BO2K cracked

Posted by Hemos
from the shut-down-the-red-lights dept.
Ford writes "The BBC is reporting that Internet Security Systems has 'decoded the protocols and encryption algorithms of Back Orifice 2000 (BO2K) within 24 hours' of its release. Microsoft has issued only a warning, refusing to admit that there might be security vulnerabilities in WinNT." The security agencies interviewed in the article are claiming that BO2K is child's play, and that they already have detection systems in place. I'm just waiting for the Defcon response to their claims.
  • by Anonymous Coward
    http://www.ntk.net/doh/options.html

    (Thanks Virulent Memes)
  • by Anonymous Coward
    Most of the 'fanatics' in the computer operating system sphere are people ranting about smaller players like Linux. Most Windows users and advocates are just people getting things done, living their life, and trying to keep 'fanatics' from lunging at their computers.

    I don't know of anybody who attributes the success of Microsoft to the 'brilliance' of Bill Gates or any one individual within that company. They know what they're doing and how to meet the needs of a market, but the only 'gushing' I see happening occurs any time Linus Torvalds walks onto a stage.

    It's noteworthy that Linus, equally as much as the founders of Microsoft, happened to be at the right place at the right time. And also came up with nothing particularly new.

    I use Linux, OS/2, Solaris, Windows 95, Windows 98, Windows NT, Windows 2000, the BeOS, and even a little Atari ST in my daily computing life. All have merits and weaknesses. I've grown away from a tendency toward fanaticism. It doesn't reflect well on anybody to be obsessed.
  • I think what he probably meant was that taking the machine off-line
    (and locking it in a vault without a keyboard, mouse, or monitor) is
    the only way to guarantee that a machine is secure :o)

    Of course this makes said machine singularly useless...
  • by Anonymous Coward
    BO2K doesn't take advantage of any security holes in NT. It runs as a system service that accepts connections and allows the client to perform a myriad of both benign and unbenign tasks on the host machine. Of course, it has decent legitimate uses for system administrators but it is being presented in a viral fashion from a group whose objective is clearly to pull the wool over the collective eyes of the uneducated computer user and media. If CDC was truly interested in "helping" they would cease this childish, "me too" Microsoft bashing and provide the community with something new and insightful. I'm sure they're having all sorts of little rallies and pep-talks with one another about how they're "showing some control" when they're just showing their own contempt for the rest of us professionals that know better. I am, quite frankly, offended that CDC assumes we're all so naive to believe that they're doing us a favor.

    To get straight to the meat of my post: this (BO2K) is not exposing any security hole. BO2K could be written for *NIX, BeOS, MacOS, etc.

    People seem to generally miss the most important detail of all: the only practical way to truly lock down any OS is to remove it from the network entirely and allow zero points of entry.
  • In Linux the cracker would only get the access of the user who ran the trojan.

    Sure it's possible that a Linux newbie might log in as root all the time. But what does a Linux newbie have to lose anyway? The real threat is in the corporate environment, where the users are not going to be logged in as root ever. And most employees are much less likely to screw around like that on a Unix system at work anyway.

    With Linux, while the threat of a trojan is there, the possible damage is much less severe, because of the limited rights of the user.

    On the other hand, with NT, as soon as any user runs the trojan, the machine is wide open with full administrator rights for the cracker.
  • Yes, okay - I can agree with that.

    My point was that BO does not show Windows NT to be especially bad at security - BO could have been for any platform.

    But we agree, and this has been discussed enough, so I will stop here.
    --
  • by Anders (395) on Tuesday July 13, 1999 @04:01AM (#1805789)
    BO is a trojan horse. If you can get a user to run an executable, you have him fscked. If I send someone a Linux executable which modifies his login script to start a telnet server (modified to not require a login, of course) on some non-standard (>1024) port, he has his account wide open. Anything he can do, you can log in and do as well. Is this a security flaw of Linux?

    You cannot prevent users from doing such things, under any OS. As such I think Microsoft is right that this is not really a security problem in Windows.

    Now, I do not know if BO gives administrator rights to the invader. If it does, then *that* would be a security problem. But letting people install programs is not.

    Of course, you could make users unable to run programs from $HOME at all, but that would be unacceptable in many circumstances.
    --
  • heheheh Cluely has BO....Cluly heheheh
  • That's not the point either. The encryption algorithm was not meant to be strong. The only reason you'd want a strong encryption algorithm is if you wanted to use BO2K as a legitimate remote administration tool. Needless to say, that's not the real intended purpose. As a backdoor to somebody's machine, the strength of its encryption algorithm is completely irrelevant.
  • by avm (660)
    VNC for BeOS (currently only the client) is in BeWare [be.com]. Seems to work alright...I use it to talk to several windows boxen on my internal network.
  • You could also use Unix groups for what they're intended to be used. Create a group for local users ("local" is a good name), add yourself to it, do: "chown root qwcl; chgrp local qwcl", and set the bits so that only members of that group can launch the program ("chmod 4110 qwcl").
  • BO is a trojan horse. If you can get a user to run an executable, you have him fscked. If I send someone a Linux executable which modifies his login script to start a telnet server (modified to not require a login, of course) on some non-standard (>1024) port, he has his account wide open. Anything he can do, you can log in and do as well. Is this a security flaw of Linux?

