

84-02-02

DATA SECURITY MANAGEMENT

AN INTRODUCTION TO THE BACK ORIFICE 2000 BACKDOOR PROGRAM

Christopher Klaus

INSIDE

General Information on Backdoor Programs; Installation Procedure; Using BO2K; Server Commands; Protecting Against BO2K

Back Orifice 2000 (BO2K) is a backdoor program designed for misuse and attack. It was released in July 1999 at DefCon VII, a computer hacker convention held in Las Vegas, Nevada. Credit for developing and releasing BO2K was claimed by a computer hacker organization that calls itself The Cult of the Dead Cow. BO2K is a refinement of an earlier program with a similar name. BO2K takes the form of a client/server application that remotely controls an information processing application with a fixed IP (Internet Protocol) address without the knowledge of either the responsible system administrators or the affected end users. Once it has been installed, BO2K gathers information, performs system commands, reconfigures machines, and redirects network traffic without authorized access for any of these services.

BO2K can be used as a simple monitoring tool, but its main purpose is to maintain unauthorized control over another machine for reconfiguration and data collection. These features, plus the invisibility of BO2K, make this backdoor program especially dangerous for both the administrators and the end users in a networked environment.

Unlike a conventional computer virus, BO2K is not self-replicating. It must deceive an individual user into installing the program. Once it has been installed, BO2K easily performs unauthorized actions without the knowledge of the user.

PAYOFF IDEA

Back Orifice 2000 (BO2K) is a backdoor program designed for misuse and attack. While it can be used as a simple monitoring tool, its main purpose is to maintain unauthorized control over another machine for reconfiguration and data collection. This article describes backdoor programs in general, BO2K in particular, and provides suggestions for protecting against it.

Auerbach Publications © 2000 CRC Press LLC


GENERAL INFORMATION ON BACKDOOR PROGRAMS

Backdoor programs are significantly more dangerous than conventional computer viruses. This particular type of program can be used by an intruder to take control of a microcomputer or a workstation and potentially to gain broad network access. Until now, the most widely distributed backdoor programs have been Netbus and the first version of Back Orifice. These programs are commonly referred to as Trojan horses, due to the fact that they pretend to do something other than their actual function. Typically, backdoor programs are sent as attachments to electronic mail messages with innocent-looking file names. Also, BO2K has a plug-in architecture that enables it to disguise itself once it has been installed.

Many authors of backdoor programs claim that they have not written them to be intrusion tools. Rather, the authors claim that their programs are remote-control utilities that demonstrate weaknesses in already installed operating systems. However, the actual use of these programs, as demonstrated by their past activity, indicates that these Trojan horses are frequently used to gain unauthorized access to and the use of an information processing application, although a significant vulnerability cannot be identified in the operating systems that they impact.

Netbus is available in versions for Windows 95, Windows 98, and Windows NT. The first version of Back Orifice, initially released in July 1998, was available for Windows 95 and Windows 98. With the release of BO2K, Windows NT is impacted, making this version especially dangerous for organizational networked environments.

INSTALLATION PROCEDURE

Installing BO2K involves two separate operations: client installation and server installation. BO2K installs on the server machine using a simple process. The server application is executed, and BO2K is installed. This executable, originally named bo2k.exe, possibly can be renamed. The name that is being used for the executable will be specified in either the client installation or, as illustrated in Exhibit 1, in the BO2K Configuration Wizard.

This Wizard steps through various configuration settings, including the server file (which is the executable), the network protocol (either TCP [Transmission Control Protocol] or UDP [User Datagram Protocol]), the port number, and the data encryption and password use administration mechanisms in use. Once this process is complete, running bo2kgui.exe executes the graphical user interface (GUI) for BO2K, which is depicted in Exhibit 2.

The BO2K Configuration Wizard is designed to allow for the quick setup and immediate use, assuming some defaults, of the program on a specified server. However, many options can be set manually through the Configuration utility. These options are mainly used to reduce the chance that BO2K will be detected by the system administrator or some application user. The Configuration Wizard steps through these settings:

• Server File
• Network Protocol (UDP or TCP)
• Port Number
• Encryption (XOR or 3DES [Triple Data Encryption Standard])
• Password-Encryption Key

Once the Configuration Wizard completes this activity, the Server Configuration utility screen is displayed, as shown in Exhibit 3. This utility allows increasingly granular control over how BO2K is run, including the client/server telecommunications settings, and the methods for preventing the program from being detected. The option variables provided by this utility and their descriptions are discussed in Exhibit 4.

USING BO2K

bo2kgui.exe executes the BO2K Workspace (depicted in Exhibit 2), which contains a list of the servers that have been compromised and that has been saved from a previous use of this program. These servers must be defined for BO2K to connect to any system and to begin using the program. Each of the named servers must be described by its name, IP address, and connection information. Exhibit 5 depicts the screen for editing the server settings.

EXHIBIT 1 — The BO2K Configuration Wizard

EXHIBIT 2 — The Graphical Interface of BO2K

When a server has been defined, the Server Command Client is displayed, as illustrated in Exhibit 6. This window enables access to BO2K’s commands. When the user of BO2K clicks on a category, BO2K displays individual functions. Some of these functions require that additional parameters such as filenames and port numbers be provided.

SERVER COMMANDS

Over 70 commands are contained within BO2K. These commands gather information and send various instructions to the server. After a connection is made between the two machines, a command is selected, the applicable parameters are entered, and the Send Command button runs the command on the chosen server. Responses from the server will be displayed in the Server Response window, which is depicted in Exhibit 7. The server commands and their descriptions are discussed in Exhibit 8.

EXHIBIT 3 — The Server Configuration Utility Screen


PROTECTING AGAINST BO2K

Once BO2K is installed, its highly configurable nature makes it very difficult to detect. Typically, backdoor programs are complex, and several detection methods are recommended to achieve maximum awareness of BO2K installations and protection for any machine or series of machines on a network. By default, BO2K installs itself in a Windows system directory as a file called UMGR32.EXE. If Windows NT is running, it will install a service that is listed as Remote Administration Service. This is a default name, and can be changed.
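The two default names just given (the UMGR32.EXE file in the system directory and the Remote Administration Service entry on Windows NT) are the cheapest host-based indicators to check for. The following Python script is an added example, not code from the article or from ISS: it runs the check over a host inventory supplied as plain lists, so it works offline on the constructed sample data embedded below; on a real host the lists would come from a directory listing and the service control manager. The function and variable names are the example's own. The service check also flags a renamed service whose binary is still the default file, which is this example's heuristic rather than something the article describes.

```python
from dataclasses import dataclass

# The two default names the article gives. Both can be changed by whoever
# installs BO2K, so an empty result here does not prove a host is clean.
DEFAULT_FILE_NAME = "UMGR32.EXE"
DEFAULT_SERVICE_NAME = "Remote Administration Service"


@dataclass(frozen=True)
class Finding:
    kind: str    # "file" or "service"
    detail: str


def check_host(system_dir_files, services):
    """Flag the default BO2K artifacts in a host inventory.

    system_dir_files: file names found in the Windows system directory.
    services: (service_name, display_name, binary_path) tuples as an
        inventory tool would report them.
    Windows file and service names are case-insensitive, so all
    comparisons are made on upper-cased strings.
    """
    findings = []
    for name in system_dir_files:
        if name.upper() == DEFAULT_FILE_NAME:
            findings.append(Finding("file", f"default BO2K server binary present: {name}"))
    for svc_name, display, path in services:
        if DEFAULT_SERVICE_NAME.upper() in (svc_name.upper(), display.upper()):
            findings.append(Finding("service", f"'{display}' ({svc_name}) runs {path}"))
        elif path.upper().endswith("\\" + DEFAULT_FILE_NAME):
            # Service was renamed but still starts the default binary (heuristic).
            findings.append(Finding("service", f"'{display}' ({svc_name}) starts {path}"))
    return findings


# Constructed sample inventories (not taken from a real host).
INFECTED_FILES = ["KERNEL32.DLL", "umgr32.exe", "USER32.DLL"]
INFECTED_SERVICES = [
    ("Spooler", "Print Spooler", "C:\\WINNT\\system32\\spoolss.exe"),
    ("RemoteAdmin", "Remote Administration Service", "C:\\WINNT\\system32\\umgr32.exe"),
]
CLEAN_FILES = ["KERNEL32.DLL", "USER32.DLL"]
CLEAN_SERVICES = [("Spooler", "Print Spooler", "C:\\WINNT\\system32\\spoolss.exe")]


if __name__ == "__main__":
    for f in check_host(INFECTED_FILES, INFECTED_SERVICES):
        print(f"[{f.kind}] {f.detail}")
```

Because every name the script looks for is a changeable default, it is a first pass only; the article's recommendation to pair this kind of host check with network-based detection stands.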

EXHIBIT 4 — Server Configuration Utility Option Variables

Option: Description

File Transfer
  File Xfer Net Type: Lists and changes the network protocol for communication
  File Xfer Bind Str: File transfer bind string where RANDOM is the default
  File Xfer Encryption: Lists and changes the current encryption method
  File Xfer Auth: File transfer authentication whose default is NULLAUTH

TCPIO
  Default Port: Displays and changes the port that is being used for TCP communication

UDPIO
  Default Port: Displays and changes the port that is being used for UDP communication

Built-in
  Load XOR Encryption: Enables or disables XOR encryption, which is weaker than Triple DES
  Load NULLAUTH Authentication: Enables or disables NULLAUTH authentication
  Load UDPIO Module: Enables or disables UDP communication
  Load TCPIO Module: Enables or disables TCP communication

XOR
  XOR Key: Lists and changes the password for XOR authentication

Startup
  Init Cmd Net Type: Displays and changes the network protocol for startup
  Init Cmd Encryption: Displays current value for encryption at startup
  Init Cmd Auth: Displays and changes current authentication for startup
  Idle Timeout (Ms): Can change the time in milliseconds for the server timeout and disconnect

Stealth Operation
  Run At Startup: Enable or disable BO2K to be run at computer startup
  Delete Original File: Can delete original exe file (the choice is to Enable or Disable)
  Runtime Pathname: Changes the value for the runtime pathname
  Hide Process: Enable or disable the process from being hidden
  Host Process Name (NT): Changes the process name on the host machine; the default is BO2K
  Service Name (NT): Changes the service name from Remote Administration Service to another name that is specified in the utility


Host-based vulnerability and intrusion detection applications provide insufficient protection by themselves. Network-based systems provide critical capabilities that go beyond host-based and anti-viral solutions by detecting the presence of backdoors across the network, as well as improper connection attempts taking place from outside a network.

It is recommended that users join revised versions of anti-virus software with revised host- and network-based vulnerability scanning applications to detect violations of the organization’s IS security policy that indicate that the systems involved have been compromised by BO2K. In addition, host- and network-based intrusion detection mechanisms should be used to identify BO2K attacks as they travel over the network.

In addition, it is recommended that computing users take these important precautions:

• Do not open electronic mail message attachments, especially those originating from non-trusted sources.

• Do not accept files from Internet chat mechanisms as they inherently introduce vulnerabilities.

EXHIBIT 5 — The Screen for Editing Server Settings


• Be sure that network file sharing is not enabled on computers that are connected to the Internet without proper security measures being in place.

Christopher Klaus is the founder and chief technology officer of Internet Security Systems (ISS), Atlanta, Georgia. Its products are based on the Internet Scanner, which Klaus developed while a student at the Georgia Institute of Technology. ISS has announced that its Real Secure product is now capable of detecting the presence of BO2K. For more information on this subject, see the most recent ISS Windows Backdoor Update at http://xforce.iss.net/alerts/advise30.php3.

EXHIBIT 6 — The Server Command Client Enables Access to the BO2K Commands


EXHIBIT 7 — The BO2K Server Response Window


EXHIBIT 8 — Server Commands

Command: Description

Simple
  Ping: Sends a packet to the server to determine if the machine is accessible
  Query: Returns the version number of the BO2K server

System
  Reboot Machine: Shuts down and reboots the machine
  Lock-up Machine: Freezes the remote machine and requires that it be rebooted
  List Passwords: Retrieves a list of users and their passwords
  Get System Info: Retrieves this information: machine name, current user, processor, operating system version (SP version), memory (physical and paged), all fixed and remote drives

Key Logging
  Log Keystrokes: Logs keystrokes to a file; entry of a file name is required in order to store the output
  End Keystroke Log: Stops recording keystrokes to the specified file
  View Keystroke Log: Views a keystroke log file
  Delete Keystroke Log: Deletes a keystroke log file

GUI
  System Message Box: Displays a text box on the server that contains a specified title and text

TCP/IP
  Map Port → Other IP: Redirects the network traffic from a specified port on the server to another IP address and port
  Map Port → TCP FileReceive: Receives a file from a specific port; the entry requires the indication of a specific port, as well as the path and filename
  List Mapped Ports: Lists all of the redirected ports and the relevant source and destination information
  Remove Mapped Port: Removes the specified redirected port
  TCP File Send: Connects to the specified port and sends a file; the entry requires the indication of a specific target IP address and port, as well as the path and filename

M$ Networking
  Add Share: Creates a new share on the remote machine; the entry requires the indication of a pathname and a sharename
  Remove Share: Removes a share; the entry requires the indication of the sharename
  List Shares: Lists all of the shares on the server machine
  List Shares On LAN: Lists the shares on the LAN
  Map Shared Device: Maps the shared device
  Unmap Shared Device: Removes the specified mapped shared device
  List Connections: Lists the network connections on the remote computer, both current and persistent

Process Control
  List Processes: Lists all of the processes that are running on the server; the entry requires the indication of the remote machine name
  Kill Process: Kills the specified process; the entry requires the indication of the process ID number, which can be obtained from the List Processes command
  Start Process: Starts a process on the server that is specified by the pathname and the arguments

Registry
  Create Key: Creates a key in the registry; the entry requires the indication of the full key path
  Set Value: Sets a value of a registry key; the full key path, the value name, and the value data must be specified
  Get Value: Displays the registry entry for the specified key path and value
  Delete Key: Deletes a registry key; the entry must specify the full key path
  Delete Value: Deletes a registry key for a specified key path and value
  Rename Key: Renames a registry key; the entry requires that both the current and new key name be specified
  Rename Value: Renames a registry value; the entry requires that both the current key path-value name and new key value be specified
  Enumerate Keys: Displays and counts all of the subkeys for the specified key path
  Enumerate Values: Lists the values of the specified registry key

Multimedia
  Capture Video Still: Captures a still video image from the specified device. The filename and device number of the image must be specified by the user and contain the image size (the width and height in pixels) as well as the BPP. If these dimensions are not indicated, a default of 640 × 480 pixels and 16 bpp would be used.
  Capture AVI: Captures an AVI (compressed video image) file from the specified device; the filename and device number of the image must be specified by the user and contain the image size (the width and height in pixels) as well as the BPP. If these dimensions are not indicated, a default of 640 × 480 pixels and 16 bpp would be used
  Play WAV File: Plays the specified WAV file
  Play WAV File In Loop: Plays the specified WAV file repeatedly until stopped
  Stop WAV File: Stops a WAV file that is playing
  List Capture Devices: Shows the attached system devices that are capable of capturing video
  Capture Screen: Creates an image of the current screen; entry of the pathname for file output is required

File/Directory
  List Directory: Lists files and directories from the specified machine and the remote path
  Find File: Searches for a file on the server machine; the entry requires specification of the path and filename
  Delete File: Removes a file from the server’s drive
  View File: Allows the specified file to be viewed on the remote machine
  Move Or Rename File: Moves or renames a file; the entry must specify the pathname for both the old and the new file
  Copy File: Copies a file on the BO2K server; the entry must specify both the source and the target pathnames
  Make Directory: Makes a directory on the server; the entry requires that a pathname be designated
  Remove Directory: Removes the specified directory
  Set File Attributes: Sets the file attributes for the specified pathname (ARSHT)
  Receive File: Receives a file from a server; the entry requires BINDSTR, NET, ENC, AUTH and the pathname
  Send File: Sends a file to a machine; the entry requires IP, NET, ENC, AUTH, and the pathname
  List Transfers: Shows a list of the files that are being transferred
  Cancel Transfer: Cancels a transfer for the specified pathname

Compression
  Freeze File: Compresses files; the entry requires the pathname for the original and output files
  Melt File: Decompresses file; the entry requires the pathname for the original and output files

DNS
  Resolve Hostname: Retrieves the FQDN and IP address of the specified machine
  Resolve Address: Retrieves the FQDN and IP address of the specified machine

Server Control
  Shutdown Server: Stops BO2K on the server; the user must type delete before sending the command
  Restart Server: Restarts BO2K after using the Shutdown Server command
  Load Plugin: Loads the specified plug-in
  Debug Plugin: Debugs the specified plug-in
  List Plugins: Lists the plug-ins that have been installed
  Remove Plugins: Removes the specified plug-in using its number, which is found through the preceding List Plugins command