cDc Responds to Questions About Back Orifice
MEDIA RESPONSE, 7/29/98, www.cultdeadcow.com

With regard to Slashdot's 7/28/98 article about cDc's Back Orifice application (http://www.slashdot.org/articles/980728/1320244.shtml):
- "... read about some interesting software that allows you to remotely, well, administer Windows boxes. The sad part is Microsoft will probably divert this as nothing more than a trivial attack and then throw the technology into a subsequent release of the product. But it is this sort of thing we need to keep Microsoft on their toes. Excuse the bad Latin (again), but Carpete Diem!"

- "Update: Is this a hoax? It sure looks suspicious. You do need to run a client program, so it doesn't seem that evil, unless munchkins can sneak into your office under cover of darkness and add it to your startup group..."
THE CULT OF THE DEAD COW was very interested to read yesterday's feedback on Slashdot regarding cDc's imminent release of BACK ORIFICE. We believe such a tool has been eagerly awaited by the user community and judging from the positive responses, it appears we're right.
We would, however, like to correct a few errors reported about Back Orifice and answer a few questions.
cDc? DON'T THEY PUBLISH TEXT FILES?
cDc enjoys publishing text files, but there's much more to the CULT OF THE DEAD COW than that. Have you read what we've been up to in China, for instance? Check out cDc #356, or our Media List.
IS BACK ORIFICE A HOAX?
The name is "Back Orifice", not "Back Office"; "Back Office" is, as you know, trademarked Microsoft. And yes, Back Orifice is real.
We will be demonstrating it at Defcon 6 in Las Vegas the weekend of August first, so if you're there, you'll see it with your own eyes. Depending on how quickly we recover from hangovers, gambling debts, debauchery and Microsoft intrigues, it should be available for download from
on Monday, August 3 or thereabouts.
IS IT A TROJAN HORSE?
"Let me get this straight -- if I install this Trojan cum virus on my Windows 95 or 98 system, I'm toast? What a revelation. Major security hole." -- Paul Leach, Microsoft. source: NTBugTraq
We prefer to call Back Orifice a "remote administration tool." I suppose in the most general sense, someone might call Back Orifice a "Trojan Horse," but that would be a gross over-simplification and inaccurate. Trojan Horses generally have very specific, pre-programmed goals -- usually destructive. Unlike most Trojan Horses, there is nothing inherently destructive about Back Orifice. Nelson Minar's observation that Back Orifice _resembles_ a "root-kit for Windows" would be more accurate.
Back Orifice doesn't need to be installed on the end-user's machine _by_ the end-user, contrary to what Paul Leach thinks. (Nor is his judgement about Back Orifice especially useful.)
The security holes in Windows already exist. Sir Dystic points out a few of the holes in the OS in cDc #338. Dildog demonstrates in cDc #351, "The Tao of Windows Buffer Overflow", a stereotypical security hole in a Microsoft application. In fact, borrowing the words of a well-known security expert, cDc #351 could be subtitled, "If I install a Microsoft application on my Windows 95 or 98 system, I'm toast? What a revelation."
In his file, Dildog posits a situation where one might get an e-mail with a Microsoft NetMeeting 'SpeedDial' CNF file attachment. The e-mail says, "My girlfriend and I want you to watch us fuck while you spank it! Call us soon, we're horny!" Launching the NetMeeting attachment could trigger a buffer overflow exploit which could be used to install a Trojan Horse (or anything else!) onto your system.
Zero, one of Slashdot's readers, was more succinct:
- "As for getting it [Back Orifice] to install, I could go through quite an extensive list on possible ways to get it installed. Future discovered bugs will open new ways to insert this application. The program itself isn't an exploit."
OTHER QUESTIONS?
A few questions voiced by Slashdot readers in the message forum:
Q: Tril wants to know: what happens if you try to install Back Orifice on a system that already has it?
A: As it happens, multiple instances of Back Orifice can be installed on a system and be running concurrently, each listening on different (user-configurable) ports.
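Because each instance listens on a port the installer chooses, no single port number identifies it. The practical check on the defender's side is to audit every listening socket against what the machine is supposed to expose. The script below is an added example, not cDc's or Slashdot's code: it parses text in the layout of Windows `netstat -an` output, treats every LISTENING TCP socket and every bound UDP socket as a listener, and reports those not on a hypothetical per-host allowlist. The netstat lines and the allowlist are constructed for the demonstration.

```python
"""Report listening sockets that are not on an approved allowlist.

Added example (not cDc's or Slashdot's code). Parses the column layout of
Windows ``netstat -an``; the sample below is constructed, not captured.
"""
import re

# Constructed sample in the layout of `netstat -an` (not from a real host).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:139            0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1041      10.0.0.5:80            ESTABLISHED
  UDP    0.0.0.0:137            *:*
  UDP    0.0.0.0:40001          *:*
  UDP    0.0.0.0:40002          *:*
"""

# Hypothetical allowlist for this example: the (proto, port) pairs an
# administrator expects a workstation to expose. Anything else is reported.
EXPECTED_LISTENERS = {("TCP", 135), ("TCP", 139), ("UDP", 137)}

# proto, local address, local port, foreign address, optional state column
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$")


def parse_listeners(netstat_output):
    """Return (proto, local_ip, port) for every listening socket.

    TCP sockets count only in LISTENING state. Every bound UDP socket is
    treated as a listener because UDP carries no connection state.
    """
    listeners = []
    for line in netstat_output.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header, blank line, or a column layout we don't parse
        proto, ip, port, _remote, state = m.groups()
        if proto == "TCP" and state != "LISTENING":
            continue
        listeners.append((proto, ip, int(port)))
    return listeners


def unexpected_listeners(netstat_output, expected=EXPECTED_LISTENERS):
    """Return listeners whose (proto, port) pair is not in the allowlist."""
    return [entry for entry in parse_listeners(netstat_output)
            if (entry[0], entry[2]) not in expected]


if __name__ == "__main__":
    for proto, ip, port in unexpected_listeners(SAMPLE_NETSTAT):
        print(f"unexpected listener: {proto} {ip}:{port}")
```

Feed it real output by piping `netstat -an` into the script in place of `SAMPLE_NETSTAT`; the allowlist is the part that has to be maintained per host, since a listener that is "unexpected" is only a lead for investigation, not proof of anything by itself.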
Q: Bill McCarthy asks: what good would something like BO be in light of well-placed firewall security measures? Is BO something that can pierce firewalls once installed?
A: Depends on how well-placed the security measures are and what they are. Generally, firewalls are more permissive about outbound connections than they are about inbound connections. So it is possible to operate BO across a firewall (depending on the circumstances) and it is also possible to install BO across a firewall (depending on the circumstances). But BO in itself isn't designed with firewall intrusion in mind.
Q: Kent Wang heard that SMS will do the same thing [systems management]. What's the diff?
A: SMS has more (and different) features and whether it actually works as advertised is arguable. BO is free; is only about 120 Kbytes in size; and it works. You can also write your own custom plug-ins for BO: its architecture is easily extensible.
For further details or lucrative film offers, please contact:
The Deth Vegetable
Minister of Propaganda
CULT OF THE DEAD COW
veggie@cultdeadcow.com
.......................................................................
The CULT OF THE DEAD COW (cDc) is the most influential group of hackers in the world. Formed in 1984, the cDc has done everything from publishing the longest-running e-zine on the Internet to diddling military networks around the globe. We could go on, but who's got the time? Journalists can check out the Medialist link on our Web site for more background information. Cheerio. "cDc. It's alla'bout style, jackass."