    You cannot prevent users from doing such things, under any OS. As such I think Microsoft is right that this is not really a security problem in Windows.

    This is a security flaw of Linux, just as it is for Windows NT. Theoretically these systems can be very secure, but practically they cannot -- assuming normal people use the system, add programs, etc.

    Windows NT does not have exceptionally bad security compared to other OSes. But in defense of the future of CS, trojans are a problem that needs to be solved.

    Sandboxes (as in Java) are one attempt to solve this. They aren't a very good solution, but more of a hack on underlying security problems.

    I think capability systems provide the sort of fine-grained access that is needed. Eros [eros-os.org] is an OS that attempts to do this. There are some papers online there about capabilities -- What is a Capability, Anyway? [eros-os.org] might be a place to start.

  • Does anyone have an mp3 that doesn't have psychedelic tones in the background? (Or am I doing something wrong?)

    The speech sounds interesting, but only the parts that I can understand.

  • by pb (1020)
    I would call giving every user root access a *big* security hole. (of course that doesn't apply as much with Windows NT, but...) Also, I'm sure BO2000 *is* a better remote administration tool than anything Microsoft has ever offered since XENIX. I would kill for telnet to Windows machines... (but then I'd want a *useful* CLI... :)
  • by pb (1020)
    Oh, right, that's why I don't use them. (I have used bash and some other ported UNIX utils, the GNU/DJGPP ports, and some other inferior ones) Either everything is slow and big and statically linked, or it's fast, and re-written for DOS, and has new, quirky limitations... *sigh*

    Also... what kind of an argument is that? There are millions of insecure machines on the internet that haven't been cracked or crashed because *no one has cracked them*. That doesn't mean it can't be done, it just means that we don't have enough crackers to go around. :) Don't complain, one of them might perk up and notice you...

    Heh. If they're running IIS and NT, that's almost like trying to hack your own machine. Have fun keeping it stable. Running a vanilla NT machine and not doing anything with it is easy, but I have a lot of respect for anyone who tries to use NT for heavy work *and* keep it stable. That's much more arcane than UNIX ever was...
  • by pb (1020)
    Yay, more ports to scan! ;)

    But seriously, I've seen W2000 Beta 3, and I'm not impressed. It's bloated, and it crashes more than NT ever should have. And that's saying something.
  • No joke. Sounds like a dead end situation to me - you bear all the responsibility, but have no power to remedy the situation? And the people who can remedy the situation have no responsibility? How is anyone supposed to accomplish anything that way? :)
  • But it's not in Microsoft's interest (at least from their point of view) to protect anything but their bottom line. If it won't hit them in the pocketbook, they're not going to care. So basically they're saying "Fixing these bugs we won't admit to wouldn't be profitable to us, so we're not going to admit to the fact they exist."

    How about that?
  • You guys know what the ISS announcement really means don't you? A hell of a lot of people are going to end up getting burned by BO2K. The clowns at ISS have just made BO2K a hell of a lot more dangerous to MS operating systems than it ever was...

  • I wonder how much ISS charges to perform at birthday parties for pre-schoolers, and do they provide their own cleaning service for their clown suits?
  • Or, rather, try to run Powerpoint as a user after installing it as an admin.

  • All programs run with your rights. They effectively setuid to the user. This is *BAD* (and inherently insecure).

    Eros [eros-os.org] is immune to these flaws (which also affect all Unix systems).


  • I haven't laughed so much since zipexplorer came out. ISS have wonderful marketing spin, I mean, how difficult is it to 'crack' things when you've source (as other people have pointed out). Come on Kris, I wasn't born yesterday.

    I'm now waiting for a modified zipexplorer that includes the BO2K client, then we can all go back to installing proper email servers on our lans.

    M-Sexchange no product has never been so well named :-)

    Martin
  • There was a discussion awhile ago on NTBugTraq about the \winnt permissions. As per MS instructions only the Admins should be able to write to \winnt and its sub-directories, but because windows apps are made to work on 9x machines as well as NT machines, you cannot do this.

    Although the above poster seems to think that he can have \winnt and its sub-directories read-only; I doubt that he has ever done this. Most apps need write access to the \winnt dir tree in order to work. Office 97 is an example of one such app.

    What this means is that you can have a secure NT machine or you can have an NT machine with Office 97, but you cannot have the \winnt dir-tree read-only and run Office at the same time.
    You can work around this security hole by installing Office 2000, or upgrading to *nix.
  • Not unless you have Admin rights.

    perl -e 'print scalar reverse q(\)-: ,hacker Perl another Just)'
  • I don't know why so many people have posted about it being possible to e-mail a trojan telnet server to a machine, running on an unnamed port. Most forms of Unix still use the olde, quaint "remote" programs, such as rlogin, which leaves the nasty hole offered by .rhosts. That would seem to be a far deadlier security hole than the prospect of running a complete server.
  • So this wouldn't cause any problems in NT?

