Information about "Back Orifice"
================================
as of September 1998


Name:                Back Orifice
Alias:               BO
Author:              Sir Dystic [cDc]
Origin:              United States
Release Date:        30th July 1998
Version:             1.20
Size:                124'928 Bytes plus config data record
Type:                Trojan Horse
Dangerous:           Very
Vulnerable Systems:  Windows 95/98
Customisable:        Fully, incl. plugins
Droppers:            Available
Comment:             Extremely powerful


Description:

  Back Orifice is the most popular trojan at the moment. Since its release at DEFCON VI
by the Cult of the Dead Cow (cDc), it has spread extraordinarily fast around the globe.
Well, Sir Dystic did a great job. Back Orifice is the most powerful trojan available at
present. It can be configured for many special purposes by using plugins. The many options,
however, make it no easy toy for hacker kids. One must know a lot to use this one right.


Basics:

  Back Orifice hides itself from the task list when active. Upon infection, it installs
itself in the Registry under the key HKLM/Software/Microsoft/Windows/CurrentVersion/
RunServices and is therefore launched by Windows at system start. It copies itself into the
<WindowsRootDir>\system directory and then deletes the installer. The standard installer
has an invisible icon.

  You need to have Windows 95 or 98 to get infected. BO won't install itself on an NT system.
This is due to the static usage of some system DLLs, which are not available under NT.
To get infected you must run the executable on your system. It is *not* possible
to get infected by just browsing the web or reading e-mails. Theoretically. However,
there are bugs in many Internet software packages, including Microsoft Internet Explorer,
Microsoft Outlook Express and Netscape Communicator. Some bugs may allow someone to run
arbitrary code on your machine without any help from you. But these bugs are *very*
difficult to exploit, and this can only be done by a true hacker. Those attacking you with
Back Orifice, however, are usually only kids playing superhacker, so you needn't worry
about those security bugs too much. But to be on the safe side, please install the updates,
service packs and bugfixes for your Internet software and for Windows, available at
www.microsoft.com and www.netscape.com respectively.


Tech:

  Back Orifice is fully configurable. The standard port is 31337, the file name is " .exe"
(a single space before the extension) and it uses no password. But all of this can be
configured. BO always places an entry in the RunServices section of the Registry, whether
the configuration is valid or not. BO uses the UDP protocol for communication, which means
that it cannot be located by a common (TCP) port scan. It only responds to packets
encrypted with the password the attacker configured it with. It also has the option to
run plugins. These plugins can be written by anyone, so a BO server is not limited to its
standard functionality but can easily be extended with other functions; known examples
include sending a mail upon infection, connecting to an IRC server and telling all the
chatters there that the computer is infected, and a sophisticated network traffic sniffer.
BO gives full control over the infected machine, including: application launch and control,
directory and file mgmt, net connection and share mgmt, compression and decompression,
HTTP server, keyboard log, screen capture, webcam capture, play sounds, ping, plugin mgmt,
process mgmt, port redirection mgmt, Registry mgmt, resolve host, display dialog boxes,
system information including cached passwords, lockup, reboot, TCP file send and receive.
  BO can also be misconfigured so that it does not copy itself to the system directory but
stays where it is and runs from there. The Registry entry in this case is not valid, which
makes it harder to locate.
  BO leaves a file called windll.dll in the system directory. This DLL is used for hooking
the keyboard and logging all keystrokes.
  Droppers are available, enabling anyone to package BO into another program, which infects
the target when that program is run. The most powerful of these droppers, SilkRope 2.x,
even encrypts BO, so it won't be located by a common file scan.
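  The indicators above (the RunServices entry, the " .exe" default name, windll.dll in the
system directory and the default UDP port) can be turned into a simple host check. The
following is an added example written for this page, not code from cDc or from the original
text; it runs over a constructed snapshot of a host rather than reading a live Registry, and
the RunServices value name used for the BO entry is a placeholder, since the text does not
give it.

```python
"""Heuristic checks for the Back Orifice 1.20 indicators named in the text above.
Added example, not part of the original page or of BO itself."""
import ntpath
from typing import Dict, List

BO_DEFAULT_PORT = 31337       # default UDP port
BO_DEFAULT_NAME = " .exe"     # default server name: a single space before ".exe"
BO_KEYLOG_DLL = "windll.dll"  # DLL BO uses to hook the keyboard
RUNSERVICES = r"HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices"

def check_runservices(entries: Dict[str, str], system_dir: str) -> List[str]:
    """entries maps RunServices value name -> command line. A default-named or
    blank-named binary is a HIGH hit; a binary started from outside the system
    directory matches the misconfigured case but is only a LOW hint, because
    legitimate RunServices entries start from elsewhere too."""
    findings = []
    for value, command in entries.items():
        path = command.strip('"')
        name = ntpath.basename(path)
        if name.lower() == BO_DEFAULT_NAME or not name.strip():
            findings.append(f"HIGH {RUNSERVICES}\\{value}: BO default name {name!r}")
        elif ntpath.dirname(path).lower() != system_dir.lower():
            findings.append(f"LOW {RUNSERVICES}\\{value}: runs outside system dir: {path}")
    return findings

def check_system_dir(listing: List[str]) -> List[str]:
    """Flag the two file artifacts the text places in <WindowsRootDir>\\system."""
    names = {n.lower() for n in listing}
    hits = [(BO_KEYLOG_DLL, "keystroke hook DLL"), (BO_DEFAULT_NAME, "default server")]
    return [f"HIGH system dir contains {n!r} (BO {what})" for n, what in hits if n in names]

def check_udp_ports(bound_ports: List[int]) -> List[str]:
    """Only catches the default port; a reconfigured server uses another one."""
    return [f"HIGH UDP port {p} bound (BO default)" for p in bound_ports if p == BO_DEFAULT_PORT]

# Constructed snapshot of an infected Windows 98 host (sample data, not real).
# The BO value name under RunServices is not given in the text; "" is a placeholder.
SAMPLE_SNAPSHOT = {
    "system_dir": r"C:\WINDOWS\SYSTEM",
    "runservices": {"SchedulingAgent": r"C:\WINDOWS\SYSTEM\mstask.exe",
                    "": r"C:\WINDOWS\SYSTEM\ .exe"},
    "system_dir_listing": ["mstask.exe", "WINDLL.DLL", " .exe"],
    "udp_ports": [137, 138, 31337],
}

def scan(snapshot: dict) -> List[str]:
    """Run all three checks over one host snapshot and return the findings."""
    return (check_runservices(snapshot["runservices"], snapshot["system_dir"])
            + check_system_dir(snapshot["system_dir_listing"])
            + check_udp_ports(snapshot["udp_ports"]))
```

Against the sample snapshot `scan` returns four HIGH findings; a renamed, reconfigured server
evades all of them except the out-of-system-dir hint, which is the point of the text's
"harder to locate" remark.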
