Recent Bugs - Revisited

In the August 4 article Recent Bugs (and Fixes), I somewhat glossed over Back Orifice in order to go over the Long Filename Attachment Bug, specifically because Back Orifice won't run on NT, while the e-mail bug could affect NT installations. And at that time anyway, Microsoft hadn't released any response to Back Orifice (in particular, the reports that it could affect NT installations eventually). Things are popping now, though!

Back Orifice, a few weeks later...
Some Common Sense

Russ Cooper makes some excellent points in his post cited above, an important one being that the BO client is only a bit over 100K in size - not nearly as large as other remote control clients, and quite easy to slip into a download of whatever sort (falsely named executable "freeware" or "shareware" file; an ActiveX control; whatever). (Note that link takes you to ButtPlugs for BO.) Furthermore, he adds that since BO can be so easily disguised, the anti-virus people will be hard-pressed to come up with a detection scheme.

...but detectable

However, Cooper emphasizes that this thing, once installed, shouldn't be all that hard to detect, using some common sense. For one, especially over a phone line, you'd be able to detect a slowdown in your connection if someone were downloading your files. Moreover, a simple NETSTAT -a command would be as effective as any port listener (such as plisten.exe) in the case of a program such as this.

And of course, the anti-virus people are all over this one. Even Privacy Software Corporation, makers of NSClean and IEClean, released BOClean yesterday (8/17/98), which claims to detect and clean BO from Win9x installations (for $20). Even cheaper (read: free), X-Force has posted an advisory regarding detecting and removing a BO client from a Win9x installation, which involves installing the server, finding a bogus entry in the Registry, then removing that entry (and then uninstalling the server).

Is this a security issue?

cDc maintains that BO's raison d'etre is that your OS should literally have "the ability to monitor and even prevent disk and registry access."
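The NETSTAT -a check Cooper suggests above can be made repeatable by comparing the listening sockets against a list of the ones you expect. The following is an added example, not code from the article or from any of the tools it names; the sample output, the host name, the port 54321 and the baseline are all constructed for illustration.

```python
import re

# Constructed sample of `NETSTAT -a` output from a Windows host (not real data).
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    mypc:135               0.0.0.0:0              LISTENING
  TCP    mypc:nbsession         0.0.0.0:0              LISTENING
  TCP    mypc:1029              www.example.com:80     ESTABLISHED
  UDP    mypc:nbname            *:*
  UDP    mypc:nbdatagram        *:*
  UDP    mypc:54321             *:*
"""

# Hypothetical baseline: the listeners this host is expected to have.
BASELINE = {("TCP", "135"), ("TCP", "nbsession"),
            ("UDP", "nbname"), ("UDP", "nbdatagram")}

# Proto, local address, foreign address, and an optional State column.
ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$", re.I)

def listeners(netstat_text):
    """Return the set of (proto, port) pairs that are waiting for traffic."""
    found = set()
    for line in netstat_text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # banner, column header or blank line
        proto, local, _foreign, state = m.groups()
        proto = proto.upper()
        # UDP is connectionless and has no State column, so every bound
        # UDP socket counts; for TCP only LISTENING rows are of interest.
        if proto == "TCP" and (state or "").upper() != "LISTENING":
            continue
        # The port follows the last colon; -a may print a service name
        # (e.g. nbname) instead of a number, so keep it as a string.
        found.add((proto, local.rsplit(":", 1)[-1]))
    return found

def unexpected(netstat_text, baseline):
    """Listeners present on the host but absent from the baseline, sorted."""
    return sorted(listeners(netstat_text) - set(baseline))

if __name__ == "__main__":
    for proto, port in unexpected(SAMPLE, BASELINE):
        print(f"unexpected listener: {proto} {port}")
```

Comparing against a baseline rather than looking for one fixed port means a listener is still flagged if the remote-control program has been configured to use a different port.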
The copyright of the article Recent Bugs - Revisited in Windows NT Workstation is owned by Tracey Kirkpatrick-Pritchett. Permission to republish Recent Bugs - Revisited in print or online must be granted by the author in writing.