    C:\>cd \winnt
    C:\WINNT>del *.*
  • password.. salt.. hahahah (-:
  • You really don't even have the most basic understanding of the word "server", do you?
  • Good points, and I'm glad to read an informed view on this.

    I think more people should do more research than reading zdnet and news.com on this subject. There are a lot of stupid posts above this one from people armed with disinformation. Quite simply, a lot of them are missing the point.

    Anyone who wasn't there to hear the introduction first hand, you should check out the 41 minute MP3 of it. It's a lot more interesting than most product announcements. Here [phoz.dk] is a link to a page containing the mp3. Pay particular attention to the cheers from the crowd every time they mention something stupid in Windows that contributed to the program.

    Things like "remote threads". Seriously. You can start a thread of another program from your program, stick your program into it, and what do you know, explorer.exe is now also running rc5des.

    For a good laugh, listen to the undocumented Win32 call used in the 95/98 client.

    Discrediting BO2K is almost as dangerous as BO2K itself. You can't just scan for port 31337. BO2K doesn't have a default port, you have to put something in yourself. You can't just look on netstat for open TCP connections. BO2K can transport over ICMP. You can't look for a signature to the file, adding a random x=x; into it will change it.

    Sure, you say, but how many script kiddies will go changing source code? A valid point, as most script kiddies can't tell a semicolon from a mouse. However, cDc has also released (surely not coincidence) a "pkzip-lite" style program that compresses/encrypts executables to random keys. File signatures are probably the weakest form of "integrity verification" that I've ever seen. As far as watching for network transmission signatures, you'd be amazed how easy it is to write around that. The important part is that your method need not be good! All it needs to be is 1 bit different. Insert an extra byte into a header. Write a silly wrapper to make it look like http data, or a real audio stream.

    The biggest factor in this is the software's open source license, which allows all this and more to happen. BO2K is merely the first variation. Stopping it is ineffective.

    The last big part is the spreading issue. True, the clearest way to infect a computer is to send it as an email attachment. A quick modification to happy99.exe would really spice things up. IIS servers are still easy targets in the real world. You won't get www3.microsoft.com, but you will probably get www.joesfishingshack.com or similar. Imagine if someone combines a custom BO2K with a virus that is reasonably good at spreading itself.

    That's what I think, at least.
  • ISS (or fill in the blank with your favorite Internet Security company) said they "cracked" the encryption.

    Yay!

    But what wasn't mentioned was that the only way that they can find if BO2K is on the computer...
    is when it's on the computer. They can only find the "encrypted" stream when the connection to the victim computer is already in progress.

    So... they'll sell you their services to fix BO2K.. but only if you've already got it. There is no pre-emptive fix.
  • Hint: if the source code is available, it'll be easier to "crack". Thing is, immediately with its release, ISS would learn just how it worked.

    Which reaffirms the point that BO is meant as a means to rub Microsoft's nose in the fact that their products suck. If they wanted to be bastards, they could have kept the source to themselves.

    J.

  • I dare you to write a BO-like program that will run on MacOS, and give a remote admin control of my Mac when it's connected to a network.

    J.

  • You mean there's *another* person out there who believes that computers are tools and does not scream the mantra "...but it's the technology for the sake of technology that matters"?

    Thanks. Glad to see I'm not alone.
  • Without knowing the specific motives or history, the idea was most likely not to provide a strong cipher -- encipherment isn't inherently necessary anyway for this kind of thing.

    Or, they wanted to limit the potential for ITAR violations -- so that crackers could avoid breaking export law while busy breaking other ones.

    Or, they wanted a deliberately weak cipher so that people would latch on and improve those parts -- maybe write a tight win32 IDEA lib.

    Or, they realized that encipherment isn't an especially important part of BO2K anyway, since its emissions can be detected easily enough whether enciphered or not, so casual over-shoulder encryption was adequate.

    Or, they wanted their counterparts in the virus/security communities to waste time on the encryption stuff, as the counterparts indeed seem to have done.

    It would, in any case, be nice if those whose job it becomes to counter BO2K had taken the opportunity to note why BO2K exists, rather than to inflate their egos in a comical misassumption.


  • "Trojan horse software doesn't target technology, it targets the user. If BackOrifice did in fact exploit security vulnerabilities in Windows or Windows NT, Microsoft would promptly fix the vulnerability, and BackOrifice would be stopped."

    Uhh huh, sure. What would they do? Release a Service Pack? Offer a "free" upgrade? I think MicroSoft is too busy with its head shoved up its rear end to notice. If (when) a program like BO2K becomes available affecting linux, how quickly would the code be edited to stop such a thing, Trojan Horse or not? Very quickly, I say!

