Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
Check out the new SourceForge HTML5 internet speed test! No Flash necessary and runs on all devices. ×
Microsoft

cDc Charges MS w/ Distributing Cracker Software 356

davidr writes "Microsoft's response to Back Orifice 2000 has been to characterize it as a hacker tool instead of a network administration tool, because it can be installed stealthily and used to monitor users without their knowledge. cDc has reponded by pointing out that Microsoft's own tool, SMS, does the same exact thing! They've called for antivirus software for SMS and challenged Microsoft to recall it. " Read this one. Its interesting. Having never used SMS (hell, I haven't really used windows in a year or so) I'll leave it up to you guys to figure out if this is true.
This discussion has been archived. No new comments can be posted.

cDc charges MS w/ distributing Cracker Software

Comments Filter:
  • by Anonymous Coward
    What doesn't work better than anything microsoft built?

    Drum Roll Please.......

    Communicator!

    (waiting patiently for Mozilla)
  • by Anonymous Coward
    --I think that cDc has a completely valid point here. One question about their announcement, tho. At the bottom, they have various other 'excerps'. I'm wondering if perhaps some of these are related to the earlier version of BO, which really was a trojan. The text doesn't seem to clearly specify. Even if that's true, the main body text seems to make the point nicely.

  • by Anonymous Coward
    I'm not very fond of SMS, but there's a significant difference between allowing a domain administrator run a remote control tool, and creating an app which circumvents NT security to allow anyone to remote control a computer. In my opinion this is CDC FUD.
  • by Anonymous Coward
    Microsoft made the mistake in attacking the stealth feature of BO2K, and cDc responded right back saying that SMS was just as bad as BO2K because it was stealthy too.

    what Microsoft should have mentioned instead were the features of BO2K that *really* made it intended to be malicious. The lockup command, password getting commands, microphone monitoring, etc.

    But the worst thing about BO was actually mentioned in the cDc article when quoting Microsoft: "And, once it's installed, it makes the system available to other people on the Internet."

    This is one key difference between SMS and BO2K. BO2K has a scanner feature (I believe another poster mentioned it), and if you scan a few subnets, you're going to see a bunch of open BO2K servers just waiting there for the hacking. SMS does not have such a scanning feature, and doesn't leave itself open over the internet.

    Also, BO2K is small, and can be easily insterted into a trojan mail macro or an activex control or a buffer overflow or whatnot. Try doing that with SMS!

    There's more that makes BO2K made for malicious activity than simply the stealth feature, folks. cDc is just FUDding microsoft here.
  • I disagree. Even the most dangerous and harmful tools are extremely useful to point two very painful but important facts: microsoft's OS's aren't secure, and people should be more careful when they download and install software.

    If someone hacks you, that should be a wakeup call that you need to improve your security. And I'm not just talking about software; policies should always be more paranoid than necessary.

    If the OS was designed better, and the user was more wary, this wouldn't be a problem at all, now would it? So don't go blaming the messenger; please kindly thank him for informing you of a problem you might not have previously been aware of. I mean, why do you think they release the source code?

    ps - I'm not even going into the topic of why a computer user should have to be an expert - s/he shouldn't, but they should know the dangers of being online and downloading and installing software.
  • Where I work everybody connects to the SMS server except my group, because we all run Linux. I don't know what SMS does, but corporate IS resents that they can't monitor us. They use it as a tool of control.

    I believe SMS also does good stuff like updating software and stuff like that, but like I said, I don't know.

  • Where I last worked, they had some remote control tools. Netfinity from (I think) IBM has the checkbox for asking a user before taking over the desktop unchecked by default. With no visible indication that RC is taking place (nothing in the systray, etc) it also is just as stealthy, although it is much less useful than last year's Back Oriface. Then the company started moving to IBM's Tivoli program. It as well requires a checkbox to ask the user before establishing a connection. So it too should be either banished or welcomed.

    It all comes down to who cDc is. They probably will never be taken as a legitimate organization, so their products will be labelled as virii/trojans...
  • Yes, but the virus still REPRODUCED on it's own, even if it was spread by infected files on disks or BBSes.
  • This is an unmistakable case of hypocrisy. Microsoft does sell this product with the knowledge that it could be used in a malicious way. What stops one from using it? Bloat, obviously. Microsoft has most likely bloated SMS to the point that it can only be used efficiently on an Enterprise size network - which is what most of these tools is meant for.

    Now, on the topic of my subject: What's in a name? SMS sounds official - and therefore (to the unknowing public) - it is. Now, think about the name "Back Orifice 2000". What does that say?

    To anyone who has heard of Back Office, it immediately strikes a fear in an IS person: Back Orifice!? Sounds like a virus already, doesn't it? The 2000 immediately says that this software is geared toward Windows 2000 and the like.

    Microsoft is using BO2K's name against it simply by including it in a sentence: "Back Orifice 2000 is a trojan horse."

    Regular people out there won't like to hear something called "Back Orifice" and most likely wouldn't use it just for the sake of the name. It's a shame that software's merits must be based upon names.

    Heck, next thing you know is that the Vatican will be denouncing the use of the GIMP because it has homosexual connotations.

  • Why? You just have to telnet (or better off, ssh) into the box you've got Samba running and manage it from the command line (or with ssh, using X11). Why port BO to Linux when it's locked up tighter than what Microsoft can do with Win-Anything at this time?



    ---
    Spammed? Click here [sputum.com] for free slack on how to fight it!
  • BO, even since the original release, has included the ability to change the port it operates on and to use a password to weakly encrypt all communcations. The only reason many BO and BO2K systems are open to anybody over the internet is because they use the default port (31337) and aren't configured to use a password.

    In my experience, a LOT of the BO infected machines (I haven't done any work with BO2K) are machines which have a c:\bo or c:\cdc directory, leading me to the conclusion that these are script kiddies who downloaded Back Orifice and then proceeded to run the executables that come with it before reading the textfile, installing the server on their own system in the process. They get what they deserve.
  • I don't know about your country, but here in Canada illegally obtained evidence is not as important as getting the person behind bars. I'm reminded of certain police officers who videotaped a drug deal in a hotel room illegally. The judge agreed it was illegal, but also agreed that putting drug dealers off the streets was more important than guarding their rights.

    Also, regardless of how you get it, if you have a warrant you're ok -- so I wouldn't be surprised to see BO[2k] being used by law enforcement agencies all over the place.

  • Well, the truth of it is that illegal evidence is not generally used, but it can be used if necessary. What generally happens is that the evidence is thrown out, but not the case - wheras in the states the entire case is thrown out the window.
  • Apple's network management tools do the piping mic input out thing, keystroke logging and the like. It's great if (like the admins at the high school where I worked w/ those Macs) you're trying to catch folks accessing porn.

