Overview |
|
Vendor Notes: |
which allows the client software to monitor, administer, and perform other network and multimedia actions on the machine running the server. To communicate with the server, either the text-based or GUI client can be run on any Microsoft Windows machine.

To install the server, the server executable simply needs to be executed. When the server executable is run, it installs itself and then deletes itself. This is useful for network environments where the server can be installed on a machine simply by copying the server executable into the Startup directory, where it will be installed, then removed. Once the server is installed on a machine, it will be started every time the machine boots. To upgrade a running copy of Back Orifice remotely, simply upload the new version of the server to the remote host, and use the Process spawn command to execute it. When run, the server will automatically kill any programs running as the file it intends to install itself as, install itself over the old version, run itself from its installed position, and delete the updated exe you just ran.

Before installation, several aspects of the server can be configured. The filename that Back Orifice installs itself as, the port the server listens on, and the password used for encryption can all be configured using the boconf.exe utility. If the server is not configured, it defaults to listening on port 31337, using no password for encryption (packets are still encrypted), and installing itself as " .exe" (space dot exe).

The client communicates with the server via encrypted UDP packets. For successful communication, the client needs to send to the same port the server is listening on, and the client password must match the encryption password the server was configured with. The port the client sends its packets from can be set using the -p option with both the GUI and text clients. If packets are being filtered or a firewall is in place, it may be necessary to send from a specific port that will not be filtered or blocked. Since UDP communication is connectionless, the packets might be blocked either on their way to the server or the return packets might be blocked on their way back to the client.

Actions are performed on the server by sending commands from the client to a specific IP address. If the server machine is not on a static address, it can be located by using the sweep or sweeplist commands from the text client, or from the GUI client using the "Ping..." dialog or by putting in a target IP of "1.2.3.*". If sweeping a list of subnets, when a server machine responds the client will look in the same directory as the subnet list and will display the first line of the first file it finds with the filename of the subnet.

The commands currently implemented in Back Orifice are listed below. Some of the command names differ between the GUI and text clients, but the syntax is the same for almost all commands. More information for any of the commands can be displayed in the text client by typing 'help command'. The GUI sets the label of the two parameter fields to a description of the arguments each command accepts when that command is selected from the 'Command' list. If a piece of required information was not supplied with the command, the error 'Missing data' will be returned by the server. The functions of this trojan are:
|
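The vendor notes above describe the protocol only as "encrypted UDP" on port 31337 with an optional password. What that means for a defender is shown by the following added example, which is not part of the original page and not the cDc's own code. It follows the Back Orifice 1.20 wire format as Snort's Back Orifice preprocessor reads it: every packet begins with the plaintext magic cookie "*!*QWTY?", followed by a 4-byte little-endian length, a 4-byte packet id, a 1-byte type, the command body and a trailing checksum byte, and the whole packet is XORed with a keystream taken from the Microsoft C rand() generator (the LCG state*214013+2531011) seeded with a 16-bit key; with no password configured the key is 31337. Because the key space is only 16 bits, a sniffer can recover the key of any captured packet by trying all 65536 seeds against the first eight bytes, which is what the code does, and can then tell whether a server was left on the default (empty) password. The password-to-key derivation and the checksum algorithm are not reproduced; the sample packets are constructed inside the script, and the function names are this example's own.

```python
"""Recover the Back Orifice 1.20 cipher key from a UDP payload and decode the header.

Added example: wire format as read by Snort's Back Orifice preprocessor
(magic "*!*QWTY?", MSVC rand() LCG keystream, 16-bit key, default 31337).
"""
import struct

BO_MAGIC = b"*!*QWTY?"      # plaintext prefix of every BO 1.20 packet
BO_DEFAULT_KEY = 31337      # key in effect when no password was configured
BO_MIN_SIZE = 18            # magic(8) + length(4) + id(4) + type(1) + checksum(1)


def bo_keystream(key: int, length: int) -> bytes:
    """Keystream: low byte of successive MSVC rand() outputs seeded with key.

    rand() is state = state*214013 + 2531011 (mod 2**32), output (state >> 16) & 0x7fff;
    BO XORs each packet byte with output % 256, i.e. bits 16..23 of the state.
    """
    state = key & 0xFFFFFFFF
    out = bytearray()
    for _ in range(length):
        state = (state * 214013 + 2531011) & 0xFFFFFFFF
        out.append((state >> 16) & 0xFF)
    return bytes(out)


def bo_crypt(data: bytes, key: int) -> bytes:
    """XOR with the keystream; the same call encrypts and decrypts."""
    return bytes(b ^ k for b, k in zip(data, bo_keystream(key, len(data))))


def build_bo_packet(key: int, packet_id: int, ptype: int, body: bytes) -> bytes:
    """Construct a BO 1.20 style packet for testing.

    The length field carries the whole packet size and the checksum byte is
    left as 0 (its algorithm is not reproduced in this example).
    """
    total = BO_MIN_SIZE + len(body)
    plain = BO_MAGIC + struct.pack("<II", total, packet_id) + bytes([ptype]) + body + b"\x00"
    return bo_crypt(plain, key)


def recover_bo_key(payload: bytes):
    """Return the 16-bit key under which the first 8 bytes decrypt to the magic, or None.

    Tries all 65536 seeds; almost every wrong seed fails on the first byte, so
    the search is cheap enough to run per packet in a sniffer.
    """
    if len(payload) < BO_MIN_SIZE:
        return None
    head = payload[:len(BO_MAGIC)]
    for key in range(1 << 16):
        state = key
        for i, magic_byte in enumerate(BO_MAGIC):
            state = (state * 214013 + 2531011) & 0xFFFFFFFF
            if (head[i] ^ ((state >> 16) & 0xFF)) != magic_byte:
                break
        else:
            return key
    return None


def parse_bo_packet(payload: bytes, key: int) -> dict:
    """Decrypt with a recovered key and split out the header fields."""
    plain = bo_crypt(payload, key)
    if plain[:len(BO_MAGIC)] != BO_MAGIC:
        raise ValueError("not a Back Orifice packet under this key")
    length, packet_id = struct.unpack_from("<II", plain, len(BO_MAGIC))
    return {
        "length": length,
        "id": packet_id,
        "type": plain[16],
        "body": plain[17:-1],            # last byte is the checksum, not validated here
        "default_password": key == BO_DEFAULT_KEY,
    }


if __name__ == "__main__":
    # Constructed samples: one server left on the defaults, one with a custom key.
    for pkt in (build_bo_packet(BO_DEFAULT_KEY, 1, 0x01, b""),
                build_bo_packet(0xBEEF, 42, 0x01, b"ping")):
        key = recover_bo_key(pkt)
        print(hex(key), parse_bo_packet(pkt, key))
```

Run it on a captured UDP payload instead of the constructed ones and `recover_bo_key` either returns the server's key (31337 flags a default-password install) or `None` for non-BO traffic; a match on the magic cookie alone is the detection, the parsed fields are only for triage.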
Alias: |
Back_Orifice.2000 trojan [Eset], Backdoor.BO.a, Backdoor.BO.a2, Backdoor.BO.a2 [Kaspersky], Backdoor.BO2K.11.a [Kaspersky], Backdoor.BO2K.13.d, Backdoor.BO2K.b, Backdoor.BO2K.cfg, Backdoor.BO2K.client, Backdoor.BO2K.config [Kaspersky], Backdoor.BO2K.plugin.Hijack, Backdoor.BO2K.server [Kaspersky], Backdoor.BO2K.workspace [Kaspersky], Backdoor/BO2K!Server [Computer Associates], Backdoor/BO2K.11.Server [Computer Associates], BackOrifice, Bck/BO2K.Srv.A [Panda], BO, BO2K/Config.srv [Panda], BO2K/Workspace [Panda], Orifice2K [McAfee], security risk or a "backdoor" program [F-Prot], Trojan, W32/Bo2K.139264 [F-Prot], Win32.BackOrifice2000.10 [Computer Associates], Win32.BO2K.server.11 [Computer Associates], Win32/BO.C trojan [Eset], Win32/BO2K.11 trojan [Eset], Win32/BO2K.Config trojan [Eset], Win32/BO2K.Workspace trojan [Eset] |
Category: |
RAT: A Remote Administration Tool, or RAT, is a Trojan that, when run, provides an attacker with the capability of remotely controlling a machine via a "client" on the attacker's machine and a "server" on the victim's machine. Examples include Back Orifice, NetBus, SubSeven, and Hack'a'tack. What happens when a server is installed on a victim's machine depends on the capabilities of the trojan, the interests of the attacker, and whether or not control of the server is ever gained by another attacker, who might have entirely different interests. Infections by remote administration Trojans on Windows machines are becoming as frequent as viruses. One common vector is File and Print Sharing, when home users inadvertently open up their system to the rest of the world. If an attacker has write access to the hard drive, he or she can place the trojan in the Startup folder; it will then run the next time the user logs in. Another common vector is simply e-mailing the trojan to the user along with a social-engineering pretext that convinces the user to run it against their better judgment.

Backdoor: A secret or undocumented means of getting into a computer system, or software that uses such a means to penetrate a system. Some software has a backdoor placed by the programmer to allow them to gain access to troubleshoot or change the program. Software that is classified as a "backdoor" is designed to exploit a vulnerability in a system and open it to future access by an attacker.

Trojan: Any program with a hidden intent. Trojans are one of the leading causes of break-ins. If you pull down a program from a chat room, a newsgroup, or unsolicited e-mail, the program may well be trojaned with some subversive purpose. The word Trojan can be used as a verb: to trojan a program is to add subversive functionality to an existing program. For example, a trojaned login program might be programmed to accept a certain password for any user's account, which the hacker can use to log back into the system at any time. Rootkits often contain a suite of such trojaned programs. |
Variants: |
|
Similar Pests: |
RAT · Backdoor · Trojan |
Origins |
|
Group: |
Cult of the Dead Cow |
Vendor: |
Cult of the Dead Cow Communications. Various support tools have other authors, such as BeeOne, Daniel Roethlisberger, J.C. Febrero, etc. Original BO Unix client: OMEGA |
By This Group: |
|
Programming Language: |
C++ |
Date of Origin: |
Variants from July, 1995 to July, 2004 |
Distribution |
|
Prevalence: |
|
Clot Factor: |
The "Clot Factor" is a measure of how much a pest "gums up" a machine by adding registry entries, files, and directories. As more objects are placed in a machine, manual removal becomes more difficult and more error-prone. |
Growth: |
|
Operation |
|
Platform: |
Windows 9x. |
Default Port: |
31337 |
Storage Required: |
|
ScreenShot: |
Back Orifice 1.20 patched · BO 1.20 Russian · Back Orifice 2000 · BO Client by BeeOne · BO Client 1.3 Beta 3 by BeeOne · BO Client 1.41 by BeeOne · BoFacil 1.2 BO Client |
Risks |
|
Detection Issues: |
Difficult to detect by design. May hide from process list. May install with variable names in variable locations. |
Detection and Removal |
|
Automatic Removal: |
|
Research |
|
More Info: |
|
Research By: |
|
Last Revised: |
April 25, 2005 |