New Back Orifice Virus May Threaten NT

An update to an old threat is slated for release on July 10, 1999, and may be coming to a Windows NT computer near you.

C. Thi Nguyen

July 7, 1999


An update to an old threat is slated for release on July 10, 1999, and may be coming to a Windows NT computer near you. Last year, a well-known hacking group called Cult of the Dead Cow released the Back Orifice (BO) threat. BO has two halves: a server that runs hidden on the victim's machine, and a client that the intruder runs to control it. Once a hacker gets a user to run the BO server on the user's computer through deception or stealth, the intruder can use the BO client to gain complete control over the user's system. NT users could safely ignore this threat, because BO ran only on Windows 9x, but a new version, Back Orifice 2000 (BO2K), may be released this weekend. Not only is BO2K stronger, smaller, and stealthier than the original BO, it is fully NT compatible. BO2K will also be harder to detect: the original BO listened on a fixed default port, which made it easy to find, whereas BO2K will use a configurable port, so scanning for one well-known port will no longer catch it. The hacking world is already abuzz with excitement, as Web site after Web site posts updates on the upcoming release.

Cult of the Dead Cow advertises BO2K as a tool for network administrators and the like. According to the group's Web site, BO2K is "a control freak's dream," a tool that gives a network administrator full control over every computer connected to the network. An administrator can install the BO server on each computer on the network and run the BO client from a central computer. The administrator can then remotely access any computer on the network as if he or she were sitting in front of it.

The irony of the BO threat is that security providers acknowledge the potential usefulness of BO and even explain how useful BO is in their work. For example, imagine that a user calls a security consultant claiming that a virus has infiltrated and damaged the user's system. The consultant can send a copy of the BO server to the user and use the BO client to access, examine, and repair the user's computer without leaving the comfort of the consultant's cubicle.

The potential misuses of BO are obvious. Because Cult of the Dead Cow releases BO's source code, an intruder can easily disguise the BO server installation program (e.g., as a setup utility for a shareware game). Once users unleash this Trojan horse on their system, an intruder who knows the system's IP address can remotely access the computer and gain access to the user's passwords and databases, as well as complete control over the system.

Microsoft and Symantec claim that the danger associated with BO is limited and that a BO intruder can't reach a target system through a firewall. Bob Olsen, vice president of product management at Network-1 Security Solutions, claims otherwise. He notes that BO uses UDP, the preferred protocol for various streaming media applications such as RealAudio, and argues that because it is hard to pinpoint the source of UDP transmissions, BO can penetrate firewalls. You can secure a network from BO by denying all UDP-based communications, a price that most network administrators and users are not willing to pay. Dan Schrader, director of product marketing at Trend Micro, confirmed that BO is a potential danger, although not nearly on the order of magnitude of viruses such as Melissa or Worm.ExploreZip.
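The two detection problems the article raises, a fixed default port versus a configurable one, and blocking UDP wholesale versus letting legitimate UDP through, can be seen side by side on a small flow log. The following is an added example, not code from the article or from Cult of the Dead Cow. It assumes a whitespace-separated flow log with fields `ts proto src_ip src_port dst_ip dst_port`, an internal network of 10.0.0.0/8, and UDP port 31337 as the original Back Orifice default listening port (the article does not state the number; 31337 is the well-known default of the 1998 release). The log lines are constructed for illustration.

```python
"""Spot Back Orifice-style UDP sessions in a flow log.

Added example, not code from the article or from Cult of the Dead Cow.
Assumptions: a whitespace-separated flow log with fields
`ts proto src_ip src_port dst_ip dst_port`, an internal network of
10.0.0.0/8, and UDP port 31337 as the original Back Orifice default
listening port. The log lines below are constructed for illustration.
"""
import ipaddress
from typing import List, NamedTuple


class Flow(NamedTuple):
    ts: int
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # assumed site network
BO_DEFAULT_PORT = 31337  # original Back Orifice default UDP port (assumption)

# Constructed log: a DNS lookup and its reply (legitimate), an original-BO
# session on the default port, a BO2K-style session on an arbitrary port,
# and a streaming session that the inside host started itself.
SAMPLE_LOG = """\
1 udp 10.0.0.5 51234 198.51.100.7 53
2 udp 198.51.100.7 53 10.0.0.5 51234
3 udp 203.0.113.9 40000 10.0.0.8 31337
4 udp 10.0.0.8 31337 203.0.113.9 40000
5 udp 203.0.113.9 40001 10.0.0.9 54321
6 udp 10.0.0.9 54321 203.0.113.9 40001
7 udp 10.0.0.6 7070 192.0.2.4 7070
8 udp 192.0.2.4 7070 10.0.0.6 7070
"""


def parse_log(text: str) -> List[Flow]:
    """Turn the log text into Flow records, skipping blank lines."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, proto, sip, sport, dip, dport = line.split()
        flows.append(Flow(int(ts), proto.lower(), sip, int(sport), dip, int(dport)))
    return flows


def is_internal(ip: str) -> bool:
    return ipaddress.ip_address(ip) in INTERNAL


def default_port_alerts(flows: List[Flow]) -> List[Flow]:
    """Signature check: inbound UDP aimed at the original BO port.

    Catches the original BO, which always listened on 31337, and nothing
    else; a BO2K server on a configurable port sails past it.
    """
    return [f for f in flows
            if f.proto == "udp" and is_internal(f.dst_ip)
            and f.dst_port == BO_DEFAULT_PORT]


def unsolicited_answered_inbound(flows: List[Flow]) -> List[Flow]:
    """Behavioural check that does not depend on the port number.

    A BO server is a UDP listener that an outside host talks to first.
    Flag an inbound UDP datagram from outside when (a) no inside host sent
    the matching outbound datagram earlier, so it is not a reply to a query
    we made, and (b) the inside host answers it, so something is listening.
    """
    key = lambda f: (f.src_ip, f.src_port, f.dst_ip, f.dst_port)
    reverse = lambda f: (f.dst_ip, f.dst_port, f.src_ip, f.src_port)
    outbound_seen = set()   # 4-tuples the inside sent first
    flagged = set()         # 4-tuples of inside replies to flagged sessions
    alerts = []
    for i, f in enumerate(flows):
        if f.proto != "udp":
            continue
        if is_internal(f.src_ip) and not is_internal(f.dst_ip):
            # Do not let the victim's reply whitelist the rest of the session.
            if key(f) not in flagged:
                outbound_seen.add(key(f))
        elif not is_internal(f.src_ip) and is_internal(f.dst_ip):
            if reverse(f) in outbound_seen:
                continue  # reply to something we asked for
            answered = any(g.proto == "udp" and key(g) == reverse(f)
                           for g in flows[i + 1:])
            if answered:
                alerts.append(f)
                flagged.add(reverse(f))
    return alerts


if __name__ == "__main__":
    flows = parse_log(SAMPLE_LOG)
    print("default-port hits:", [f.ts for f in default_port_alerts(flows)])
    print("unsolicited, answered inbound UDP:",
          [f.ts for f in unsolicited_answered_inbound(flows)])
```

On the sample log the port signature fires only on the 31337 session, while the behavioural check fires on both the 31337 session and the one on port 54321, and leaves the DNS and streaming exchanges alone because the inside host spoke first. The trade-off the article describes is still there: a streaming server that negotiates over TCP and then pushes UDP to the client with no prior outbound UDP datagram would be flagged by the same rule, which is why the practical form of "deny all UDP" is a stateful filter that admits only UDP replies to datagrams the inside sent, plus explicit exceptions for the streaming services the site actually needs.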