    Tried uninstalling SMS lately without your admin's OK? If you're on a well-secured NT box (ha!) it's not that trivial.
  • There was a BugTraq issue a few weeks ago about the lame search path that is used by Windows NT. It searches $HOME before *anything* else and so all you really need to do is put explorer.exe on the home drive and put a bo2k thread in it (well, you get the point). This can all be done easily within Word macros.

    Actually, it searches . first. It's just that . is the same as %HOME% when you first log in. Let's please be acacurate when pointing out how insecure NT is... :)

  • To play devil's advocate here... how can you call it a real democracy if you're not free to remotely inspect and control the hardware you paid for, as legal owner or under legal authority of the corporation that owns those assets?

    Democracy, voting for government action, doesn't come into this. I would call such a country a "free state for employees but not property owners."
  • . . a project that a friend of mine was working on WAY before BO . . . and it basically did the same thing . . .

    True Dat on the "Ohhs and Ahhs" . . . Some hack for fortune, some hack for fame . . . some just want to rip off other ideas and claim them as their own by using the media . . .

    my 2 centavos
  • They aren't doing it to "beat" Microsoft. They are exploiting the security problems in the OS in an effort to get Microsoft to fix them. In this case the whole analogy goes out the window since they aren't out to kick the goats off the mountain. I dunno. This analogy didn't really work well for me. Basically I agree that Microsoft has long ignored their security problems and will not even admit to having them in most cases. Given that degree of denial, I don't see any other way this group of people could influence Microsoft to fix the problems.

  • and it's not hidden away surreptitiously like BO2k.

    Umm.. SMS can be hidden too. It's not hard.

    It consists of a lot more than just remote control

    Just because BO2K doesn't do everything that SMS does, it's not legit?

    You could, with effort, seperate the remote control component out and use it alone, I guess, but it would be difficult to use without the entire SMS infrastructure.

    What difference does it make. Microsoft could sell all the components together or separate. It wouldn't matter. The remote component obviously doesn't NEED an infrastructure to work properly, or BO2K wouldn't exist. It's just a matter of how they coded it. MS doesn't know how to make anything that works independently anymore. All products must be tied together.

    Again - the difference is obvious to any but the most hardened anti-MS nerd.

    Oooh... nice one. Back up flimsy argument with an ad-hominem for good measure. Maybe this'll scare you off:

    If you don't agree with me then you are obviously an MS apologist with less mental capacity than my cat.

  • Since the government/police/other agencies are going to use these methods to watch us anyway, maybe we should just make it all legal. They can try to watch us... we can try to watch them... and we can both use whatever technical means we have available to avoid being watched. What other solution is there that's even marginally fair given the information we have that says that the police aren't obeying the current laws anyway? Why have the laws restricting us then?

  • You can't TELL me you don't know how to spell 'ethics'. If you are a college graduate... good grief, I fear the implications.
  • Well, just so you all know, we don't live in a democracy. We live in a constitutional republic that follows some democratic tenets. People seem to confuse the two quite frequently.
  • I wonder if running 'netstat -a | more' under Windows would show the opened/listen port.
  • If you were from a foreign domain that was obviously from a non-English-speaking country, I'd buy this excuse. I don't think that 'wvsc.edu' falls under that particular area, however.

    Ethics is a major class in most colleges that I know of. I just find it quite amazing that someone who is (obviously) going to college wouldn't know that.

    I'm not a "newbee" (newbie), but thanks for playing anyway.

    I'm not that anally retentive. Or maybe I am. I've never bothered to check. :p

    And I'm glad you love me so much as to reply to me. If I'm just a "newbee flamer" who isn't worth your time... I'm just so glad you care so much! ;)
  • Okay, maybe my sarcasm was uncalled for. I just happen to think 'ethics' is a rather important word. (And one that certain businesses and gov't officials need to be reintroduced to.) Were it ANY other word, I mightn't have said anything about it.

    Also, some misspellings are simple finger missteps. I've had a few of those. But actually not knowing the spelling of that particular word strikes me as rather odd.

    I'm sorry for any hurt feelings, but that's just the way I see it.
  • at http://www.anonymizer.com

  • I find being able to kill the password protected screen saver with ctrl-alt-del very funny. It is very irresponsable of MS to lull the user into a sense of security like that. It's be like a Linux distro coming with a version of login that asks for a password but doesn't check it. That and the fact that Win'9x doesn't support meaningful file permissions makes it an insecure system.

    Granted, any system can be compromised with physical access, but most make it much harder to be discreet about it.

  • To be fair, nearly any system can be compromised by booting from a floppy. The solution s are the same in all cases, a boot password (make sure the BIOS doesn't have a backdoor (most did at one time, I don't know if they still do)), or remove the floppy drive.

    For higher security needs, encrypt the filesystem (on systems that support it).

  • I use XDM all the time. Add the following to passwd:
    xdm::0:0:XDM:/root:/usr/X11R6/bin/xdm
    Just type xdm at login: and it comes up.

    If you'd rather just start X, run it nohup, and log off of the console session.

    That way, if someone kills X, they get a login: only. If they just kill the session, they get xdm login. If you want a text vc, just switch and login. The minor inconvenience is just the cost of security.

    Don't forget to set a password on LILO so people can't just boot single. Set a configuration password in BIOS and disable booting from floppy and cdrom as well.

    If you do all of the above, you guarentee that the box will have to be opened to get in. If you set up an encrypted loop device as well, even ripping the drives out and putting them on another system won't expose your data.

  • This is an interesting idea, but does it not open a whole other box of security problems adding a second root user with no passwd? (especially with networked machine)

    It does require that XDM be looked at carefully. As long as XDM is secure, the extra entry is also secure since it will just run XDM and then log back out. PAM can be configured to only allow that login from the console. If the would be cracker tries to use a well timed ^c to interrupt XDM, they might possably succeed in running X without XDM, but that doesn't buy them anything.

    I consider that line a security enhancement because it reduces the chances of forgetfully leaving a VC logged in.

    I'm not sure what to do about the powermac situation. I suppose to be safe, you'd have to remove any drive that allows removable media to boot :-(. Poaasbly someone with more powermac experiance knows a better way.

    IMPORTANT note about PC BIOS passwords: At one time, a surprising number of them had hard coded back door passwords. Tech support would give those out to users who forgot their passwords rather than telling them they must clear their CMOS. Very dumb. I don't know if that is still done or not, only that MINE doesn't have one. Only a disassembler will tell you for sure.

    The jumper these pins to clear the BIOS isn't too bad, but drian the battery with a pair of jumpers and a resister to clear the BIOS is better.