    --
    Dave Brooks (db@amorphous.org)
    http://www.amorphous.org
  • And as several other people have pointed out already, one could make a similar program for a UNIX box.
    It's already been done, I got a few of them running on my system right now. In the computing world they are known by these names:

    in.telnetd
    sshd

    A cracker could very easily set up a telnet server, or a ssh server on a machine he just cracked, but the machine would probably be running one already :P
  • In many respects, NT's security architecture (ACLs on everything, non-root daemons, no setUID, etc.) is STRONGER than Linux.
    If you are truly correct about the "non-root daemons" then the >3000 character IIS buffer overflow that eeye [eeye.com] found would not be possible. IIS runs with system level access, which is "root" on an NT box. That is how someone can obtain a "system level" command shell by using this exploit. I think someone else needs to "get an education about NT before talking..."
    But what would I know anyway, I'm just a stupid 20 year old college kid with a linux box and an internship at a huge corporation doing sysadmin work.
  • There is still the eeye [eeye.com] hard info. IIS would not be able to grant a "system" command prompt to a script kiddie without itself running as a "system" level service, or am I wrong? Either way, IIS has the ability to overflow into memory areas that have system level access on a machine, therefore granting a script kiddie a "system" shell on an NT box. You forgot to give me an explanation as to how this is possible.... I would sure love to know. Educate me.

    And for your info, I can lock down any box and build firewalls with the best of them.
  • Unless the linux user is running that shell script as root, it wouldn't happen.

    -Richard, barbarian geek.
  • Actually, I got a CD from cDc that had CIH on it.
  • by zosima (8652)
    Have you checked out VNC [att.com]? It was actually designed for remote access, and I know there is a windows server and I am almost positive there is a Be client [maybe BeDepot, it isn't up on the vnc download site](though it will work in a java-enabled browser, anyways). It might be a better solution with all the coding taken care of for you.
  • I work for a University as a dorm network consultant, and one thing I can tell you is the original BO is still alive and well. (For the end-users, obviously.)
  • (lots of people run NT everyday with Administrator access)

    Or, like me, they give themselves Administrator rights on their user accounts.

    Why? Because I can't 'su' to Administrator to do administrative tasks. I would have to log myself out, log in as Admin., and then log back in as myself. That's idiotic, and it's the difference between being fully multi-user and Windows NoThanks.

    And even if I did leave myself as a regular user, I would still need to have write access to the Windows\System (or is it System32? I forget, but it doesn't make much difference) directory in order to run M$ Office (note: RUN, not 'install')! This too is idiotic.

  • You don't have to reboot; you only have to logout.

    Of course, this is no less inconvenient than a full reboot if you only want to tweak a setting for the sake of some application you're running to see how that app behaves with the change. It's idiotic, really.

  • Beethoven, with Interix in NT4 I can have the same 'window' logged in as any user I want. I think there is even a utility in the NT4 resource kit which allows you to 'su' to another user without having to log off. I don't know this for certain, and unlike the majority of others here, I don't like to comment on things where I don't know what I'm talking about.
    Furthermore, Windows 2000 (I'm running release-candidate 1 on my windows box as we speak) allows you to run any (from what I can see) application as whatever user you want (assuming you have the access and password that is).
  • >Crackers often reason that
    >they are performing a service
    >in breaking into Websites and
    >networks because they expose security flaws.

    Oh so true...The best way to fully be safe from a "virus" is to be immune to it and what better way to be immune to it than to have recovered from an attack of the "virus".

    I think Microsoft should start paying these people...maybe then they would release a safer W2K.
  • Does BO2K exploit any security vulnerabilities in Windows or Windows NT?

    No. Programs like BO2K could be written for any operating system; this one just happens to have been written to run on Windows and Windows NT. On any operating system, if you choose to run a program, it can do whatever you can do.

    This is, IMO, the one lie that more than any other keeps Windows in control of the OS market. People's only exposure is to an OS that runs everything as root and requires users to buy new anti-virus software every month, so they imagine that's the way things have to be.

    Not so. Linux and *nix are fundamentally more secure than Windows, because they make adequate use of the hardware security feature known as memory protection. When a Linux user runs a program downloaded from who-knows-where, s/he runs it as non-root. (except maybe "make install", which is a weak point, IMHO) In contrast, W98 doesn't even try to be secure, and even under NT, users typically run every process with administrator privilege.

  • NT is memory protected, agreed. But I am talking about typical use.

    User: Help! It says I need administrator privilege to install foo/uninstall foo/do something useful.

    Admin: Hmm, that's funny. You're supposed to be able to do that.

    User: But I can't! Come and look at it.

    (user repeats steps with admin watching)

    Admin: Well, I guess I'll give you administrator rights to your own machine...

  • Note that if Linux ever starts getting used on the desktop, I wouldn't be surprised to see people give the users root authority too.

    True, but at least in Linux you can have a root window open for the occasional admin task and do the rest of your work as non-root. NT required you to "log off and log back in as another user" last time I checked. The quick workaround is, of course, to stay logged in as admin.

  • Wow, that must have been a HUGE difficulty, considering the source is available (get it at this site [www.hlz.nl])
  • "ISS cracking abilities are viewed as childs play!"
  • Well, I'm not suggesting it's better to run stuff on NT than Linux or BSD -- but they are out there if you're stuck on NT.

    Re: the BBC -- sure there are loads of uncracked boxes out there, but don't you think bbc.com would make a rather prestigious trophy ?

