconnects

Stealth Operation
  Run At Startup: Enables or disables running BO2K at computer startup
  Delete Original File: Deletes the original exe file (the choice is Enable or Disable)
  Runtime Pathname: Changes the value for the runtime pathname
  Hide Process: Enables or disables hiding the process
  Host Process Name (NT): Changes the process name on the host machine; the default is BO2K
  Service Name (NT): Changes the service name from Service to another name that is specified in the utility
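The table rates the XOR option as weaker than Triple DES. The Python below is an added example, not code from the article or from BO2K, that shows why: a repeating-key XOR gives up its key to anyone who knows a few bytes of plaintext in the stream, so a sensor that captured a session can recover the rest of it. The key, the message, the fixed greeting assumed at the start of the stream, and the xor_crypt, recover_key and break_repeating_xor names are all constructed for this demonstration and are not BO2K's wire format.

```python
# Added example (not part of the article): why a repeating-key XOR gives a
# network sensor a shortcut that Triple DES does not. The key, the message
# and the assumption that the stream opens with a fixed greeting are all
# constructed for this demonstration and are not BO2K's actual wire format.
import itertools
from typing import Optional, Tuple


def xor_crypt(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same function encrypts and decrypts."""
    return bytes(b ^ k for b, k in zip(data, itertools.cycle(key)))


def recover_key(ciphertext: bytes, known: bytes, offset: int, key_len: int) -> bytes:
    """Recover a key of length key_len from key_len known plaintext bytes
    that sit at `offset` in the stream. Each key byte is simply c ^ p."""
    key = bytearray(key_len)
    for i in range(key_len):
        pos = offset + i
        key[pos % key_len] = ciphertext[pos] ^ known[i]
    return bytes(key)


def break_repeating_xor(ciphertext: bytes, known: bytes, offset: int,
                        max_key_len: int = 32) -> Optional[Tuple[bytes, bytes]]:
    """Try key lengths from short to long and accept the first whose
    recovered key reproduces the whole known fragment. The fragment must be
    at least one byte longer than the true key, so that a too-short guess
    is caught by the byte just past the candidate period."""
    for key_len in range(1, min(max_key_len, len(known) - 1) + 1):
        key = recover_key(ciphertext, known, offset, key_len)
        plain = xor_crypt(ciphertext, key)
        if plain[offset:offset + len(known)] == known:
            return key, plain
    return None


# Constructed 8-byte key with all-distinct bytes (see break_repeating_xor).
SAMPLE_KEY = bytes([0x3A, 0x91, 0x07, 0xC4, 0x5E, 0x18, 0xA7, 0x62])
# Constructed session: a greeting line followed by two command lines.
SAMPLE_PLAINTEXT = b"HELLO host01\r\nGET SYSTEM INFO\r\nLIST SHARES\r\n"
# What the sensor is assumed to know: the fixed greeting at offset 0.
SAMPLE_KNOWN = b"HELLO host01\r\n"
SAMPLE_CIPHERTEXT = xor_crypt(SAMPLE_PLAINTEXT, SAMPLE_KEY)

if __name__ == "__main__":
    result = break_repeating_xor(SAMPLE_CIPHERTEXT, SAMPLE_KNOWN, 0)
    if result is not None:
        key, plain = result
        print("recovered key:", key.hex())
        print("recovered session:", plain.decode("ascii"))
```

Fourteen known bytes are enough to hand back the whole eight-byte key and, with it, every later command in the session. Triple DES offers no such shortcut, which is why the protection advice in this article leans on host indicators and connection behaviour rather than on reading the payload.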

PROTECTING AGAINST BO2K

Once BO2K is installed, its highly configurable nature makes it very difficult to detect. Backdoor programs are typically complex, and several detection methods are recommended to achieve maximum awareness of BO2K installations and protection for any machine or series of machines on a network. By default, BO2K installs itself in a Windows system directory as a file called UMGR32.EXE. If Windows NT is running, it installs a service that is listed as Remote Administration Service. This is a default name and can be changed.
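As an added illustration (not code from the article or from ISS), the Python below evaluates a constructed host inventory against the three defaults the article names, the UMGR32.EXE file, the Remote Administration Service service and the BO2K host process name, and also against a known-good baseline, because every one of those defaults can be changed in the Server Configuration utility. The HostInventory and Baseline types, the check_host function and all sample values, including the port numbers, are constructed for this example.

```python
# Added example (not part of the article): evaluate a host inventory against
# the BO2K defaults the article names and against a known-good baseline.
# The inventory and baseline values below are constructed for the demonstration.
from dataclasses import dataclass
from typing import List, Set, Tuple

# Defaults stated in the article. Each can be changed in the Server
# Configuration utility, so a match is evidence rather than proof, and a
# miss proves nothing; the baseline comparison catches renamed instances.
BO2K_DEFAULT_FILE = "UMGR32.EXE"
BO2K_DEFAULT_SERVICE = "Remote Administration Service"
BO2K_DEFAULT_PROCESS = "BO2K"


@dataclass
class HostInventory:
    system_dir_files: List[str]   # file names found in the Windows system directory
    services: List[str]           # registered service names (NT)
    processes: List[str]          # names of running processes
    listening_ports: Set[int]     # TCP/UDP ports with a listener


@dataclass
class Baseline:
    system_dir_files: Set[str]    # upper-case names from an approved build
    services: Set[str]
    processes: Set[str]           # upper-case names
    listening_ports: Set[int]


def check_host(inv: HostInventory, base: Baseline) -> List[Tuple[str, str]]:
    """Return (finding_type, detail) pairs; an empty list means nothing was seen."""
    findings: List[Tuple[str, str]] = []

    for name in inv.system_dir_files:
        if name.upper() == BO2K_DEFAULT_FILE:
            findings.append(("default_file", name))
        elif name.upper() not in base.system_dir_files:
            findings.append(("unknown_system_file", name))

    for svc in inv.services:
        if svc.lower() == BO2K_DEFAULT_SERVICE.lower():
            findings.append(("default_service", svc))
        elif svc not in base.services:
            findings.append(("unknown_service", svc))

    for proc in inv.processes:
        if proc.upper() == BO2K_DEFAULT_PROCESS:
            findings.append(("default_process", proc))
        elif proc.upper() not in base.processes:
            findings.append(("unknown_process", proc))

    # The server port is configurable and Map Port adds redirectors, so any
    # listener outside the baseline is worth a look, whatever its number.
    for port in sorted(inv.listening_ports - base.listening_ports):
        findings.append(("unknown_listener", str(port)))

    return findings


# Constructed baseline for an approved NT workstation build.
SAMPLE_BASELINE = Baseline(
    system_dir_files={"KERNEL32.DLL", "USER32.DLL", "NTOSKRNL.EXE"},
    services={"EventLog", "Spooler", "Workstation"},
    processes={"EXPLORER.EXE", "WINLOGON.EXE", "SPOOLSS.EXE"},
    listening_ports={135, 139},
)

# Constructed inventory of a host carrying an install that kept every default.
SAMPLE_COMPROMISED = HostInventory(
    system_dir_files=["KERNEL32.DLL", "USER32.DLL", "NTOSKRNL.EXE", "umgr32.exe"],
    services=["EventLog", "Spooler", "Workstation", "Remote Administration Service"],
    processes=["EXPLORER.EXE", "WINLOGON.EXE", "SPOOLSS.EXE", "BO2K"],
    listening_ports={135, 139, 54320},   # port value constructed for the sample
)

# Constructed inventory of a host where the operator renamed every default.
SAMPLE_RENAMED = HostInventory(
    system_dir_files=["KERNEL32.DLL", "USER32.DLL", "NTOSKRNL.EXE", "SYSHLP32.EXE"],
    services=["EventLog", "Spooler", "Workstation", "Print Monitor Helper"],
    processes=["EXPLORER.EXE", "WINLOGON.EXE", "SPOOLSS.EXE", "SYSHLP32.EXE"],
    listening_ports={135, 139, 31337},   # port value constructed for the sample
)

# Constructed inventory of a host that matches the baseline exactly.
SAMPLE_CLEAN = HostInventory(
    system_dir_files=["KERNEL32.DLL", "USER32.DLL", "NTOSKRNL.EXE"],
    services=["EventLog", "Spooler", "Workstation"],
    processes=["EXPLORER.EXE", "WINLOGON.EXE", "SPOOLSS.EXE"],
    listening_ports={135, 139},
)

if __name__ == "__main__":
    for label, inv in (("compromised", SAMPLE_COMPROMISED),
                       ("renamed", SAMPLE_RENAMED), ("clean", SAMPLE_CLEAN)):
        print(label, check_host(inv, SAMPLE_BASELINE))
```

The renamed case is the one that matters: none of the default names match, and only the baseline comparison surfaces the extra file, service, process and listener. That is the practical reason the article asks for host scanning and network-based detection together rather than a single signature.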


EXHIBIT 5 — The Screen for Editing Server Settings

Host-based vulnerability and intrusion detection applications provide insufficient protection by themselves. Network-based systems provide critical capabilities that go beyond host-based and anti-viral solutions by detecting the presence of backdoors across the network, as well as improper connection attempts taking place from outside a network. It is recommended that users combine updated versions of anti-virus software with updated host- and network-based vulnerability scanning applications to detect violations of the organization's IS security policy that indicate that the systems involved have been compromised by BO2K. In addition, host- and network-based intrusion detection mechanisms should be used to identify BO2K attacks as they travel over the network. It is also recommended that computing users take these important precautions:

• Do not open electronic mail message attachments, especially those originating from non-trusted sources.
• Do not accept files from Internet chat mechanisms, as they inherently introduce vulnerabilities.
• Be sure that network file sharing is not enabled on machines that are connected to the Internet without proper security measures being in place.

EXHIBIT 6 — The Server Command Client Enables Access to the BO2K Commands
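As an added example (not from the article), the first precaution can be partly enforced at the mail gateway: the Python below flags attachment names that read as documents but carry an executable extension, the innocent-looking file names mentioned earlier. The extension sets, the sample names and the classify_attachment and blocked_attachments functions are constructed for this example, and the executable-extension list is deliberately short.

```python
# Added example (not part of the article): a mail-gateway check for attachment
# names that look like documents but would execute on Windows. The extension
# sets and the sample names are constructed for this demonstration.
from typing import List, Tuple

# Extensions Windows runs directly (constructed list, not exhaustive).
EXECUTABLE_EXTS = {"exe", "com", "scr", "pif", "bat", "cmd", "vbs", "js"}
# Extensions a reader would take for harmless content.
DOCUMENT_EXTS = {"txt", "doc", "xls", "jpg", "gif", "pdf", "zip"}


def classify_attachment(name: str) -> Tuple[str, str]:
    """Return ("allow" or "block", reason) for one attachment file name."""
    # Windows ignores trailing dots and spaces when resolving a name,
    # so "setup.exe." still runs as setup.exe.
    base = name.rstrip(" .")
    parts = base.lower().split(".")
    if len(parts) < 2:
        return ("allow", "no extension")
    # Padding before the last dot ("report.txt      .exe") pushes the real
    # extension out of a narrow mail-client column; strip it before comparing.
    ext = parts[-1].strip()
    if ext not in EXECUTABLE_EXTS:
        return ("allow", "extension ." + ext + " is not executable")
    # Executable: look for a decoy document extension in front of it.
    inner = [p.strip() for p in parts[1:-1]]
    decoy = next((p for p in inner if p in DOCUMENT_EXTS), None)
    if decoy is not None:
        return ("block", "executable ." + ext + " hidden behind a ." + decoy + " name")
    return ("block", "executable attachment (." + ext + ")")


def blocked_attachments(names: List[str]) -> List[Tuple[str, str]]:
    """Return the (name, reason) pairs a gateway would hold back."""
    held = []
    for n in names:
        verdict, reason = classify_attachment(n)
        if verdict == "block":
            held.append((n, reason))
    return held


# Constructed attachment names as they might appear in one day's mail.
SAMPLE_NAMES = [
    "quarterly_report.doc",
    "photo.jpg.scr",
    "report.txt                               .exe",
    "setup.exe.",
    "README",
    "notes.TXT",
]

if __name__ == "__main__":
    for name, reason in blocked_attachments(SAMPLE_NAMES):
        print(repr(name), "->", reason)
```

The whitespace-padded and trailing-dot cases are the ones a naive "ends with .exe" rule misses; the check normalises both before deciding, and reports the decoy extension so the reason is visible in the gateway log.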

Christopher Klaus is the founder and chief technology officer of Internet Security Systems (ISS), , Georgia. Its products are based on the Internet Scanner, which Klaus developed while a student at the Georgia Institute of Technology. ISS has announced that its RealSecure product is now capable of detecting the presence of BO2K. For more information on this subject, see the most recent ISS Windows Backdoor Update at http://xforce.iss.net/alerts/advise30.php3.


EXHIBIT 7 — The BO2K Server Response Window


EXHIBIT 8 — Server Commands

Simple
  Ping: Sends a packet to the server to determine if the machine is accessible
  Query: Returns the version number of the BO2K server

System
  Reboot Machine: Shuts down and reboots the machine
  Lock-up Machine: Freezes the remote machine and requires that it be rebooted
  List: Retrieves a list of users and their passwords
  Get System Info: Retrieves the machine name, current user, processor version (SP version), memory (physical and paged), and all fixed and remote drives

Key Logging
  Log Keystrokes: Logs keystrokes to a file; a file name is required in order to store the output
  End Keystroke Log: Stops recording keystrokes to the specified file
  View Keystroke Log: Views a keystroke log file
  Delete Keystroke Log: Deletes a keystroke log file

GUI
  System Message Box: Displays a text box on the server that contains a specified title and text

TCP/IP
  Map Port → Other IP: Redirects the network traffic from a specified port on the server to another IP address and port
  Map Port → TCP File Receive: Receives a file from a specific port; the entry requires the indication of a specific port, as well as the path and filename
  List Mapped Ports: Lists all of the redirected ports and the relevant source and destination information
  Remove Mapped Port: Removes the specified redirected port
  TCP File Send: Connects to the specified port and sends a file; the entry requires the indication of a specific target IP address and port, as well as the path and filename

M$ Networking
  Add Share: Creates a new share on the remote machine; the entry requires the indication of a pathname and a sharename
  Remove Share: Removes a share; the entry requires the indication of the sharename
  List Shares: Lists all of the shares on the server machine
  List Shares On LAN: Lists the shares on the LAN
  Map Shared Device: Maps the shared device
  Unmap Shared Device: Removes the specified mapped shared device
  List Connections: Lists the network connections on the remote computer, both current and persistent

Process Control
  List Processes: Lists all of the processes that are running on the server; the entry requires the indication of the remote machine name
  Kill Process: Kills the specified process; the entry requires the indication of the process ID number, which can be obtained from the List Processes command
  Start Process: Starts a process on the server, specified by the pathname and the arguments

Registry
  Create Key: Creates a key in the registry; the entry requires the indication of the full key path
  Set Value: Sets a value of a registry key; the full key path, the value name, and the value data must be specified
  Get Value: Displays the registry entry for the specified key path and value
  Delete Key: Deletes a registry key; the entry must specify the full key path
  Delete Value: Deletes a registry key for a specified key path and value
  Rename Key: Renames a registry key; the entry requires that both the current and new key name be specified
  Rename Value: Renames a registry value; the entry requires that both the current key path-value name and new key value be specified
  Enumerate Keys: Displays and counts all of the subkeys for the specified key path
  Enumerate Values: Lists the values of the specified registry key

Multimedia
  Capture Video Still: Captures a still video image from the specified device. The user must specify the filename and device number, and may give the image size (the width and height in pixels) as well as the BPP; if these dimensions are not indicated, a default of 640 × 480 pixels and 16 bpp is used.
  Capture AVI: Captures an AVI (compressed video image) file from the specified device. The user must specify the filename and device number, and may give the image size (the width and height in pixels) as well as the BPP; if these dimensions are not indicated, a default of 640 × 480 pixels and 16 bpp is used.
  Play WAV File: Plays the specified WAV file
  Play WAV File In Loop: Plays the specified WAV file repeatedly until stopped
  Stop WAV File: Stops a WAV file that is playing
  List Capture Devices: Shows the attached system devices that are capable of capturing video
  Capture Screen: Creates an image of the current screen; entry of the pathname for file output is required

File/Directory
  List Directory: Lists files and directories from the specified machine and the remote path
  Find File: Searches for a file on the server machine; the entry requires specification of the path and filename
  Delete File: Removes a file from the server's drive
  View File: Allows the specified file to be viewed on the remote machine
  Move Or Rename File: Moves or renames a file; the entry must specify the pathname for both the old and the new file
  Copy File: Copies a file on the BO2K server; the entry must specify both the source and the target pathnames
  Make Directory: Makes a directory on the server; the entry requires that a pathname be designated
  Remove Directory: Removes the specified directory
  Set File Attributes: Sets the file attributes (ARSHT) for the specified pathname
  Receive File: Receives a file from a server; the entry requires BINDSTR, NET, ENC, AUTH, and the pathname
  Send File: Sends a file to a machine; the entry requires IP, NET, ENC, AUTH, and the pathname
  List Transfers: Shows a list of the files that are being transferred
  Cancel Transfer: Cancels the transfer for the specified pathname

Compression
  Freeze File: Compresses files; the entry requires the pathname for the original and output files
  Melt File: Decompresses a file; the entry requires the pathname for the original and output files

DNS
  Resolve Hostname: Retrieves the FQDN and IP address of the specified machine
  Resolve Address: Retrieves the FQDN and IP address of the specified machine

Server Control
  Shutdown Server: Stops BO2K on the server; the user must type delete before sending the command
  Restart Server: Restarts BO2K after using the Shutdown Server command
  Load Plugin: Loads the specified plug-in
  Debug Plugin: Debugs the specified plug-in
  List Plugins: Lists the plug-ins that have been installed
  Remove Plugins: Removes the specified plug-in using its number, which is found through the preceding List Plugins command