  • BO2K doesn't require SQLServer 7.0 and NT 4.0 and all the little licenses that go with them, so it MUST be evil! ;^)
  • BO2K has functions they can pretty much only be used maliciously with are not contained in SMS. Examples, piping microphone input to a BO client, logging keystrokes, scanning for BO servers, etc. I don't know EVERYTHING SMS can do because, well, I try to avoid most Microsoft contact, but some of it is unavoidable in my job.
    SMS can scan (actually, just running the client gives the server lots of information). I'm not sure its logging functions but it also ties into network monitor (if it's installed). However, the keystroke logging is actually the most administratively beneficial component of BO2K. Being able to see just what the inputs were that caused the system to crash.... Think about it. It's also a feature enabled in some other remote admin tools. Furthermore, the microphone piping does require a mic attached to the system, yes? Also, BO hides itself by making it's executables and registry entries look like system files/keys, which makes it a pain should you decide it's time to uninstall.
    Look at Office 2000. The links it creates in your start menu aren't real shortcuts, they're like the control panel. I didn't discover this until I tried running EVWM which pulled the real name from the link rather than the short name.

    Most legit remote managment tools can be removed with a minimal effort.
    Um... Sure. Right. :)

    I'm not trying to defend MS here, but if cDc claims that BO2K is anything but a hacker tool, they're only kidding themselves.
    Just like Microsoft is kidding themselves saying SMS isn't a cracking tool.

    I want to see Gates eat a big steaming turd as much as the next guy, but I think cDc is going about it entirely the wrong way, and I think they're doomed to failure.
    Right. Sure you want Gates to "eat a big steaming turd." We believe you.

  • by bkosse ( 1219 ) on Friday July 23, 1999 @07:41AM (#1787681) Homepage

    GIF of how to turn off visibility. [webwizards.net] Notice how both permission required and visible signal are unchecked.

    All the warning you get. [webwizards.net] WUSER32 is the process (it's not visible under the Applications pane) that runs SMS.

    I don't know what SMS 2.0 behaves like as we aren't using it here yet.

  • Not if the user doesn't know SMS is there. Here's the "evil use of SMS" scenario: I'm a cracker wanting to take remote control of Joe User's computer. So I sneak into Joe's office when Joe isn't there and has forgotten to password-protect his screensaver, and I install SMS from the CD-ROM I always carry with me.

    • SMS displays an indication to the user that they are under remote control
    • SMS cannot be installed without access to SQL Server and the Domain Controller anyway. An administrator with these privileges would not need SMS!
    • SMS is a legitimate, supported product for remote installation and helpdesk functions. If you think remote access to a user workstation is a bad thing, best disable telnetd/sshd/rsh on your LAN now. Many Unix users like to criticise MS for lack of remote administration, SMS is Microsoft's answer. It can install a software package unattended and remotely - you can, for example, upgrade a thousand installations of Office to the latest version overnight, easy. You can audit machines and check whether your office in Malaysia needs more memory in their machines before deploying your latest application, all sorts of cool stuff like that. Warez k1dz hate SMS cos it finds their pirate software and the LAN admin busts them for it.
    • cDc are a self-proclaimed malicious hacker group, and released their product to other self-proclaimed hackers at a hacking event. SMS is sold to enterprise customers who legally own their own machines.
    (Yes, I'm an MCSE with SMS elective.)
  • No the point is that SMS is installed and authorized by the System adminstrators who have all legal rights to do so whereas the BO2K is not an administration tool and is installed without authorization.

    Six of one, a half-dozen of the other. BO2K can be installed and authorized by the system administrators. And SMS can be installed by unauthorized users if they have the appropriate permissions (I don't know NT very well, but surely the same permissions -- write access to the C: drive, for one -- would be required to install BO2K as to install SMS).

    Also SMS's remote control facility can be turned off by the user to prevent the admin from connecting.

    Not if the user doesn't know SMS is there. Here's the "evil use of SMS" scenario: I'm a cracker wanting to take remote control of Joe User's computer. So I sneak into Joe's office when Joe isn't there and has forgotten to password-protect his screensaver, and I install SMS from the CD-ROM I always carry with me. Or I find some excuse to be in Joe's office and I watch him type his password (you'd be surprised how slowly some people type their passwords in). Anyway, I get SMS installed and (posing as Joe, the user) check the "allow remote control" box and the "hide" box. Now Joe's computer has SMS installed on it and he doesn't know.

    Run through the scenario above, substituting BO2K for SMS. See? Not so different, are they? Both are remote-control-of-a-computer tools that don't always announce their presence. The only difference is that SMS costs quite a bit of money, while BO2K can be downloaded free of charge. Thus a lot more people will have access to a copy of BO2K than a copy of SMS.

    The point is that both SMS and BO2K can be installed by admins for legitimate purposes, or they can be installed secretly by crackers for security-breaking purposes. A rifle can be used for hunting, or it can be used to murder someone. Rifles aren't inherently evil (let's not start a gun-control flamewar here), but they can be used for evil purposes. Same principle with BO2K.
    -----

  • *sighs* I just wish that people would engage their brains before replying... :^)

    While it's true that most of the security "features" that Windoze has are not present in Linux, does not mean that a BO server couldn't be ported to Linux.

    BTW, older versions of BO command-line clients were available for Linux--is the same true now? I don't use BO because I don't care that much (don't use Windows; don't like harassing people.)
  • Funnily enough, the Microsoft BOB team went on to form Valve and create Half-Life...

    Yes, I was surprised too...

  • BO2K remains a monumental pain in the nuts for innocent Windows administrators.

    What makes you think this is the first program to do this. What CDC did *for* innocent Windows admins is shine a bright light on the problem.

    Do you really think CDC are the first to use a tool like this? Its's not. It is well known. The other tools that do this will not be found by a virus checker.

  • Or is there some technical reason to make BO2K a cracking tool and SMS not one?

    Actually, for all practical purposes, what makes SMS not a cracking tool is its cost and its bloat. The average script kiddie (obviously) could not afford a legit copy of SMS, and probably wouldn't be able to figure it out if he/she did have it. Ironically, what makes BO2k a "cracking tool" is its price and ease-of-use. I'm sure that if MS made SMS small, easy, and free, crackers would have a field-day with it, too.

  • Windows systems are all single user, and have adequate security for single user systems.

    The hell they do.
  • >Without my knowledge this would be a grave >ntrusion, certainly worth suing

    I am not sure if this applies outside of the US or not. No, it is not. The system is not yours it is the companies and they are free to do anything with it the like. They can monitor/log keystrokes, watch what you are doing, ANYTHING!
  • Arse! Don't know how that space in the URL got there. I didn't even notice it in the preview. Ho hum... The link itself works OK, just not the one you get to see!
  • Well, there's now an SMS client for Linux, too: http://www.entmag.com/dis playarticle.asp?ID=72199114226AM [entmag.com]

    My only experience of SMS was when we were evaluating Amdahl's awful A+EDM. SMS was slightly better, but both were hampered by NT's design flaws. In the end, we went for SMS for NT, and stuck with rdist for Unix. I haven't been able to check out their web site, to find exactly what features the Linux client has, but I'm betting it's run either as root, or with setuid root privileges, and I'll pretty much guarantee it'll be closed source, and users won't be able to fix the security holes that I'm sure it'll introduce...

