http://www.bindview.com/security/advisory/bo2k_a.html

Back Orifice 2000 (BO2K) Technical Advisory

Issue date: July 14, 1999
Contact: Scott Blake

Issue

Cult of the Dead Cow (http://www.cultdeadcow.com/) released their remote control program/trojan named Back Orifice 2000 (BO2K) on July 10. Although the program could have various legitimate uses, the ability to log keystrokes, list passwords, lock the system up in a busy loop and perform various procedures to deter its detection is likely to be used for less ethical purposes.

The program includes the following functionality, plus the ability to load arbitrary plugins in order to add other extensions:

* File compression/expansion, directory creation/deletion/listing, file search/delete/view/rename/copy, attribute changing, file transfer, message display, keystroke logging, network share listing/manipulation, multimedia capture/emission, plugin loading/execution, process list/kill/spawn, registry examination/manipulation, address resolution, server shutdown/restart, ping, version query, reboot, system lockup, list passwords, return system info, display/manipulate/forward TCP/IP connections and view/manipulate files and services by acting as an HTTP server.

The program has no built-in mechanism to propagate itself and therefore needs to be transmitted and executed as any other program, perhaps via email attachments, IRC, or plain social engineering.

By default, the program is configured to listen on UDP port 54321 and TCP port 54320 using NULL authentication and XOR encryption with a blank key. However, the program will not bind to these ports without being configured with the bo2kcfg program first. This allows the ports, protocol, authentication type, encryption type and key to be easily changed and fixed into the server executable. At the same time, it is also possible to set various stealth parameters which will hide the program from process table viewers, as well as many other parameters.
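The default ports just described give a defender a first, if weak, indicator to look for. As an added example (not from the advisory and not BindView's tool), the following Python parses constructed netstat -an output and reports sockets bound on the default BO2K ports; since bo2kcfg lets the ports be changed, a clean result rules nothing out.

```python
import re

# Default BO2K listener ports named in the advisory. The server is normally
# reconfigured with bo2kcfg, so a miss here clears nothing.
DEFAULT_BO2K_PORTS = {("tcp", 54320), ("udp", 54321)}

# Matches rows in the Windows "netstat -an" layout:
# Proto, Local Address, Foreign Address, State (UDP rows have no State).
_NETSTAT_LINE = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$", re.IGNORECASE
)

def parse_netstat(text):
    """Yield (proto, local_port, state) for each socket row in netstat -an output."""
    for line in text.splitlines():
        m = _NETSTAT_LINE.match(line)
        if not m:
            continue  # headings, blank lines and anything that is not a socket row
        proto, _addr, port, _foreign, state = m.groups()
        yield proto.lower(), int(port), (state or "").upper()

def find_default_bo2k_listeners(netstat_text):
    """Return sorted (proto, port) pairs bound on the default BO2K ports.

    TCP sockets count only in LISTENING state; UDP rows carry no state, so any
    bound UDP socket on the default port is reported.
    """
    hits = set()
    for proto, port, state in parse_netstat(netstat_text):
        if (proto, port) not in DEFAULT_BO2K_PORTS:
            continue
        if proto == "tcp" and state != "LISTENING":
            continue  # an outbound connection using port 54320 is not a listener
        hits.add((proto, port))
    return sorted(hits)

# Constructed sample output, not captured from a real host.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:54320          0.0.0.0:0              LISTENING
  TCP    192.168.1.5:1043       192.168.1.9:54320      ESTABLISHED
  UDP    0.0.0.0:54321          *:*
  UDP    0.0.0.0:137            *:*
"""

if __name__ == "__main__":
    for proto, port in find_default_bo2k_listeners(SAMPLE_NETSTAT):
        print(f"default BO2K port bound: {proto}/{port}")
```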
Detection

Anti-virus vendors have published, or will be publishing, signatures for attributes of the default programs bo2k.exe, bo2kcfg.exe, bo2kgui.exe, bo3des.dll, bo_peep.dll, etc. However, because the source is available, it is anticipated that these signatures will need regular updating to deal with modified distributions.

When the program uses TCP connections (the default), it will always be possible to detect that a port is listening, though not necessarily to produce any response from it. The detection of an unexpected port may provide a clue that BO2K is installed, but it may also be installed on an innocuous port. When using UDP, it may also be detectable due to the lack of ICMP port unreachable messages. In either case, if the default NULL authentication is used, a response will be issued even if the encryption key is incorrect. Encryption is performed by default using a trivially decrypted XOR mechanism, or optionally a stronger 3DES mechanism.

It should be stressed that most forms of detection based on file signatures, port probes or network traffic will likely be rendered less effective as the source code is modified to avoid published detection mechanisms.

Solution

The best solution is to ensure that the program is prevented from being installed in the first place. This can be assisted by running anti-virus tools, but also requires vigilance in preventing the downloading and execution of unknown programs. Security scanners such as BindView's HackerShield have been updated with detection modes for known incarnations of BO2K, and AV tools will be able to be used to locally detect and clean these.

As a service to the community, BindView has released a free, stand-alone tool with source code to determine whether the BO2K executable can be found on your computer. You may download this from http://www.bindview.com/security/advisory/bo2K.html

BO2K Availability

The main site through which the GPL sources and binaries will be made available is http://www.bo2k.com.
If this site is unavailable, pre-release versions are available on the internet from several sites such as http://phoz.dk/bo2k/

BindView Development
3355 WEST ALABAMA * 12th FLOOR * HOUSTON, TEXAS * 77098 * USA
PHONE: 713.561.4000 * FAX: 713.881.9200
INTERNET: webmaster@bindview.com * COMPUSERVE: GO BINDVIEW