Posted by CmdrTaco on Thursday July 30, @04:29AM from the stuff-to-read dept.
Omega from the Cult of the Dead Cow has written up a series of answers to questions posed in the article we ran Wed. on Back Orifice, the remote administration program that will be released in the first week of August at Defcon 6. They talk about buffer underruns and other security holes that will allow B.O. to roam free, as well as answering tons of other questions about what this is and what it will and won't do. I'm not going to taint this with opinions, because frankly I still don't know what I think about this. So read it and decide for yourself.
The following is a response from the Cult of the Dead Cow regarding their Back Orifice program. I've posted it unedited (well, I did try to HTML it a bit) for the benefit of interested readers. Read at your own risk.
________________________________________________________
MEDIA RESPONSE, 7/29/98 (cDc cow logo) www.cultdeadcow.com
________________________________________________________
With regard to Slashdot's 7/28/98 article about cDc's Back Orifice application (http://www.slashdot.org/articles/980728/1320244.shtml)
"... read about some interesting software that allows you to remotely, well, administer Windows boxes. The sad part is Microsoft will probably divert this as nothing more than a trivial attack and then throw the technology into a subsequent release of the product. But it is this sort of thing we need to keep Microsoft on their toes. Excuse the bad Latin (again), but Carpete Diem!

Update: Is this a hoax? It sure looks suspicious. You do need to run a client program, so it doesn't seem that evil, unless munchkins can sneak into your office under cover of darkness and add it to your startup group..."
THE CULT OF THE DEAD COW was very interested to read yesterday's feedback on Slashdot regarding cDc's imminent release of BACK ORIFICE. We believe such a tool has been eagerly awaited by the user community and judging from the positive responses, it appears we're right.
We would, however, like to correct a few errors reported about Back Orifice and answer a few questions.
cDc? DON'T THEY PUBLISH TEXT FILES?
cDc enjoys publishing text-files, but there's much more to the CULT OF THE DEAD COW than that. Have you read what we've been up to in China, for instance? Check out cDc #356, or our Media List.
IS BACK ORIFICE A HOAX?
The name is "Back Orifice", not "Back Office"; "Back Office" is, as you know, trademarked Microsoft. And yes, Back Orifice is real.
We will be demonstrating it at Defcon 6 in Las Vegas the weekend of August first, so if you're there, you'll see it with your own eyes. Depending on how quickly we recover from hang-overs, gambling debts, debauchery and Microsoft intrigues, it should be available for download from
on Monday, August 3 or thereabouts.
IS IT A TROJAN HORSE?
"Let me get this straight -- if I install this Trojan cum virus on my Windows 95 or 98 system, I'm toast? What a revelation. Major security hole." -- Paul Leach, Microsoft. source: NTBugTraq
We prefer to call Back Orifice a "remote administration tool." I suppose in the most general sense, someone might call Back Orifice a "Trojan Horse," but that would be a gross over-simplification and inaccurate. Trojan Horses generally have very specific, pre-programmed goals -- usually destructive. Unlike most Trojan Horses, there is nothing inherently destructive about Back Orifice. Nelson Minar's observation that Back Orifice _resembles_ a "root-kit for Windows" would be more accurate.
Back Orifice doesn't need to be installed on the end-user's machine _by_ the end-user, contrary to what Paul Leach thinks. (Nor is his judgement about Back Orifice especially useful.)
The security holes in Windows already exist. Sir Dystic points out a few of the holes in the OS in cDc #338. Dildog demonstrates in cDc #351, "The Tao of Windows Buffer Overflow", a stereotypical security hole in a Microsoft application. In fact, borrowing the words of a well-known security expert, cDc #351 could be subtitled, "If I install a Microsoft application on my Windows 95 or 98 system, I'm toast? What a revelation."
In his file, Dildog posits a situation where one might get an e-mail with a Microsoft NetMeeting 'SpeedDial' CNF file attachment. The e-mail says, "My girlfriend and I want you to watch us fuck while you spank it! Call us soon, we're horny!" Launching the NetMeeting attachment could trigger a buffer overflow exploit which could be used to install a Trojan Horse (or anything else!) onto your system.
Zero, one of Slashdot's readers, was more succinct:

"As for getting it [Back Orifice] to install, I could go through quite an extensive list on possible ways to get it installed. Future discovered bugs will open new ways to insert this application. The program itself isn't an exploit."
OTHER QUESTIONS?
A few questions voiced by slashdot readers in the message forum:
Q: Tril wants to know: what happens if you try to install Back Orifice on a system that already has it?
A: As it happens, multiple instances of Back Orifice can be installed on a system and be running concurrently, each listening on different (user-configurable) ports.
Q: Bill McCarthy asks: what good would something like BO be in light of well-placed firewall security measures? Is BO something that can pierce firewalls once installed?
A: Depends on how well-placed the security measures are and what they are. Generally, firewalls are more permissive about outbound connections than they are about inbound connections. So it is possible to operate BO across a firewall (depending on the circumstances) and it is also possible to install BO across a firewall (depending on the circumstances). But BO in itself isn't designed with firewall intrusion in mind.
Q: Kent Wang heard that SMS will do the same thing [systems management]. What's the diff?
A: SMS has more (and different) features and whether it actually works as advertised is arguable. BO is free; is only about 120 Kbytes in size; and it works. You can also write your own custom plug-ins for BO: its architecture is easily extensible.
For further details or lucrative film offers, please contact:
The Deth Vegetable
Minister of Propaganda
CULT OF THE DEAD COW
veggie@cultdeadcow.com
.......................................................................
The CULT OF THE DEAD COW (cDc) is the most influential group of hackers in the world. Formed in 1984, the cDc has done everything from publish the longest running e-zine on the Internet to diddling military networks around the globe. We could go on, but who's got the time. Journalists can check out the Medialist link on our Web site for more background information. Cheerio.
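The bug class Dildog's cDc #351 write-up describes, an application copying a field from an attacker-supplied attachment into a fixed-size stack buffer without a length check, as an added example. This is not code from the cDc release, from cDc #351, or from NetMeeting; it is a toy parser for a constructed line-based profile format with a "Name=" field, shown in its vulnerable form next to a bounded version that rejects over-long fields. The field name, the 32-byte buffer and the sample lines are assumptions made for the illustration.

```c
/*
 * Added example (not cDc's code and not NetMeeting's parser): a toy
 * "profile attachment" parser showing the stack-overflow bug class
 * described in cDc #351, next to a bounded version of the same routine.
 * Format, field name, buffer size and sample lines are all assumed.
 */
#include <stdio.h>
#include <string.h>

#define NAME_MAX 32   /* size of the on-stack destination buffer (assumed) */

/* VULNERABLE: extracts the value of a "Name=..." line with strcpy().
 * A value longer than NAME_MAX-1 bytes runs past 'name' and overwrites
 * whatever sits above it in the stack frame (saved registers, return
 * address). Returns 1 if a Name= line was parsed, 0 otherwise.
 * Shown only for contrast; never call it with untrusted input. */
static int parse_name_unsafe(const char *line, char name[NAME_MAX])
{
    if (strncmp(line, "Name=", 5) != 0)
        return 0;
    strcpy(name, line + 5);            /* unchecked copy: the defect */
    return 1;
}

/* Bounded version. Returns 1 if the value fit and was copied, -1 if the
 * value is too long (rejected outright, 'name' left empty, no silent
 * truncation), 0 if the line is not a Name= line. */
static int parse_name_safe(const char *line, char *name, size_t name_len)
{
    if (name_len == 0)
        return -1;
    name[0] = '\0';
    if (strncmp(line, "Name=", 5) != 0)
        return 0;
    const char *value = line + 5;
    size_t vlen = strcspn(value, "\r\n");  /* value ends at end of line */
    if (vlen >= name_len)                  /* no room for value + NUL */
        return -1;
    memcpy(name, value, vlen);
    name[vlen] = '\0';
    return 1;
}

/* Static check: would parse_name_unsafe() overrun a buffer of buf_len
 * bytes on this line? True when value length + terminating NUL > buf_len. */
static int would_overflow(const char *line, size_t buf_len)
{
    if (strncmp(line, "Name=", 5) != 0)
        return 0;
    return strlen(line + 5) + 1 > buf_len;
}

/* Constructed hostile line: "Name=" followed by 72 'A's, well past NAME_MAX. */
static const char *make_hostile_line(void)
{
    static char hostile[NAME_MAX + 64];
    memset(hostile, 0, sizeof hostile);
    strcpy(hostile, "Name=");
    memset(hostile + 5, 'A', NAME_MAX + 40);
    return hostile;
}

int main(void)
{
    const char *benign = "Name=alice";          /* constructed sample line */
    const char *hostile = make_hostile_line();  /* constructed sample line */
    char name[NAME_MAX];

    printf("benign  -> safe=%d name=\"%s\"\n",
           parse_name_safe(benign, name, sizeof name), name);
    printf("hostile -> safe=%d (rejected)\n",
           parse_name_safe(hostile, name, sizeof name));
    printf("hostile -> unsafe parser would overflow %d-byte buffer: %d\n",
           NAME_MAX, would_overflow(hostile, NAME_MAX));
    /* parse_name_unsafe(hostile, name) is deliberately not executed. */
    return 0;
}
```

The bounded parser rejects rather than truncates: silently cutting an over-long field to 31 bytes keeps the process alive but hides the fact that the input was malformed, which is exactly the signal a defender wants to see when a file arrives by e-mail.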