  • Search freshmeat.net for it. It's called boclient.
    I use it to check my fakebo server.

    And why the port? Isn't ssh enough?
  • I would like to know if there are tools that allow me to discover if some BOFH is watching my NT box screen via some remote tool.

    Without my knowledge this would be a grave intrusion, certainly worth suing.

  • I can't believe people are just realizing this now... as soon as all the negative talk that came up about BO2K generated by M$, I was thinking "What about SMS?".

    I suspected that such stuff exists but was not aware of it being sold by Microsoft. So I am thankful to cDc, as they rose my awareness
    - Thanks, cow woreshippers!

    With the current video surveilance craze (nah, not only in Great Britain, here in Germany it started too) it is not a big surprise that they start to monitor your PC.

    Things to be watchful:

    • Did your boss donate a soundcard plus microphone to your work station?
    • What about that new web cam sitting on your monitor?

  • SMS 2.0 is not only a virus, it's a hellaciously virulent one. Like HP openview it does automatic network discovery, but unlike openview it uses the map it generates as the default list of clients that it will automatically install itself to.
    I was SMS administrator at an insurance company and tried testing it out (one server, 2 clients). It was physically connected to the rest of the network, but I denied it access to the production network by setting up a completely different subnet and not adding a route. Since SMS 1.2 couldn't find machines sometimes in its OWN subnet, I assumed I was safe. I turned on discovery (and *only* discovery) and let it run overnight. When I returned the next morning, users were complaining of crashes and odd messages. Not only had SMS 2 managed to find the production network (by trying every combination of IP addresses and thus circumventing the router) and install itself onto 700-odd machines, the client was unstable and was causing many of them to crash.
    Frantically I tried to undo what I had done. Chapter 13 or so of the Big Green SMS Beta Book titled "uninstalling clients" read simply: "this feature not yet implemented".
    So it was back to SMS 1.2. I wrote a very ugly script designed to clean out the registry (5000+ entries) and remove all the files, but like usual most clients had problems (like 2.0-induced crashes) that prevented the script from running. I ended up having to repair 300+ workstations by hand.

    Some of them are still broken actually...
  • Yes, the PC belongs to your company (usually), but it gives IS power to monitor more than just the PC's maintenance and welfare. It can read your email as you write it, and automatically extract filter and collate any document on your system. I wrote a SMS batch that scanned all txt and word documents for the word "handcuffs", and returned a copy of the document to the server with the PC owner's name attached. (to show my boss it could be done).

    There is also the issue that SMS has a tendency to install itself to the PC's of employees who dial in from home and run all administrative jobs on it as if it were corporate property. The SMS client(s) run as a domain administrator, so by logging in to the corporate domain you automatically give up all ability to stop SMS from doing its thing, short of powering off or disconnecting.

    This happens, BTW. Not hypothetical.
  • I was one of these IS people. Of COURSE it's a tool of control.

    I wouldn't be too concerned though. SMS collects a lot of information, but unless the admin knows *exactly* what he's looking for he won't find it. SMS is very difficult to administer well, it breaks frequently, it is easy to confuse, and it is VERY slow.

    If you want to hide something from SMS, get partition magic and change your partitioning slightly from week to week. Eventually SMS will fill up it's MS-SQL (slogan: "just like daddy's") database with 100-some entries on your machine and its contents and cease to be useful.

    Wow! Looks like you have 362 copies of Netscape installed!
  • If I work at a place that has SMS installed, how do I disable it (short of running Linux?)
  • Does SMS allow you to controll a PC over the internet? I'm not familiar with its features. If not then there is a HUGE difference between BO2K and SMS
    Gary
  • by Z0z ( 4050 )
    After thinking about my reply on yesterdays story of BO2K, I came to this conclusion:

    No, BO2K or any other remote admin tool do not expose any security flaws. Windows systems are all single user, and have adequate security for single user systems. (Granted of course, you don't have machines that need security running Windows 9x, since the level of security in Windows 9x is effectively NONE).

    However, single user machines have no business being attached to a network of any kind, and if you are fool hearty enough to trust sensitive data to a networked single user machine, god help you.


    P.S. Any misspellings or faults of grammar you think you detect are mearly transmition errors, and probably your fault anyway.
  • SMS allows an authorized person to control/observe your system.
    BO2K allows a script kiddie to control/observe your system.
    I think MS is right on this one.

    How many tool kits are out there to let you build trojan horse programs for SMS?

    CDC can play with words and semantics all they want. They created a hacking tool and thats that.


  • "Access this computer from the network" field to only include your local and domain accounts

    That only changes the Microsoft networking (ie, smb and others who use it's authentication like IIS/domain) and not any old port that is open on the machine.

    The wheel is turning but the hamster is dead.

  • Actually you can do a 'netstat -a' in Win9x prompt and show listening sockets.

    bo2k can be set up to run at different times of the day. Netstat won't help you out there unless you repeatedly run it.

    The wheel is turning but the hamster is dead.

  • For detection, Download and run the program WinTOP. This is the Windows equivalent of the Unix TOP program, which shows all processes listed in order of used processor time...It ought to be able to track the resources being used by BO2K.

    That won't work. If a "process" like bo2k is running as a thread under some other program (like EXPLORER.EXE, for example...) then it will not show up on any process task you care to use.

    For removal, you should be able to find BO2K's registry entry in RegEdit, under HKEY Local Machine>Software>Microsoft>Windows>Run or a similar directory either under windows her, or under the HKEY current user.

    That will catch the default install of bo2k, but that is not the only way it can function. There are several other attacks (like the one above coupled with the default search path of Windows NT which searches $HOME before anything else).

    The only reliable way of seeing if someone is monitoring you is to run a network snooper on some other machine on the same non-switched subnet as your machine. That only works if you can guarantee the security of the auditing machine (like turn off *all* network services on a Linux box and just have it snoop your NT machine's traffic). With that kind of setup you can see all the connections your machine is making and recieving.

    The wheel is turning but the hamster is dead.

  • by ink ( 4325 ) on Friday July 23, 1999 @08:33AM (#1787706) Homepage
    Actually, it can even hide itself without showing WUSER32 in the process list. It can run as a separate thread inside some other executable (welcome to the wonderful world of "I'm not a process I'm a thread").