    BTW www.zpok.demon.co.uk is hosted by Demon -- I'm pretty certain they're not using NT.

  • Well, that's the ftp server -- I was referring to the HTTP server.
    ...

    Hmmm, Netcraft seems to be down at the mo ... but telnet on :80 says 'apache 1.3 (Unix).'

    Interesting, because it definitely USED to be IIS / NT. No, really, it was !!

  • OK netcraft.com reappeared ...

    www.bbc.com is on SunOS. This is Boston Business Computing.

    www.bbc.co.uk is on ... Solaris / Apache. I was wrong ...

    But the point remains the same ... the same Netcraft app [netcraft.com] shows a bunch of high profile large corporations running IIS / NT ... even Windows 98 ?!?! (Gillette) ... so these must all be easy meat for crackers, right ? ... and then all their MIS people would be fired, and replaced with Unix hackers ...

    I'm no fan of NT OR IIS -- I'm just saying that it's not impossible to make them reasonably secure.

  • telnetd (and lots lots more ports of 'real' software) are available for NT and possibly '9x as well. Certainly bash, csh and tcsh are available; so is X11R6.4 ... no, really ! Performance sucks of course. There's a short & incomplete list here [demon.co.uk].

    BTW if NT is so ludicrously insecure, how come www.bbc.co.uk [bbc.co.uk] has never been cracked ? They seem to use IIS as well as NT ...

  • Ok the easiest way to have it installed is via a user running it from email. Remember that NT has been a victim of the good old buffer overflow exploit of late as well.

    I have heard of BO being installed via the outlook exploit under 95. Ok so even if this was done under NT then you still get user rights. However what if I installed it on someones IIS server using the recent buffer overflow exploit, or again using the ftp exploit. These will give me access under the user System.

    Again these have been patched, but I would be very surprised indeed if the last buffer overflow for a service running under NT had been found.

    Ice Tiger
  • Erm no this is not true, remember what one reads in a paper must be true. :)

    BTW I suppose BO2K might be installable via an activex component, another secure microsoft feature. Oh yes before anyone points out about signatures and such, dodgy activex components have been used in the past by legitimate developers and then they get signed under that developer's id.

    Ice Tiger
  • I thought this was the legal basis for the whole software industry. The software companies take no responsibility for their products at all, yet at the same time the end user has no rights that would resemble ownership of the product: can't modify, limited use, etc. Seems like a double whammy to me.

    Aw crap! Now I sound like an open source advocate!
  • ...source that is, :)
  • by jscott (11965)
    the original BO include telnet functionality (a bit sketch tho) not sure about bo2k yet...
  • by jscott (11965)
    I may be a lowly temp, but I do a lot of user support/configs. To me the og ob was _very_ useful (at times) I only hope bo2k is better and more stable. Although I don't think anyone else (sysadmin) around here would agree :)

  • The MS resource kit SU works fine (although only for command lines, as far as I can tell).

    However, MS SU is not part of the OS, and requires installing it as a service. So the average NT workstation probably will never have this capacity, unless MS gets a clue and bundles it with Win2000.
    --
  • Running MS Office under a "secure" NT install is fairly well documented. Look around a bit.
    --
  • This isn't a flaw in NT, it's a flaw in the NT admin.

    True, sadly, most NT Workstations seem to be set up with local administrative authority for the users.

    I don't know if this is done to make the transition from Win9x easier, or to just reduce the workload of technicians, or because admins don't consider desktop security that important (after all, you could just steal the hard drive!) -- but in any case, it's a pretty stupid approach. Hopefully BO will get people to rethink this.

    Note that if Linux ever starts getting used on the desktop, I wouldn't be surprised to see people give the users root authority too.


    --
  • Oops - yep I meant ISS.

    On your first point - Exactly - XOR 'encryption' sucks, it might as well be plaintext

    As far as communication - I'm not really sure - but the program can communicate in more than one way - if they wrote a program to find it on UDP, just set it to TCP. If that doesn't work it can be set to ICMP. BO2K is quite impressive, and if ISS thinks they have a foolproof detection scheme, it is my guess that they have not hit all the bases.

  • by HunterD (13063) <legolas@@@evilsoft...org> on Tuesday July 13, 1999 @07:54AM (#1805851) Homepage
    Ok, I'm seeing a lot of disinfo about BO2K here. So let's address a few right here:

    1. Breaking BO2K's Crypto:
    Of course he broke BO2K's crypto - the Generic, straight from the 'box' crypto is XOR encryption - which is simple to 'break'. That said, inside the US, you can download a plug-in that will allow BO2K to use 3DES. Sophos did not crack 3DES. Even if he did, the plugin architecture allows a programmer to add any encryption scheme they wish, and BO2K will use it for all of its transfers.

    2. Detecting of BO2K
    Well - to detect BO2K in one configuration, all IIS had to do is look at the threads, and it will show up. This could be what they are discussing as easily detectable. However it is also possible to get BO2K to hide quite effectively by having it hop between threads, and use whatever ports it wants to. IIS could also be referring to the fact that BO2K uses the same registry key every time - and it does so on purpose which leads into point 3....

