MyCERT Advisories

MyCERT Advisories, Alerts and Summaries for the year 1999

MA-003.011999: Back Orifice (BO)

Original Issue Date: 29th January 1999

1.0 Description

1.1 Overview

Back Orifice, a Windows 95/98 backdoor, was released on July 21st 1998 by the "Cult of the Dead Cow" group. This program allows unauthorized users to control a computer over a UDP connection using a text- or graphics-based client.

1.2 Limitation

1.2.1 Only computers running Windows 95/98 are vulnerable to a BO attack.

1.2.2 BO is a trojan horse, which requires the target computer to either deliberately install BO or be tricked into doing so.

1.2.3 The IP address or the subnet of the target computer must be known to the attacker, and the target port must also be reachable. Placing a firewall between the attacker and the target can prevent this.

2.0 Technical Matters

2.1 Installation

BO can be installed deliberately, or by trickery (e.g. through an e-mail attachment or a dubious downloadable file). However, the file has to be executed in order for it to be installed. The target machine must also be running either Windows 95 or Windows 98 and have UDP network capability.

It is a self-extracting file that installs itself into c:\windows\system, either as " .exe" (a leading space followed by .exe) or under a file name specified by the installer. It creates a registry value under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices whose data is the server file name, with a description field of either "(Default)" or a description specified by the installer, and then begins listening on UDP port 31337, or on a UDP port specified by the installer.

2.2 Functionality

BO allows intruders to manipulate system control (e.g. log keystrokes, lock up or reboot), file system control (e.g. copy, rename, delete, view, and search files), process control (e.g. list, kill, and spawn processes), registry control (e.g. list, create, delete and set keys and values), network control (e.g. list, create and delete network connections) as well as other functions.

3.0 Possible Steps

3.1 Detection

3.1.1 Start the regedit program (c:\windows\regedit.exe)

3.1.2 Access the key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices. Look for any unfamiliar entries that were not intentionally installed on the machine. If the size of the referenced file is close to 124,928 bytes (plus or minus 30 bytes), it is probably BO.

3.2 Test Vulnerability

3.2.1 You can use the netstat program to check if the system is vulnerable. 'netstat -an' will list all connected and listening ports, so you can see if there are any open UDP ports that shouldn't be open, and take corrective action. Here is some sample output from netstat:

C:\WINDOWS>netstat -an | find "UDP"
UDP 0.0.0.0:31337 *:*

In this example, you can see a UDP service listening on port 31337. This service is Back Orifice. It doesn't have to be on port 31337, so if you see anything else that looks suspicious, check your registry.
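As an added example (not part of the original advisory), the two detection heuristics from 3.1 and 3.2, an unexpected UDP listener and a RunServices entry whose file size is within 30 bytes of 124,928, applied in Python to a constructed `netstat -an` capture and a constructed RunServices listing. The allow list of expected UDP ports and the sample file names and sizes are assumptions; on a real machine the RunServices values and file sizes would be read with `winreg` and `os.path.getsize`.

```python
import re

# Heuristics taken from the advisory: BO's default listener is UDP 31337 and
# the server binary is roughly 124,928 bytes (+/- 30 bytes).
BO_DEFAULT_PORT = 31337
BO_SERVER_SIZE = 124_928
BO_SIZE_TOLERANCE = 30

# Registry key the advisory says the BO server registers itself under.
RUN_SERVICES_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices"

# Matches a netstat -an UDP line such as "UDP 0.0.0.0:31337 *:*" (any amount of whitespace).
NETSTAT_UDP_RE = re.compile(r"^\s*UDP\s+(\S+):(\d+)\s+\*:\*", re.IGNORECASE)

def udp_listeners(netstat_output: str) -> list[tuple[str, int]]:
    """Parse 'netstat -an' text and return (address, port) for every UDP listener."""
    found = []
    for line in netstat_output.splitlines():
        m = NETSTAT_UDP_RE.match(line)
        if m:
            found.append((m.group(1), int(m.group(2))))
    return found

def suspicious_udp_ports(netstat_output: str, allowed_ports: set[int]) -> list[int]:
    """Listening UDP ports not on the administrator's allow list; BO's default port is always flagged."""
    return [port for _addr, port in udp_listeners(netstat_output)
            if port == BO_DEFAULT_PORT or port not in allowed_ports]

def looks_like_bo_server(size_bytes: int) -> bool:
    """Size heuristic from section 3.1.2: within +/- 30 bytes of 124,928."""
    return abs(size_bytes - BO_SERVER_SIZE) <= BO_SIZE_TOLERANCE

def flag_run_services(entries: dict[str, int]) -> list[str]:
    """entries maps a RunServices value (file path) to that file's size; returns paths matching the heuristic."""
    return [path for path, size in entries.items() if looks_like_bo_server(size)]

# Constructed sample input: a netstat -an capture with the default BO listener present.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:139            0.0.0.0:0              LISTENING
  UDP    0.0.0.0:137            *:*
  UDP    0.0.0.0:31337          *:*
"""

# Constructed sample RunServices listing (hypothetical paths and sizes).
SAMPLE_RUN_SERVICES = {
    r"C:\WINDOWS\SYSTEM\ .exe": 124_936,      # within the BO size window
    r"C:\WINDOWS\SYSTEM\MSTASK.EXE": 28_672,  # benign size
}

if __name__ == "__main__":
    print("suspicious UDP ports:", suspicious_udp_ports(SAMPLE_NETSTAT, {137, 138}))
    print("suspicious RunServices entries:", flag_run_services(SAMPLE_RUN_SERVICES))
```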

3.3 Reaction

3.3.1 BO can be removed by deleting the infected files. BODetect is a good program for finding and removing BO. BODetect can be found here: http://www.cbsoftsolutions.com/Products/download.htm

The good thing about BODetect is that it can monitor your system continuously. You can also run it on demand if you prefer.

3.3.2 Some anti-virus products can also detect BO, but not all of them are able to remove it. The list of current vendors is available in MyCERT's Links to Updated Anti-Virus Database.

4.0 More Information

4.1 ISS Security Alert Advisory: Back Orifice Backdoor - http://www.iss.net/xforce/alerts/advise5.html

4.2 ISS Security Alert Advisory: Update of cDc Back Orifice - http://www.iss.net/xforce/alerts/advise8.html