    There was a BugTraq issue a few weeks ago about the lame search path that is used by Windows NT. It searches $HOME before *anything* else and so all you really need to do is put explorer.exe on the home drive and put a bo2k thread in it (well, you get the point). This can all be done easily within Word macros.

    Another thing that bugs me: A user can do this and under certain circumnstances the process is kept alive between logins. AND, as if that weren't enough: it registers itself as a startup program (all users have the ability to do this on a default NT install) and as soon as the Administrator logs in...

    Microsoft has a lot of work to do in order to make NT safe for multiple-user workstations.

    The wheel is turning but the hamster is dead.

  • All in all a relevant post, but I want to point out that IBM once shipped copies of OS/2 with a virus on the CD.

    This whole incident made us look a little TOO much like "professional" software developers for my taste.
  • A little clarification...

    Back Orifice, and Back Orifice 2000, can NOT attach to another executable fro a "stealthy" delivery on their own. In order to install an "out of the box" BO2K client, you have to click on the icon for the bo2k server, which then installs and begins running.

    A third party (Brian Enigma of netninja.com) has produced a series of plugins which allow this functionality, but they are neither developed nor endorsed by the Cult of the Dead Cow.
  • >1. It's called Back Orifice. "Yes sir, I'd like to submit an expense report for...umm... Back Orifice"

    A couple of points here: first of all, it's free, so it seems unlikely that anybody would have to submit an expense report for it, unless they really WERE doing something nefarious, like embezzling. Second, you can feel free to call it BO2K if it makes you feel better about using it to administer a network. From what we hear, that's what Pat Robertson called it, and if it's clean enough for him, I would imagine it's clean enough for anybody. We chose a name like Back Orifice partly because we believe that if you are developing free, useful software entirely as a hobby, and you know you're going to get blasted by critics no matter what you do then, well, you're allowed to have some fun once in a while.

    >2. The cDc claims that both that BO2K is a legitimate remote network administration tool, and that it is releasing BO2K to force Microsoft to plug (intrinsic design-related) security holes in NT. That's a contradiction. Imagine the press release for pcAnywhere 2000: "This version contains all kinds of all-new features, primarily designed to force Microsoft to plug security holes." And maybe Symantec will rename itself the Cult of the Norton Commander (cNc).

    While I do like the idea of Cult of the Norton Commander, I don't honestly see a contradiction. If you read our press releases and bo2k.com, you will hopefully see a slightly different take on things. We believe that an operating system should be robust and secure enough that a powerful and useful tool such as bo2k will not be an enormous security threat. Every feature of bo2k has administration uses, and the program itself is extremely efficient and modular, things that I've always been taught are a hallmark of good software design. However, because of this very effectiveness, the bloated hulk that is Windows is unprepared to deal with the control users have been given. We developed bo2k because people should have it, and because they shouldn't be scared of it; if they are, maybe that will make people think about the real issues involved.

    >BO2K has *only* a stealth mode, and stealth seems to have been a major design consideration. (Correct me if I'm wrong here, I didn't actually download it as I don't want to be sifting through my registry to get rid of it.)

    Okay, I'll correct you. You are 100% wrong about this. BO2K by default has stealth mode OFF, and will show up in the process list just like any other application. And as far as that crack about sorting through your registry to get rid of it, there is a function in the client - shutdown server - which can very easily be used to completely uninstall the server from the machine it is running on. No need to hunt through the registry or anything else.

    BO2K IS just a useful program for remote administration. The fact that it can be portrayed as anything else, by us or by anyone, is a sad comment on the current state of operating system and application security, at least as far as Microsoft operating systems are concerned.

    - Tweety Fish
  • Given what we have to say, I think a lot of people would suggest that not taking us seriously is done at your own peril.

    I am astonished at the number of people who claim to know our motives, age, and level of commitment to what we have to say through no more facts than what we choose to call ourselves.

    I can only pray that, should you get a life-threatening illness, the doctor who recommends the drugs that could save you doesn't have a silly name.
  • Before you talk with such certainty, check the urls supplied in our press release. There is, in fact, an option to install SMS silently, I believe it's install /i.

    As far as requiring Windows NT, a login to a domain controller, and a SQL server login... well, no, we don't require any of those, because we don't think that people should have to buy NT, a machine to act as PDC, OR SQL Server in order to effectively administer their network. We think it should be FREE.
  • Why run remote admin tools stealtily?

    Hmm... work situations come to mind.

    User is suspected of doing bad things with PC at work. Install BO and watch undetected what he/she is doing. Why undetected? Say user is pretty knowledgable about his work system, and has subverted previous attempts at this kind of thing...

    Granted, I don't want to work in a place like that. As far as network traffic goes, it is easy enough to monitor what people do via the net unobtrusively, so that doesn't really count...

    The "keyboard" watching stuff is pretty easy. Every keystroke in Windows generates a "message", that Windows then routes to the appropriate application. It is not too hard to watch this global message queue for keyboard messages. You can do it from Word, Access, Excel, VB or Powerpoint, in fact (it's a couple of API calls). It shouldn't be too hard, then, either, to write a little net app that blasts these messages to the net for clients to listen for...
  • I think the "client" is the software that "enables" the system to be managed by an SMS server.

  • Following the links of the cDc posting, to the 'interview' with Garms of MS, they classify any trojan as software that can damage the system in any way. The nature of trojans require some social engineering, of course, to install.

    By it's own definition, MS is guilty of the distribution of the largest trojan ever made.

    When was the last time you had Windows eat itself?
    Wipe a drive lately? Lose some documents?
  • here in Canada illegally obtained evidence is not as important as getting the person behind bars

    This was the case in America for a long time...completely making the 4th amendment (against unreasonable search and seizure) worthless. The cops could kick down your door, and if they found something illegal all they would get would be a "bad cop" slap on the wrist.

    Today, if evidence is obtained illegally, it must be thrown out.

    Of course, there are exceptions. If the police officers were "acting in good faith", they get to use whatever they found.

    -Richard.

    Disclaimer: I am not a lawyer and all that.
  • I've heard that the only sane way to
    install MS Word in a networked environment
    is to use SMS, and that this is achieved
    with secret API calls. Can anyone confirm
    this?
  • Yes - that's why I was asking!
  • Well...

    If your NT orkstation is attached to a domain, then domain admins can still play with your services. And your "admins" need to have their heads smacked for not having NTFS and leaving things like the sms.ini file open for putzs (putzes?) to play with.
  • *cough*

    echo if exist c:\sms.flg goto alreadydone >> login.bat
    echo net start service \"SMS Client\" >> login.bat
    echo copy c:\boot.ini c:\sms.flg >> login.bat
    echo :alreadydone >> login.bat

    Ah, that brings back memories of netware login scripts...
  • Ahhh I must say Veggie must have had some fine corn whiskey this last weekend to have such a brilliant stroke of vision.