    3. BO2K is a virus
    BO2K is not a virus. Not even remotely. At worst it's a Trojan, but it is no more a Trojan than other packages like, say, PC Anywhere (and another one that I can not remember the name of - it starts with an S). Interestingly, some other 'remote admin' packages can also be installed over the net, or given as a 'trojan', or even be run as a hidden process. BO2K has many of the same features as similar packages, and has the same ability to be used for admin, as well as cracking.

    4. BO2K is bad
    BO2K is what you make of it. It's a tool. It can be used in many ways - some bad, some good. It really has some very useful features. Those features again can be used as you see fit.

    I am not affiliated with the cdc, these views come from seeing their presentation of BO2K at defcon.

  • Why do people always have to put down other people? Is it human nature or what? I have met several of the guys from ISS and they all seem fairly intelligent especially in their field of work.

    Maybe I am biased since I know a few of them...
    Scott

    Scott
    C{E,F,O,T}O
    sboss dot net
    email: scott@sboss.net
  • Ok, your statement is just plain wrong. For once Microsoft is actually being honest. BO2K is not about security problems with NT. The same thing is possible under Linux, look at vnc, it does essentially this, except it doesn't try to hide the fact from you.

    Also, NT doesn't run everything as "root" and it does have memory protection. Actually NT has a better security model than Linux (ACLs vs. uid/gid and the lack of setuid (although I consider that a bad thing)). From what I understand that will be changing, but for the moment it's true.
  • Not if the winnt directory is set to read only for ordinary users, as it should be.
  • >True, sadly, most NT Workstations seem to be
    >set up with local administrative authority
    >for the users.


    In our shop, the main reason for user as local administrator is because there is no super-user command and no multiple virtual consoles. It's a major pain in the ass to have to log off and close all open programs and documents in order to effect some minor tweak or configuration change.

    -matt
  • couldn't be bothered writing 'su' and then a lengthy password every time he wants to play Quake

    chmod 1777 /usr/local/games/quake/id1
    # quoted delimiter: keep "$@" literal in the written script
    cat >/usr/local/bin/squake <<'EOF'
    #!/bin/sh
    cd /usr/local/games/quake
    exec ./squake "$@"
    EOF
    chmod 755 /usr/local/bin/squake

    You'll probably want to do the same for the "hipnotic" and "rogue" directories, and make similar wrappers for the other quake binaries. Shame on id for not writing a better installation script.

  • couldn't be bothered writing 'su' and then a lengthy password every time he wants to play Quake

    chmod 1777 /usr/local/games/quake/id1
    # quoted delimiter: keep "$@" literal in the written script
    cat >/usr/local/bin/squake <<'EOF'
    #!/bin/sh
    cd /usr/local/games/quake
    exec ./squake "$@"
    EOF
    chmod 755 /usr/local/bin/squake

    You'll probably want to do the same for the "hipnotic" and "rogue" directories, and make similar wrappers for the other quake binaries. Shame on id for not writing a better installation script.

    (Sorry about the first one. I honestly thought the Preview button was on the left, not the right, and clicked Submit too fast.) :(

  • Just an aside. I was flipping through my video feeds and happened upon Pat Robertson announcing to his techno-illiterate hordes that "hackers" had released a new "virus" this weekend in Las Vegas (Sin City) called "BO2K". Pat seemed to think this was one more confirmation that the sky is falling, or whatever. To be honest, I was too busy laughing my guts out to pay close attention to his rant.

    I did find it interesting that the acronym BO2K was never translated for the breathless masses.

    Apparently "Back Orifice" is too naughty a phrase for good Christians. Or maybe they just don't admit to their existence.
  • User: Help! It says I need administrator privilege to install foo/uninstall foo/do something useful.

    Admin: Hmm, that's funny. You're supposed to be able to do that.

    User: But I can't! Come and look at it.

    (user repeats steps with admin watching)

    Admin: Well, I guess I'll give you administrator rights to your own machine...



    This isn't a flaw in NT, it's a flaw in the NT admin.
  • Woohoo! The world is safe, unless someone manages to get their hands on the source code and come up with a variant.
    The report is quite sanctimonious, reflecting Rouland's attitude (I suppose). Dissing crackers in such a manner, though, is just inviting trouble.
  • "instead of pushing to have the bugs and holes
    the trojan EXPLOITS fixed."

    The only bugs and flaws trojan horses exploit
    are human. What does cDc expect Microsoft to do
    to prevent something like BO2K? Close off all
    network connections?

    -WW

    --
    Why are there so many Unix-using Star Trek fans?
    When was the last time Picard said, "Computer, bring
  • Anyone know if this will compile under BeOS? I mean, is there any code in here that would throw BeOS for a loop? I just want to remotely administer my windoze box from across the room...

    - - - - - - - - - - - - - - - - -
    I run BeOS. The rules don't apply.
  • They cracked the encryption algorithm that it used. That's different. They probably tried to write their own. Figures, kids think they can come up with their own uncrackable algorithm...
  • > Now I doubt it would apply to viruses, as you would get nailed to a wall for it.

