84-02-02

DATA SECURITY MANAGEMENT

AN INTRODUCTION TO THE BACK ORIFICE 2000 BACKDOOR PROGRAM

Christopher Klaus

INSIDE
General Information on Backdoor Programs; Installation Procedure; Using BO2K; Server Commands; Protecting Against BO2K

Back Orifice 2000 (BO2K) is a backdoor program designed for misuse and attack. It was released in July 1999 at DefCon VII, a computer hacker convention held in Las Vegas, Nevada. Credit for developing and releasing BO2K was claimed by a computer hacker organization that calls itself The Cult of the Dead Cow. BO2K is a refinement of an earlier program with a similar name.

BO2K takes the form of a client/server application that remotely controls an information processing application with a fixed IP (Internet Protocol) address without the knowledge of either the responsible system administrators or the affected end users. Once it has been installed, BO2K gathers information, performs system commands, reconfigures machines, and redirects network traffic without authorized access for any of these services.

BO2K can be used as a simple monitoring tool, but its main purpose is to maintain unauthorized control over another machine for reconfiguration and data collection. These features, plus the invisibility of BO2K, make this backdoor program especially dangerous for both the administrators and the end users in a networked environment.

Unlike a conventional computer virus, BO2K is not self-replicating. It must deceive an individual user into installing the program. Once it has been installed, BO2K easily performs unauthorized actions without the knowledge of the user.

PAYOFF IDEA
Back Orifice 2000 (BO2K) is a backdoor program designed for misuse and attack. While it can be used as a simple monitoring tool, its main purpose is to maintain unauthorized control over another machine for reconfiguration and data collection. This article describes backdoor programs in general, BO2K in particular, and provides suggestions for protecting against it.

Auerbach Publications © 2000 CRC Press LLC

GENERAL INFORMATION ON BACKDOOR PROGRAMS

Backdoor programs are significantly more dangerous than conventional computer viruses. This type of program can be used by an intruder to take control of a microcomputer or a workstation and potentially to gain broad network access. Until now, the most widely distributed backdoor programs have been Netbus and the first version of Back Orifice. These programs are commonly referred to as Trojan horses, because they pretend to do something other than their actual function. Typically, backdoor programs are sent as attachments to electronic mail messages with innocent-looking file names. Also, BO2K has a plug-in architecture that enables it to disguise itself once it has been installed.

Many authors of backdoor programs claim that they have not written them to be intrusion tools. Rather, the authors claim that their programs are remote-control utilities that demonstrate weaknesses in already installed operating systems. However, the actual use of these programs, as demonstrated by their past activity, indicates that these Trojan horses are frequently used to gain unauthorized access to and use of an information processing application, even though no significant vulnerability can be identified in the operating systems that they impact.

Netbus is available in versions for Windows 95, Windows 98, and Windows NT. The first version of Back Orifice, initially released in July 1998, was available for Windows 95 and Windows 98. With the release of BO2K, Windows NT is impacted, making this version especially dangerous for organizational networked environments.

INSTALLATION PROCEDURE

Installing BO2K involves two separate operations: client installation and server installation.
BO2K installs on the server machine using a simple process. The server application is executed, and BO2K is installed. This executable, originally named bo2k.exe, can be renamed. The name used for the executable is specified either in the client installation or, as illustrated in Exhibit 1, in the BO2K Configuration Wizard. This Wizard steps through various configuration settings, including the server file (which is the executable), the network protocol (either TCP [Transmission Control Protocol] or UDP [User Datagram Protocol]), the port number, and the data encryption and password administration mechanisms in use. Once this process is complete, running bo2kgui.exe executes the graphical user interface (GUI) for BO2K, which is depicted in Exhibit 2.

The BO2K Configuration Wizard is designed to allow quick setup and immediate use of the program on a specified server, assuming some defaults. However, many options can be set manually through the Configuration utility. These options are mainly used to reduce the chance that BO2K will be detected by the system administrator or an application user.

EXHIBIT 1 — The BO2K Configuration Wizard

The Configuration Wizard steps through these settings:

• Server File
• Network Protocol (UDP or TCP)
• Port Number
• Encryption (XOR or 3DES [Triple Data Encryption Standard])
• Password-Encryption Key

Once the Configuration Wizard completes this activity, the Server Configuration utility screen is displayed, as shown in Exhibit 3. This utility allows increasingly granular control over how BO2K is run, including the client/server telecommunications settings and the methods for preventing the program from being detected. The option variables provided by this utility and their descriptions are listed in Exhibit 4.
USING BO2K

bo2kgui.exe executes the BO2K Workspace (depicted in Exhibit 2), which contains a list of the servers that have been compromised and that have been saved from a previous use of this program. These servers must be defined for BO2K to connect to any system and to begin using the program. Each of the named servers must be described by its name, IP address, and connection information. Exhibit 5 depicts the screen for editing the server settings.

EXHIBIT 2 — The Graphical Interface of BO2K

EXHIBIT 3 — The Server Configuration Utility Screen

When a server has been defined, the Server Command Client is displayed, as illustrated in Exhibit 6. This window enables access to BO2K's commands. When the user of BO2K clicks on a category, BO2K displays individual functions. Some of these functions require that additional parameters such as filenames and port numbers be provided.

SERVER COMMANDS

Over 70 commands are contained within BO2K. These commands gather information and send various instructions to the server. After a connection is made between the two machines, a command is selected, the applicable parameters are entered, and the Send Command button runs the command on the chosen server. Responses from the server are displayed in the Server Response window, which is depicted in Exhibit 7. The server commands and their descriptions are discussed in Exhibit 8.
EXHIBIT 4 — Server Configuration Utility Option Variables

Option: Description

File Transfer
  File Xfer Net Type: Lists and changes the network protocol for communication
  File Xfer Bind Str: File transfer bind string where RANDOM is the default
  File Xfer Encryption: Lists and changes the current encryption method
  File Xfer Auth: File transfer authentication whose default is NULLAUTH
  TCPIO Default Port: Displays and changes the port that is being used for TCP communication
  UDPIO Default Port: Displays and changes the port that is being used for UDP communication

Built-in
  Load XOR Encryption: Enables or disables XOR encryption, which is weaker than Triple DES
  Load NULLAUTH Authentication: Enables or disables NULLAUTH authentication
  Load UDPIO Module: Enables or disables UDP communication
  Load TCPIO Module: Enables or disables TCP communication

XOR
  XOR Key: Lists and changes the password for XOR authentication

Startup
  Init Cmd Net Type: Displays and changes the network protocol for startup
  Init Cmd Encryption: Displays current value for encryption at startup
  Init Cmd Auth: Displays and changes current authentication for startup
  Idle Timeout (Ms): Can change the time in milliseconds for the server timeout and disconnect

Stealth Operation
  Run At Startup: Enable or disable BO2K to be run at computer startup
  Delete Original File: Can delete original exe file (the choice is to Enable or Disable)
  Runtime Pathname: Changes the value for the runtime pathname
  Hide Process: Enable or disable the process from being hidden
  Host Process Name (NT): Changes the process name on the host machine; the default is BO2K
  Service Name (NT): Changes the service name from Remote Administration Service to another name that is specified in the utility

PROTECTING AGAINST BO2K

Once BO2K is installed, its highly configurable nature makes it very difficult to detect.
Typically, backdoor programs are complex, and several detection methods are recommended to achieve maximum awareness of BO2K installations and protection for any machine or series of machines on a network. By default, BO2K installs itself in a Windows system directory as a file called UMGR32.EXE. If Windows NT is running, it installs a service that is listed as Remote Administration Service. This is a default name, and it can be changed.

EXHIBIT 5 — The Screen for Editing Server Settings

Host-based vulnerability
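A host-based check for the default footprints named above (UMGR32.EXE in the system directory, the Remote Administration Service service, the BO2K host process name), added here as an example; it is not from the article or from BO2K, and the inventory it scans is constructed sample data rather than real telemetry. Because every one of these defaults can be renamed in the Server Configuration utility, the check can confirm a default installation but never rule one out.

```python
"""Check a host inventory for the default BO2K footprints the article lists.

Added example, not from the article or from BO2K. Every default can be
renamed in the Server Configuration utility, so a clean result proves
nothing; any hit is a strong signal that deserves a closer look.
"""
import ntpath
from dataclasses import dataclass

DEFAULT_FILE = "UMGR32.EXE"                          # dropped in the system directory
DEFAULT_SERVICE = "Remote Administration Service"   # NT service display name
DEFAULT_PROCESS = "BO2K"                             # Host Process Name (NT) default

@dataclass
class HostInventory:
    system_dir: str   # e.g. C:\WINNT\system32
    files: list       # full paths found on disk
    services: list    # (display name, binary path) pairs
    processes: list   # running process names

def _same(a: str, b: str) -> bool:
    # Windows names are case-insensitive; ntpath.normcase also unifies slashes.
    return ntpath.normcase(a) == ntpath.normcase(b)

def check_host(inv: HostInventory) -> list:
    """Return findings as strings; an empty list means no default matched."""
    findings = []
    sysdir = inv.system_dir.rstrip("\\/")
    for path in inv.files:
        if _same(ntpath.dirname(path), sysdir) and _same(ntpath.basename(path), DEFAULT_FILE):
            findings.append(f"file: {path}")
    for name, binary in inv.services:
        if name.casefold() == DEFAULT_SERVICE.casefold():
            findings.append(f"service: {name} -> {binary}")
        elif _same(ntpath.basename(binary), DEFAULT_FILE):
            findings.append(f"service binary: {name} -> {binary}")  # renamed service, default file
    for proc in inv.processes:
        # "Hide Process" can keep BO2K out of process listings, so this may miss.
        if _same(proc, DEFAULT_PROCESS) or _same(proc, DEFAULT_FILE):
            findings.append(f"process: {proc}")
    return findings

# Constructed sample inventory, not real telemetry; all three defaults are present.
SAMPLE = HostInventory(
    system_dir="C:\\WINNT\\system32",
    files=["C:\\WINNT\\system32\\umgr32.exe", "C:\\WINNT\\system32\\notepad.exe"],
    services=[("Remote Administration Service", "C:\\WINNT\\system32\\umgr32.exe"),
              ("Event Log", "C:\\WINNT\\system32\\services.exe")],
    processes=["services.exe", "BO2K"],
)
```

Running check_host(SAMPLE) reports the file, the service and the process; the same call on an installation whose file, service and process names were all changed returns an empty list, which is why the article recommends several detection methods rather than one.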