    My shower curtain is proud to be "Owned by the cDc".

    ---
    Openstep/NeXTSTEP/Solaris/FreeBSD/Linux/ultrix/OSF /...
  • There are several methods of removing Bo, NetBus, etc, but nothing yet for BO2K as far as I know, nothing for SMS either. I believe if in the permissions in User Manager on your box, if you have local admin rights, you change the "Access this computer from the network" field to only include your local and domain accounts, that'll keep the weenies out, but any NT admin who has the smallest clue can change it back on you via remote registry changes or SMC.

  • by forkboy ( 8644 ) on Friday July 23, 1999 @07:40AM (#1787722) Homepage
    Yes, both can be used as remote administration tools, but there are a few primary differences. BO2K has functions they can pretty much only be used maliciously with are not contained in SMS. Examples, piping microphone input to a BO client, logging keystrokes, scanning for BO servers, etc. I don't know EVERYTHING SMS can do because, well, I try to avoid most Microsoft contact, but some of it is unavoidable in my job. Also, BO hides itself by making it's executables and registry entries look like system files/keys, which makes it a pain should you decide it's time to uninstall. Most legit remote managment tools can be removed with a minimal effort.

    I'm not trying to defend MS here, but if cDc claims that BO2K is anything but a hacker tool, they're only kidding themselves. I want to see Gates eat a big steaming turd as much as the next guy, but I think cDc is going about it entirely the wrong way, and I think they're doomed to failure.


    Wow, did I just play devil's advocate for M$? What IS this world coming to?

  • It would probably cause an access violation. I don't believe Bill has discovered pipes yet.
  • by chromatic ( 9471 ) on Friday July 23, 1999 @09:26AM (#1787727) Homepage

    I believe all that command does is actually execute OUTLOOK.EXE.

    --
    QDMerge [rmci.net] -- data + templates = documents.
  • I wonder how many law enforvement agencies use Back Orifice to assist them in their investigations...
    -- ----------------------------------------------
    Vive le logiciel... Libre!!!
  • by Knight ( 10458 ) on Friday July 23, 1999 @07:25AM (#1787734)
    Microsoft needs to take a true stand on the issue. Either hidden remote control software is malicious or it is not. If they claim BO2K is malicious, they need to pull SMS from the shelves, because their functionality is nearly identical. I don't think it really matters what a person thinks of cDc, or what they are doing. It's a simple matter of blatant hypocrisy, and, in my opinion, they are breaking the law by slandering a competing product. If cDc had the money, they could probably win a lawsuit.
    ---------------------------------------- ---------------
    If you need to point-and-click to administer a machine,
  • Like most people, I laughed. I even downloaded the word document (I'll be sure to scan it before using it).
    This does show Microsoft to be hypocrites, but that's hardly news to anyone.
    One thing to remember, though, is that this doesn't make CDC angels.
    BO2K is, to all intents and purposes, a cracker tool. It has valid uses, but the vast majority of people who download it are not sysadmins. BO2K remains a monumental pain in the nuts for innocent Windows administrators.
    I'm not against CDC or BO2K; that doesn't mean we should paint CDC as saints.
  • The reason its not considered a remote admin tool is not the fact thats its "stealthy" but has the ability to do serious damage to an endusers computer.

    Ever hear of file sharing? Windows NT will let you share all the drives and files on a system. It's not stealthy, since you get this little hand holding the object that's shared.

    So, is file sharing a hacking tool? I could secretly go to your computer and share everything on it, then go back to my computer and delete everything on your computer, or change it slightly, or just watch how it changes over time.
  • I know this because I worked on the SMS team for 3.5 years from well before 1.0 shipped to a year before 2.0 shipped. They were very concerned about admins using the software to do things the user did not want them to do.

    If what you say is true, then the SMS team is TRULY one messed up group. The WHOLE POINT of being a sysadmin is that I am responsible for the network. It goes down, I get nailed. It stays up 24/7/52, I get a nice bonus. My job - my paycheck - my ability to feed my family depends on my control of the network . If SMS were TRULY an admin tool, its programmers would be concerned not with users, but that maybe I can't do everything I want to on my network. They'd put a menu option somewhere labeled "Wipe MBR of and reboot remote system NOW!"

    Real power tools don't have blade guards and safety locks. They assume that trained professionals will use them and will be responsible for their use. A chainsaw can be used to murder people, but that doesn't make lumberjacks murderers. Unless you're a tree-hugger :)
  • ...Outlook can't crash NT...
    It's funny because it's true. Ahahaha.

    [Actually Outlook CAN crash NT. But it's funny because most MS nerds THINK it's true!]

    P.S. Outlook can't crash NT the same way that a cat can't crash your car. Put a cat into a box to take it to the vet to be neutered and then don't tape the lid down and drive down the road at 55 mph and tell me Outlook can't crash NT.
  • yeah - that's like ignoring cancer until it goes away - it happens eventually - you die...
  • OK, kid, before you get too carried away with your own brilliance, tell me why practical geneticists - the people who develop new breeds of animals and new varieties of plants - cross offspring with parents and with each other when trying to get a trait to breed true. I took the original poster to mean "They are increasing one trait, but they are doing it through inbreeding, so eventuallky they will be a bunch of musclebound hemophiliac morons".
  • Obviously I wasn't clear. In replying to the previous poster, I simply meant to point out an error in the previous poster's logic, who said something to the effect that BO2K is inherently bad because it lets you damage a computer. My point was that file sharing also lets you damage a computer. BO2K is just a tool. A powerful, potentially dangerous tool, one that can be used for illegal and unethical purposes, but still a tool.

    The simple act of sitting at someone else's computer and deleting a file without permission is potentially a crime and could certainly subject you to civil penalties.
  • I have used SMS for a corporation before-They pushed the install to all the machines, and yes they could control the machines with/without the users knowledge...BUT, one thing we always had to do was call the person up to have them manually activate all the services the first time (after that it saved the config)...I'm not really sure how this can be compared as the same thing. Also, the SMS software had to be installed, and without admin access to the domain-there was no way to do this unless we wanted to step around to each of the 750 machines on the network....So yes, SMS and BO2K do have similiar working features...with the exeption of how they are implemented (and in my book that is a big exception)...
  • >>Also, BO hides itself by making it's executables and registry entries look like system files/keys, which makes it a pain should you decide it's time to uninstall. Most legit remote managment tools can be removed with a minimal effort.


    Actually, there is a fairly easy way to remove the registry entries w/ bo2k. It's an option when you disconnect from the server, to delete the installation. The bo2k site is very informative, you might actually look at the product before you start making comments on it.