    Of course, if you're already in the slammer for the next 20 you might as well try to drum up some income in case you can't get a job as a security consultant when you get out.

  • > You wanna install BO while you're at it?

    No, if he'd wanted that he would have used the eeye method and installed it himself.

  • > Lust tried Back Orifice 2000, cool stuff!

    Whose machine did you try it on?

    I've sure clicked on a lot of sites that were down over the last couple of days.

  • by Black Parrot (19622) on Tuesday July 13, 1999 @04:40AM (#1805867)
    I guess it wouldn't have mattered in this case, since BO2K is GPL'd, but I wonder: If the software lobbies manage to ram through all their proposed laws that would illegalize reverse engineering, will virus writers be able to sue anti-virus companies that crack their code?

  • Actually, I think the oldest cDc member (in age, not membership) is something over 60.

    The youngest is 20.

    And there's everything in between. For the most part the cDc guys are yer average white twenty-somethings (go figure) ..

    I don't think it's right to lump all of them together as teenagers with delusions of grandeur, sure, some sort of fit that description (the ones that claim the hacker profile...) but the original guys aren't REALLY like that at all.

    They are just some weird guys who released wizardry docs as text files when they were in Jr. High. oh, and some other stuff about rabbits.

    Personally I prefer the text file aspect of cDc, the hacker part is a bit silly.

  • by schporto (20516) on Tuesday July 13, 1999 @03:53AM (#1805869) Homepage
    Below is my summary of the article....

    Sophos cracked BO2K. Errr wrote a detector for it. We don't know the difference though. But they figured out the protocols and encryption schemes. Ohhh buzzwords.
    Those nasty cDc'ers didn't like Rouland and he showed them. He asked for a copy which is completely sensible as he's a good guy, but they don't like him. We won't mention that he wanted a copy before everyone else.
    We think this will allow them to control other computers. But we aren't sure what control it gives you, so we'll just blather on. Oh and insult them. They're kids. They are even infected.
    But not to worry, anyone, M$ is right on top of it. They even issued gasp a warning.
    It's a toy but ISS warned the program could easily be used to delete files, reconfigure machines, steal passwords and redirect network traffic, without a user or administrator's knowledge.
    Isn't it amazing what toys can do now.

    Pardon the sarcasm.
    -cpd
  • One bookmark:

    http://www.microsoft.com/security/bulletins/bo2k.asp


    Kaa
  • I'm sorry to say, fool, that I was there handing out CDs, our official CDs, and there were no virus infected files on it. I scanned it on my own machine, installed, scanned again, nothing. If you got a legitimate release CD, what did it say on the sleeve and on the disc itself? Each distributed CD was signed and written on by a member of cDc. Tell us who signed your disc and what they wrote.

    I'm not surprised to see ISS running around telling lies about cDc, hell they lie about themselves. They claim not to hire hackers, yet they employ hackers. Christopher Rouland had Loki, an ISS employee, hand deliver a message of "Piss on him" to Tfish for our now famous response to ISS' attempted purchase of a prerelease version of BO2k.

    Liars and cheats can do what they need to do to keep the fear levels high and sell their products, but cDc doesn't play that game. The official cDc distribution of BO2K is exactly what it claims to be: a legitimate remote administration tool. ISS has been sending out misinformation about BO2k since well before its release. I've read claims from ISS stating that BO2k is buggy which was why the release was delayed. That isn't true. They claimed to do intensive analysis of the product and defeated its defenses. That isn't much of a task when you have the fully commented source code sitting right in front of you. It makes it so simple that even ISS' "X-Farce" can hax0r the code.

    The answer is simple. If you would like to use BO2K for its intended purpose and would like a guaranteed virus-free distro, download it only from the source: www.bo2k.com It's as simple as that.
  • How? Tell me how NT's security model is stronger than a Unix security model.
  • The shell script would have to be run as root though, otherwise it wouldn't be able to edit /etc/inetd.conf. inetd also needs to be restarted for the change to take effect.

    I suggest if anyone is really worried about it that you get yourself a copy of tripwire and figure out how to use it properly.

  • Do all the package maintenance tools want to run as root? As far as I know, rpm does. What about the others?

    If there's a culture of using root access to do any significant operation on a machine, it becomes much easier to convince a user to use root for every job, and hence to run any arbitrary install script from the net as root.

    Package admin should demand only as much access as is necessary; if run as a normal user, they should install only with that user's rights (modifying ~/bin, ~/lib etc.)


  • "Trojan horse software doesn't target technology, it targets the user. If BackOrifice did in fact exploit security vulnerabilities in Windows or Windows NT, Microsoft would promptly fix the vulnerability, and BackOrifice would be stopped."

    Does this mean (as we knew all along) that Microsoft is more interested in maintaining the integrity of their technology than the interests of their users?

    Sounds like a really easy joke here, but I'm interested how else I could interpret this statement. Please reply if you know ....

