BO2K cracked

Ford writes "The BBC is reporting that Internet Security Systems has "decoded the protocols and encryption algorithms of Back Orifice 2000 (BO2K) within 24 hours" of it's release. Microsoft has only issued only a warning, refusing to admit that there might be security vulnerabilities in WinNT. " The security agencies interviewed in the article are claiming that BO2k is child's play, and that they've already detection systems in place. I'm just waiting for the Defcon response to their claims.

Trojan horses are hard to protect against

BO is a trojan horse. If you can get a user to run an executeable, you have him fscked. If I send someone a Linux executeable which modifies his login script to start a telnet server (modified to not require a login, of course) on some non standard (>1024) port, he has his account wide open. Anything he can do, you can log in and do as well. Is this a security flaw of Linux?

You cannot prevent users from doing such things, under any OS. As such I think Microsoft is right that this is not really a security problem in Windows.

Now, I do not know if BO gives administrator rights to the invader. If it does, then *that* would be a security problem. But letting people install programs is not.

Of course, you could make users unable to run programs from $HOME at all, but that would be unacceptable in many circumstances.
--

Re:get an education about NT before talking...

This isn't a flaw in NT, it's a flaw in the NT admin.

True, sadly, most NT Workstations seem to be set up with local administrative authority for the users.

I don't know if this is done to make the transition from Win9x easier, or to just reduce the workload of technicians, or because admins don't consider desktop security that important (after all, you could just steal the hard drive!) -- but in any case, it's a pretty stupid approach. Hopefully BO will get people to rethink this.

Note that if Linux ever starts getting used on the desktop, I wouldn't be suprised to see people give the users root authority too.


--

Facts from the con

Ok, I'm seeing alot of disinfo about BO2K here. So let's address a few right here:

1. Breaking BO2K's Crypto:
Of course he broke BO2K's crypto - the Generic, straight from the 'box' crypto is XOR encryption - which is simple to 'break'. That said, inseide the US, you can download a plug-in that will allow BO2K to use 3DES. Sophos did not crack 3DES. Even if he did, the plugin architecture allows a programmer to add any encryption scheme they wish, and BO2K will use it fore all of it's transfers.

2. Detecting of BO2K
Well - to detect BO2K in one configuration, all IIS had to do is look at the threads, and it will show up. This could be what they are discussing as easily detectable. However it is also possible to get BO2K to hide quite effectivly by having it hop between threads, and use whatever ports it wants to. IIS could also be referring to the fact that BO2K uses the same registry key every time - and it does so on purpose which leads into point 3....

3. BO2K is a virus
BO2K is not a virus. Not even remotly. At worst it's a Trojan, but it is no more a Trojan then other packages like say PC Anywhere (and another one that I can not remember the name of - it starts with an S) Interestingly, some other 'remote admin' packages can also be installed over the net, or given as a 'trojan', or even be run as a hidden process. BO2K has many of the same features as similar packages, and has the same ability to be used for admin, as well as cracking.

4. BO2K is bad
BO2K is what you make of it. It's a tool. it can be used in many ways - some bad, some good. It really has some very useful features. Those features again can be used as you see fit.

I am not affiliated with the cdc, these views come from seeing their presentation of BO2K at defcon.

Just wondering...

I guess it wouldn't have mattered in this case, since BO2K is GPL'd, but I wonder: If the software lobbies manages to ram through all their proposed laws that would illegalize reverse engineering, will virus writers be able to sue anti-virus companies that crack their code?

Summary

Below is my summary of the article....

Sophos cracked BO2K. Errr wrote a detector for it. We don't know the difference though. But they figured out the protocols and encryption schemes. Ohhh buzzwords.
Those nasty cDc'ers didn't like Rouland and he showed them. He asked for a copy which is completely sensible as he's a good guy, but they don't like him. We won't mention that he wanted a copy before everyone else.
We think this will allow them to control other computers. But we aren't sure what control it gives you, so we'll just blather on. Oh and insult them. They're kids. They are even infected.
But not to worry any one M$ is right on top of it. They even issued gasp a warning.
Its a toy but ISS warned the program could easily be used to delete files, reconfigure machines, steal passwords and redirect network traffic, without a user or administrator's knowledge.
Isn't it amazing what toys can do now.

Pardon the sarcasm.
-cpd

"Decode" a GPL program?

Pretty easy when they give you the source. Sheesh. Next thing you know they'll "decode" how OpenBSD implements IPSec.

I rather think the Cult's point is still made.

Re:BO2K is not a big deal

One could not write a program that would do what BO does on every Linux box it was run on, it would have to run as root. Only newbies are logged in as root all the time, and within 24 hours of something like BO being released for Linux there would be a patch/detection/fix released and sysadmins would know to use it. NT admins do not tend to have the level of security awareness the *nix admins do. Sending a secretary a electronic greeting card will get BO installed on most networks. After that she forwards the file to a few of her friends and guess what, security comprimised. It might be a little harder to get upper management to run a program but I doubt it.

I know your solution is to install a detector on every machine, but this is open source, it will mutate beyond detection very quickly. MS downplayed the initial release of BO, and the cDc responded with this release, maybe the unwashed masses will finally see that MS products are full of security holes, don't even get me started on VBA. It is the, dumbass users as you call them, that make up the majority of the computer market, what makes you think you are so much better than they are. Frankly your comment about that disgusts me, I suppose you have never gotten a virus. I am an admin, but I don't feel that I am high and mighty compared to my users, get real, without users I wouldn't ahve a job.

I cannot agree with the tactics used to prove MS's security flaws, but at least someone is pointing them out, and they are using a big red pointer to do it. If NT security was not screwed to begin with then this problem wouldn't exist. There is a reason that there are not many programs like this and viruses for Linux, it is very hard to do. There are plenty of cracking tools, but most sysadmins know what to watch for. I'll bet at least 50% of the NT admins out there have believed MS's FUD about this and are telling their users there is no problem. So no, the cDc is not asking MS to fix the users, how about fixing the things that allow this prgram to do this to begin with. I am going to lower myself to your level now and say this, it's people like you that allow MS to continue to produce buggy software with swiss cheese like security holes. ( I was going to call you something insulting, but I decided that I couldn't bear to lower myself all the way to your level) Have a nice day.

Re:"Microsoft hit by Cult of the Dead Cow"

"True to the hacker's word, anyone curious enough to log into the cult's website will find his or her computer automatically infected with a virus."

How true is this?

Completely true. Only, it's an old virus called "Good Times". Tell all your friends. ;)