  • Thats evidently the way our company thinks also. We need to spend $1500 and 3 weeks per license for compilers because we are not allowed to download free compilers from the 'net.

    If its free, it can't nearly be as good as something you could pay copious amounts of $$$ for. Productivity be damned, we want to waste money.

    If the company managers/CEOs/and government officials were in charge from the beginning, I'm surprised we ever climbed down from that first tree.

  • I started with Office 95 and wasn't noticed until last year.

    Damn thats impressive, I think the cDc needs to look into hooking up with you, definate asset!

    (note: this was intended simply as satire, not meant to insult HiThere, or any or persons dead or alive, except your mom)
  • A couple of reasons why BO2K is NOT a legitimate remote network administration tool.

    1. It's called Back Orifice. "Yes sir, I'd like to submit an expense report for...umm... Back Orifice"

    2. The cDc claims that both that BO2K is a legitimate remote network administration tool, and that it is releasing BO2K to force Microsoft to plug (intrinsic design-related) security holes in NT. That's a contradiction. Imagine the press release for pcAnywhere 2000: "This version contains all kinds of all-new features, primarily designed to force Microsoft to plug security holes." And maybe Symantec will rename itself the Cult of the Norton Commander (cNc).

    Also, it's quite obvious that use as a cracking tool was a consideration in the design of BO2K. While SMS and other remote administration systems do have "Stealth modes", BO2K has *only* a stealth mode, and stealth seems to have been a major design consideration. (Correct me if I'm wrong here, I didn't actually download it as I don't want to be sifting through my registry to get rid of it.)

    Still, it is NOT a trojan. Trojans don't have install programs. I think anti-virus programs scanning for it is a bit of a joke. For that matter, I think anti-virus programs should stick with viruses (which, of course, BO2K is not by definition) - the only true protection against trojans is to be careful what software you run.

    BO2K is certainly a useful program for remote administration. It's small, fast, etc. But claiming that it's just a useful little open source administration tool is engaging in a Microsoft-style bending of facts. For those of you who still claim this, think about who most of the future users of BO2K will be. Will they be script kiddies and people who just want to try it out, or will they be sysadmins of large networks? If it will very rarely be used to administer large networks ("Help Desk? I'm having trouble with Word." "OK, just let me Orifice into your system. Our custom BUTTplugs should help with this one") but rather used by the kind of people who haven't yet mastered the concept of digits being used in numbers and letters being used in words, and as such think that the program is l33t, then it isn't a legitimate remote administration tool.
  • No the point is that SMS is installed and authorized by the System adminstrators who have all legal rights to do so whereas the BO2K is not an administration tool and is installed without authorization.

    Wow. Thats some crystal ball you have there.

    What keeps SMS from being installed covertly? And what keeps anyone from using BO2K as you claim SMS is intended to be used for? I can think of several benefits, the primary one being that while SMS is commercial, closed source software, BO2K is free and open! Modify it the way you want, use it the way you want.

    To say that nobody will use BO2K for legitimate things is silly. To say that nobody has ever used SMS for nefarious purposes is equally silly. To claim that you know exactly who, when, and how an admin will use a piece of software is just downright foolhardy. I can definately see small companies on tight budgets who need remote Windoze administration capability taking advantage of a free program like BO2K.

    A question for you. You say that "BO2K is not an administration tool". Can you tell me precisely what aspect of its design precludes its use as an administration tool?
  • I was testing SMS on our NT box because we were contemplating utilizing it for administration. I installed the client on one box to see how it would be. Lo and behold.. the next day.. it had installed itself on ALL of our computers. It had gone in and made changes to my login.bat script own its own. This was TOTALLY not cool.
  • by blixco ( 28719 ) on Friday July 23, 1999 @07:34AM (#1787800) Homepage
    I actually got busted this morning for running NetBus on my system...NAV had picked it up and notified my admins, who use both SMS and PC Anywhere to "spy" on our systems. The really funny thing: as local administrator, I can uninstall NetBus Pro (actually has an uninstall routine) but I cannot uninstall SMS.

    Hrm. Wonder which one acts more like a virus.
  • We need only look to animals to understand this phenomenon. It is the ritualistic king of the hill. In terms of the analogy, let's go with billy goats. They wander in herds. And think of Microsoft as being a pack of unsavory billy goats, at the top of the mountain. They are big goats, and genetically they are becoming more and more superior (through inbreeding ...), and claiming more of the terrain around them.

    Nature provides two forces against these kings of the hill: better billygoats, who can sneak past the big buggers, and the slow grinding away of the hill upon which they sit, which is so difficult to climb because of a steep monopoly. These may be thought of as Linux and the erosion of the computer operating system monopoly mountain-peak. Together, the mountain is getting harder to defend against something like Linux, and the faster, nimbler billygoats are winning more of the battles for the hilltop.

    The inevitable conclusion is undetermined as of yet; the smaller, nimbler billygoats may yet force the hefty one off the top, the hefty kings of the hill may yet defend their mountain, or while the dual continues against each other, the mountain may just dissappear, and we all buy appliances.

    To make the analogy more fun, we must look at what happens to the hefty billygoats. They do not control one mountain; they have a say in several mountains -- from software through to webTV to all kinds of fertile grazing lands. These mountains do not all dissappear, and so the hefty billygoats, with their limited company immortality, can cling to many unconnected lands.

    One can see the faults in the billygoats at the top of the hillside, where they are forced to give way to things like Apache for MSN and HotMail. They are not superior. Just in greater numbers, and more aggressive. Outside of the analogy, one might think that the sun shines brighter on the Microsoft soil, because their lands are so fertile. It's more likely that it's fertilized with perfume-smelling dung to bring the birds and the bees. It's still dung, though, where it would not normally be fertile land.

    SMS vs BO2K arguments are one field on the mountain range that must be debated. BO2K does not possess the awe of the Open Source billygoats, but does have the potential to offset the balance in yet another area controlled by a bloated pack of oversized goats.

    Packs of animals are forced to maintain a certain size to compete. Microsoft is well beyond this size, and, outside the analogy, their interdependancy may be the end of them.

    The lesson? Polygomy and inbreeding will not necessarily lead to better goats.

  • I have a great idea. Since BO2K is open source, why not port it to Linux to run SMS capabilities from a Samba server? Sounds like a great project to me, if only I could program.....