  • if you ftp to www.bbc.co.uk you get:

    Connected to www.bbc.net.uk.
    220 www2.thny.bbc.co.uk FTP server (SunOS 5.6) ready.
  • by rhdwdg (29954) on Tuesday July 13, 1999 @03:42AM (#1805890) Homepage
    Pretty easy when they give you the source. Sheesh. Next thing you know they'll "decode" how OpenBSD implements IPSec.

    I rather think the Cult's point is still made.
  • Microsoft has only issued only a warning, refusing to admit that there might be security vulnerabilities in WinNT.

    To me, this is more serious than the BO2k release itself. Denial of any problems makes it very hard to solve them.

    (I'd love to go into the 'you shouldn't even be able to install such tools under a proper or well-protected OS' thread, but then I'm not really feeling like Mr. Unix Snob this particular morning.)

    -fester

    ps.. SECOND POST.. MUAHAHAHA *spak*

  • And which division of MS do you work for ?
    After the original release of BO and the way MS downplayed it, and now BO2k, it doesn't really matter if they are "a bunch of sad teenagers with serious delusions of grandeur" now does it. they've even released it under the GPL, for God's sake! which means it will be mutated and changed in ways that MS and the "anti-viral community" cannot even begin to keep up with. Yes Linux has security flaws, and they are fixed usually within 24 hours of being reported. The effect this could have is frightening, however I think that most of us out here that still have to use MS product are aware of the security threats and take precautions to minimize the risk. Linux is easier to lock down than NT and any sysadmin worth his salt is the only one who even knows the root password. It is much harder to hack a root password from a user account on Linux than it is to send someone an e-greeting card with BO attached. I don't think this is being overplayed by Linux advocates, I do know for a fact it is being played down to the point of being dangerous by MS advocates. The cDc is forcing MS to notice them and by doing that they just might be able to force MS to fix some flaws in their OS. IMHO this is a "Good Thing" I don't think any of the Linux users that have a decent IQ are getting cocky about NT, the fact is, it is less secure, more unstable, and frankly uglier than Linux. (OK uglier is an opinion not a fact) Oh and from the looks of it (just look around on /.) most of the anti-social lamers seem to be part of this side of the fight, I have to disagree with the terrorist type tactics some of them use, but overall they are pretty amusing. I am sorry if it seemed I was ranting, oh and back to the original question, which MS division did you say you worked for ?
  • by flesh99 (32039) on Tuesday July 13, 1999 @06:07AM (#1805898)
    One could not write a program that would do what BO does on every Linux box it was run on, it would have to run as root. Only newbies are logged in as root all the time, and within 24 hours of something like BO being released for Linux there would be a patch/detection/fix released and sysadmins would know to use it. NT admins do not tend to have the level of security awareness the *nix admins do. Sending a secretary an electronic greeting card will get BO installed on most networks. After that she forwards the file to a few of her friends and guess what, security compromised. It might be a little harder to get upper management to run a program but I doubt it.

    I know your solution is to install a detector on every machine, but this is open source, it will mutate beyond detection very quickly. MS downplayed the initial release of BO, and the cDc responded with this release, maybe the unwashed masses will finally see that MS products are full of security holes, don't even get me started on VBA. It is the dumbass users, as you call them, that make up the majority of the computer market, what makes you think you are so much better than they are. Frankly your comment about that disgusts me, I suppose you have never gotten a virus. I am an admin, but I don't feel that I am high and mighty compared to my users, get real, without users I wouldn't have a job.

    I cannot agree with the tactics used to prove MS's security flaws, but at least someone is pointing them out, and they are using a big red pointer to do it. If NT security was not screwed to begin with then this problem wouldn't exist. There is a reason that there are not many programs like this and viruses for Linux, it is very hard to do. There are plenty of cracking tools, but most sysadmins know what to watch for. I'll bet at least 50% of the NT admins out there have believed MS's FUD about this and are telling their users there is no problem. So no, the cDc is not asking MS to fix the users, how about fixing the things that allow this program to do this to begin with. I am going to lower myself to your level now and say this, it's people like you that allow MS to continue to produce buggy software with Swiss-cheese-like security holes. ( I was going to call you something insulting, but I decided that I couldn't bear to lower myself all the way to your level) Have a nice day.
  • by _Sprocket_ (42527) on Tuesday July 13, 1999 @06:30AM (#1805904)
    "True to the hacker's word, anyone curious enough to log into the cult's website will find his or her computer automatically infected with a virus."

    How true is this?

    Completely true. Only, it's an old virus called "Good Times". Tell all your friends. ;)

  • What ISS did was pretty trivial. The "detection" system simply looks at the properties of the network connection. When testing IDS systems at a client site, I found that certain systems, which I can not elaborate on, could not "see" connections if certain operations were carried out on the packets that make up the connection prior to their transmission. This effectively serves as verification of Timothy Newsham and Thom Ptacek's excellent paper on problems with IDS software.
    Here is the URL, thus absolving me from being accused of inventing this idea myself :)
    http://www.nai.com/media/ps/nai_labs/ids.ps

    Enjoy
    -johnny waters, former Information Security Professional (Being a Dilettante is not so bad)
