-----BEGIN PGP SIGNED MESSAGE-----

===========================================================================
              AUSCERT External Security Bulletin Redistribution

                             
                     ESB-98.134 -- ISS Security Advisory
                 Cult of the Dead Cow Back Orifice Backdoor
                               13 August 1998

===========================================================================

Internet Security Systems, Inc. (ISS) has released the following
advisory concerning the release of a Windows 95/98 backdoor named
'Back Orifice' (BO).  Once installed this backdoor allows unauthorised
remote users to execute privileged operations on the affected
machine.

    *********************ADDITIONAL INFORMATION************************

    On Mon, 10 Aug 1998 +0200 GMT, information regarding availability
    of the source code for a Unix client of Back Orifice was announced
    on the BUGTRAQ public mailing list.

    Additional Impact: Remote users may utilise a Unix-based machine
		       to execute privileged operations on the
		       affected Windows 95/98 machine.

    *******************************************************************

- --------------------------BEGIN INCLUDED TEXT--------------------

ISS Security Alert Advisory
August 6th, 1998


Cult of the Dead Cow Back Orifice Backdoor

Synopsis:

A hacker group known as the Cult of the Dead Cow has released a Windows
95/98 backdoor named 'Back Orifice' (BO).  Once installed this backdoor
allows unauthorized users to execute privileged operations on the affected
machine.

Back Orifice leaves evidence of its existence and can be detected and
removed.  The communications protocol and encryption used by this backdoor
have been broken by ISS X-Force.

Description:
A backdoor is a program that is designed to hide itself inside a target
host in order to allow the installing user access to the system at a later
time without using normal authorization or vulnerability exploitation.

Functionality:
The BO program is a backdoor designed for Windows 95/98. Once installed it
allows anyone who knows the listening port number and BO password to
remotely control the host.  Intruders access the BO server using either a
text or graphics based client.  The server allows intruders to execute
commands, list files, start silent services, share directories, upload and
download files, manipulate the registry, kill processes, list processes, as
well as other options.

Encrypted Communications:
All communications between the backdoor client and the server use the User
Datagram Protocol (UDP).  All data sent between the client and server is
encrypted; however, it is trivial to decrypt the data sent. X-Force has been
able to decrypt BO client requests without knowing the password and use the
gathered data to generate a password that will work on the BO server.

The way that BO encrypts its packets is to generate a 2 byte hash from the
password, and use the hash as the encryption key. The first 8 bytes of all
client request packets use the same string: "*!*QWTY?", thus it is very
easy to brute force the entire 64k key space of the password hash and
compare the result to the expected string. Once you know the correct hash
value that will decrypt packets, it is possible to start generating and
hashing random passwords to find a password that will work on the BO
server. In our tests in the X-Force lab, this entire process takes only a
few seconds, at most, on a Pentium-133 machine. With our tools we have been
able to capture a BO request packet, find a password that will work on the
BO server, and get the BO server to send a dialog message to warn the
administrator and kill its own process.
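The weakness just described, as an added example that is not ISS/X-Force code: because every client request starts with the same 8-byte header and the key is only a 2-byte hash, a monitor can exhaust all 65536 keys against the header and flag BO requests without knowing the password. The hash and cipher here are stand-ins (CRC32 folded to 16 bits, an LCG-driven XOR stream), not Back Orifice's real algorithm, and the packet is constructed rather than captured.

```python
import zlib

# Fixed 8-byte header at the start of every BO client request (from the advisory).
MAGIC = b"*!*QWTY?"

def password_hash16(password: bytes) -> int:
    """Stand-in for BO's 2-byte password hash (assumption: CRC32 folded to 16 bits)."""
    return zlib.crc32(password) & 0xFFFF

def keystream(key16: int, n: int) -> bytes:
    """Stand-in keystream: a 16-bit seed drives an LCG, one output byte per step.
    Only 65536 distinct streams exist, whatever the password length."""
    state = key16
    out = bytearray()
    for _ in range(n):
        state = (state * 1103515245 + 12345) & 0xFFFFFFFF
        out.append((state >> 16) & 0xFF)
    return bytes(out)

def encrypt(key16: int, data: bytes) -> bytes:
    """XOR stream cipher; symmetric, so decryption is the same operation."""
    return bytes(a ^ b for a, b in zip(data, keystream(key16, len(data))))

decrypt = encrypt

def recover_key(packet: bytes):
    """Detector logic: try every 16-bit key against the first 8 bytes and
    return the one that yields the magic header, or None for non-BO traffic."""
    head = packet[:len(MAGIC)]
    if len(head) < len(MAGIC):
        return None
    for key in range(0x10000):
        if decrypt(key, head) == MAGIC:
            return key
    return None

def is_bo_request(packet: bytes) -> bool:
    """True if the datagram decrypts to a BO client request under some key."""
    return recover_key(packet) is not None
```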

Determining if BO has been installed on your machine:
The BO server will do several things as it installs itself on a target
host:

* Install a copy of the BO server in the system directory
(c:\windows\system) either as " .exe" or a user specified file name.

* Create a registry key under
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
with the name of the server file and a description field of
either "(Default)" or a user specified description.

* The server will begin listening on UDP port 31337, or a UDP port
specified by the installer.  You can configure RealSecure to monitor for
network traffic on the default UDP 31337 port for possible warning signs.

In order to determine if you are vulnerable:
1. Start the regedit program (c:\windows\regedit.exe).
2. Access the key
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices.
Look for any services that may not have been intentionally installed on the
machine.  If the length of one of these files is close to 124,928 (give or
take 30 bytes) then it is probably BO.

Recommended action:
BO can be removed by deleting the server and removing its registry entry.
If possible, you should back up all user data, format your hard drive, and
reinstall all operating systems and software on the infected machine.
However, if someone has installed BO on your machine, then it is most likely
part of a larger security breach.  You should react according to your site
security policy.


Determining the password and configuration of an installed BO:
1. Using a text editor like notepad, view the server exe file.
2. If the last line of the file is '8 8$8(8,8084888<8@8D8H8L8P8T8X88'8d8h8l8',
then the server is using the default configuration.  Otherwise, the
configuration will be the last several lines of this file, in this order:

<filename>
<service description>
<port number>
<password>
<optional plugin information>

Conclusion:
Back Orifice provides an easy method for intruders to install a backdoor on
a compromised machine.  Back Orifice's authentication and encryption are
weak, therefore an administrator can determine what activities and
information are being sent via BO.  Back Orifice can be detected and
removed.  This backdoor only works on Windows 95 and Windows 98 for now
and not currently on Windows NT.

- ----------

Copyright (c) 1998 by Internet Security Systems, Inc.

Permission is hereby granted for the redistribution of this alert
electronically.  It is not to be edited in any way without express consent
of X-Force.  If you wish to reprint the whole or any part of this alert in
any other medium excluding electronic medium, please e-mail xforce@iss.net
for permission.

Disclaimer
The information within this paper may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There are
NO warranties with regard to this information. In no event shall the author
be liable for any damages whatsoever arising out of or in connection with
the use or spread of this information. Any use of this information is at
the user's own risk.

X-Force PGP Key available at:   http://www.iss.net/xforce/sensitive.html as
well as on MIT's PGP key server and PGP.com's key server.

X-Force Vulnerability and Threat Database: http://www.iss.net/xforce

Please send suggestions, updates, and comments to:
X-Force <xforce@iss.net> of Internet Security Systems, Inc.

- --------------------------END INCLUDED TEXT--------------------

This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content.  The decision to use any or all of this information is
the responsibility of each user or organisation, and should be done so in
accordance with site policies and procedures.

NOTE: This is only the original release of the security bulletin.  It will
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the original authors to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

	http://www.auscert.org.au/Information/advisories.html

If you believe that your system has been compromised, contact AusCERT or
your representative in FIRST (Forum of Incident Response and Security
Teams).

Internet Email: auscert@auscert.org.au
Facsimile:	(07) 3365 7031
Telephone:	(07) 3365 4417 (International: +61 7 3365 4417)
		AusCERT personnel answer during Queensland business hours
		which are GMT+10:00 (AEST).
		On call after hours for emergencies.


-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
Comment: ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key

-----END PGP SIGNATURE-----