    Wiggles (the pathetic Linux luser)
  • by AaronW ( 33736 ) on Friday July 23, 1999 @08:28AM (#1787819) Homepage
    BO2K may have legitimate uses, but it seems to be most widely used for breaking into other computers or causing trouble. I'm running a Perl script called booby (available at http://members.home.com/lazyx/booby [home.com]. This script simulates a BO infected system and logs all activity. BO seems to be a favorite for script kiddies. As a cable modem user I see a lot of BO activity. Here's some recent log entries (IP address and host name have been X-ed out):

    Jul 21 21:56:04: xxxxxxxxxx.xxxxxx.xx.wave.home.com(24.xxx.xxx.xx): 1641 >>proclist
    Jul 21 21:56:05: ...reply sent
    Jul 21 21:56:22: xxxxxxxxxx.xxxxxx.xx.wave.home.com(24.xxx.xxx.xx): 1641 >>lockup
    Jul 21 21:56:22: ...reply sent
    Jul 21 21:56:29: xxxxxxxxxx.xxxxxx.xx.wave.home.com(24.xxx.xxx.xx): 1641 >>info
    Jul 21 21:56:30: ...info sent
    Jul 21 21:56:39: xxxxxxxxxx.xxxxxx.xx.wave.home.com(24.xxx.xxx.xx): 1641 >>passes
    Jul 21 21:56:39: ...passwords sent
    Jul 21 21:57:00: xxxxxxxxxx.xxxxxx.xx.wave.home.com(24.xxx.xxx.xx): 1641 >>reboot
    Jul 21 21:57:00: ...reply sent
    Jul 21 21:57:07: xxxxxxxxxx.xxxxxx.xx.wave.home.com(24.xxx.xxx.xx): 1641 >>passes
    Jul 21 21:57:08: ...passwords sent
    Jul 21 21:57:11: xxxxxxxxxx.xxxxxx.xx.wave.home.com(24.xxx.xxx.xx): 1641 >>reboot
    Jul 21 21:57:12: ...reply sent
    Jul 21 21:57:28: xxxxxxxxxx.xxxxxx.xx.wave.home.com(24.xxx.xxx.xx): 1641 >>proclist
    Jul 21 21:57:29: ...reply sent
    Jul 21 21:57:38: xxxxxxxxxx.xxxxxx.xx.wave.home.com(24.xxx.xxx.xx): 1641 >>lockup
    Jul 21 21:57:38: ...reply sent
    Jul 21 21:57:42: xxxxxxxxxx.xxxxxx.xx.wave.home.com(24.xxx.xxx.xx): 1641 >>lockup
    Jul 21 21:57:42: ...reply sent
    Jul 21 21:57:43: xxxxxxxxxx.xxxxxx.xx.wave.home.com(24.xxx.xxx.xx): 1641 >>lockup
    Jul 21 21:57:43: ...reply sent
    Jul 21 21:57:46: xxxxxxxxxx.xxxxxx.xx.wave.home.com(24.xxx.xxx.xx): 1641 >>info
    Jul 21 21:57:47: ...info sent
    Jul 21 21:57:59: xxxxxxxxxx.xxxxxx.xx.wave.home.com(24.xxx.xxx.xx): 1641 >>proclist
    Jul 21 21:58:00: ...reply sent
    Jul 21 21:58:12: xxxxxxxxxx.xxxxxx.xx.wave.home.com(24.xxx.xxx.xx): 1641 >>prockill 4291797281
    Jul 21 21:58:13: ...reply sent
    Jul 21 21:58:16: xxxxxxxxxx.xxxxxx.xx.wave.home.com(24.xxx.xxx.xx): 1641 >>proclist 4291797281
    Jul 21 21:58:17: ...reply sent

    As you can see, no useful tool would have commands like "lockup". I have seen more malicious attempts than this as well, such as one person who often launches DOS ping attacks against other users from BO infected machines.

    As much as I hate Micro$loth, I must agree with them on this one. If there were a BO without all of the malicious features then perhapse it would be taken seriously, but with the stealth features and the crash features I think it's main purpose is fairly clear (at least to the script kiddies).

  • Umm... your comment assumes that you made the mistake of using Micros~1's I'll fated Domain setup. (it's going away when the vapour clears from Windows 2001's inActive Directory)

    Can't we all agree to us LDAP and get on with enterprise computing architecture? (forgot -- there's no MSLDAP, Visual LDAP, or DirectLDAP-DNS-for-datacenters yet ;)

    Oh, by the way, what about VNC? If an email attachment started a VNC server and set the password, would that make vnc a virus?

    I couldn't live without VNC to tame Windows boxes. If anti-virus software started uninstalling VNC, I'd find new anti-virus software.

    What if vnc development forked and one branch was driven by some teenagers who were branded as hackers? Does vnc become a bad tool?
  • You have a couple options that would work with the original Back Orifice, and ought to work with BO2K...

    For detection, Download and run the program WinTOP. This is the Windows equivalent of the Unix TOP program, which shows all processes listed in order of used processor time...It ought to be able to track the resources being used by BO2K.

    For removal, you should be able to find BO2K's registry entry in RegEdit, under HKEY Local Machine>Software>Microsoft>Windows>Run or a similar directory either under windows her, or under the HKEY current user.

    Anyone who knows differently, please post a correction.

    Email: MattTC(at)Yahoo(dot)com
  • On my NT Workstation box, I can see SMS client - the prcess has SMSAPM32.exe and smss.exe listed, as well as a Systems Management icon under Control Panel. However, this visibility is probably due to my adminstrator access, both locally, and in the domain.

    One interesting thing to note about SMS, though - we applied SP 1 to it, and a previously unknown bug appeared (something to do with a certain configuration), where the client began to cause errors on seemingly random machines.

    We're now in the process of removing the client.

    Ahh, how I love Open Source...


    PinkFreud
  • Either Microsoft has to admit that they have the same program and recall it...or anti-virus software has to scan for it...if either of the 2 happen people are going to be laughing for days....

    But Microsoft will probably ignore the problem until it goes away
  • This is obviously just a ploy by cDc to legitimize a trojan horse app, that in 99% of all cases will be used to break into an unsuspecting user's machine.

    I have been involved in dozens of SMS rollouts. SMS is a network analysis tool, that has the capability to remote control client workstations on the network.

    In order for SMS to do this, you must install the SMS Client on a machine in the same Windows NT domain. This installation process will *not* run in the background, and will pop up several boxes to the user. Once the client is installed, the client configuration app must be opened, and the machine must be set to allow remote control. You also have the option of a dialog box show up informing you that someone is connected.

    Along with these settings, every user that logs on to a network that is SMS aware, knows that the client is installed, because it pops and SMS configuration dialog box during every logon.

    This remote control feature of SMS is used primarily for network admins that need to remote control servers than client desktops. In fact, out of all the installations I have done, the only machines that have this option turned on are the servers.

    BTW, the SMS Admin tool that allows you to connect to the clients requires Windows NT, a valid logon to the Windows NT Domain that you want to administer, and a SQL server logon with appropriate rights to administer SMS.

    How many checks like this does BO2K do?

    Regards,
    eg

Doubt is not a pleasant condition, but certainty is absurd. - Voltaire

Working...