Sunday, 3 February 2013

Back Orifice

History

Back Orifice, written by Sir Dystic of the Cult of the Dead Cow for
release at DefCon VI in 1998, is an example of a software Trojan. Once a
user has run a program with the Back Orifice Trojan attached, their
Windows 95 or 98 machine runs a BO server and is subject to remote
monitoring and control by anyone who connects to it with a BO client. At
DefCon VII in 1999, cDc released an updated version of the Trojan, BO2k,
with full Windows NT support.
Overview
Using tools such as SilkRope, the Back Orifice Trojans can be hidden in or
bound into legitimate binaries, increasing the likelihood that a user
installs them inadvertently. By exploiting bugs in Outlook and Explorer,
there is even the potential to run and install the Trojan on target
systems automatically. Since BO2k is fully configurable in both code and
port configuration, the potential for tunnelling the remote control
session through a firewall or other perimeter security device is also
greatly increased. Consider the common misconfiguration of Check Point
FireWall-1 that allows bi-directional TCP and UDP port 53 traffic through
to all hosts.
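The port 53 misconfiguration above is easiest to see with a concrete policy and a handful of flow records. The following is an added example, not code from the original post or from any firewall product: it places a permissive "any to any, TCP/UDP 53" rule beside a tightened policy, and runs a small detector over constructed flow records that flags port 53 sessions which do not look like ordinary DNS resolution (inbound port 53 to a workstation, outbound port 53 to something other than the approved resolvers, and long-lived or high-volume port 53 sessions). The resolver addresses, the workstation subnet, the log format and the thresholds are all assumptions.

```python
"""Audit port-53 flows against a permissive and a hardened firewall policy.

Added example; site values, log format and thresholds are hypothetical.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Hypothetical site values: the corporate resolvers and the workstation subnet.
APPROVED_RESOLVERS = frozenset({ip_address("10.0.0.53"), ip_address("10.0.1.53")})
WORKSTATION_NET = ip_network("10.10.0.0/16")

# Tunnelling indicators (assumed thresholds): a DNS exchange is short and small.
MAX_DNS_SECONDS = 300
MAX_DNS_BYTES = 100_000

# Constructed flow records: ts src dst proto dport bytes duration_s
SAMPLE_LOG = """\
2013-02-03T09:00:01 10.10.4.21 10.0.0.53 udp 53 180 0
2013-02-03T09:00:02 10.10.4.21 10.0.1.53 tcp 53 1200 1
2013-02-03T09:01:10 10.10.4.21 203.0.113.9 tcp 53 845000 1800
2013-02-03T09:02:00 198.51.100.7 10.10.4.21 udp 53 4096 0
2013-02-03T09:03:00 10.10.4.22 203.0.113.9 udp 53 64 0
"""


@dataclass(frozen=True)
class Flow:
    ts: str
    src: object      # ipaddress address object
    dst: object
    proto: str
    dport: int
    nbytes: int
    duration: int


def parse_flows(text):
    """Parse the constructed whitespace-separated flow format."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, proto, dport, nbytes, dur = line.split()
        flows.append(Flow(ts, ip_address(src), ip_address(dst), proto,
                          int(dport), int(nbytes), int(dur)))
    return flows


@dataclass(frozen=True)
class Rule:
    src: object      # "any", an ip_network, or a frozenset of addresses
    dst: object
    protos: frozenset
    dport: int


def _in_scope(scope, addr):
    # Works for "any", a frozenset of addresses, and an ip_network (containment).
    return scope == "any" or addr in scope


def policy_allows(policy, flow):
    """True if any rule in the (allow-only) policy matches the flow."""
    return any(_in_scope(r.src, flow.src) and _in_scope(r.dst, flow.dst)
               and flow.proto in r.protos and flow.dport == r.dport
               for r in policy)


# The misconfiguration: port 53 open in both directions to every host.
WEAK_POLICY = [Rule("any", "any", frozenset({"tcp", "udp"}), 53)]

# Tightened: workstations talk DNS only to the resolvers; only the
# resolvers talk DNS to the outside world.
HARDENED_POLICY = [
    Rule(WORKSTATION_NET, APPROVED_RESOLVERS, frozenset({"tcp", "udp"}), 53),
    Rule(APPROVED_RESOLVERS, "any", frozenset({"tcp", "udp"}), 53),
]


def classify(flow):
    """Return the reasons a port-53 flow looks unlike normal DNS resolution."""
    reasons = []
    if flow.dport != 53:
        return reasons
    if flow.dst in WORKSTATION_NET and flow.dst not in APPROVED_RESOLVERS:
        reasons.append("inbound-53-to-workstation")   # no workstation serves DNS
    if flow.src in WORKSTATION_NET and flow.dst not in APPROVED_RESOLVERS:
        reasons.append("unapproved-resolver")         # bypasses the site resolvers
    if flow.duration >= MAX_DNS_SECONDS or flow.nbytes >= MAX_DNS_BYTES:
        reasons.append("tunnel-volume")               # far too long/large for DNS
    return reasons


def audit(text):
    """Map each suspicious flow's timestamp to its reasons and policy verdicts."""
    findings = {}
    for flow in parse_flows(text):
        reasons = classify(flow)
        if reasons:
            findings[flow.ts] = {
                "reasons": reasons,
                "weak_allows": policy_allows(WEAK_POLICY, flow),
                "hardened_allows": policy_allows(HARDENED_POLICY, flow),
            }
    return findings


if __name__ == "__main__":
    for ts, info in audit(SAMPLE_LOG).items():
        print(ts, info)
```

Every flagged session is permitted by the weak rule and denied by the tightened policy, while the two genuine resolver lookups pass both. The volume and duration checks are the ones worth keeping even when the firewall rule is fixed, since a remote control session tunnelled over an allowed port still has to carry its traffic somewhere.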
Use of the Exploit
In the sample network, the remote access client is a remote worker
using either an infected home PC or an infected laptop. Although the
company's perimeter security may be adequate, the host is considered
trusted because it belongs to a remote worker. Since this machine can be
controlled through the Trojan, whoever controls it can reach all the same
resources on the target network that the remote worker can.


Example
The scans of the remote host have revealed a number of open ports,
including the default BO2k port. A BO client is therefore installed on
the attacking machine and an attempt is made to contact the BO server on
the remote workstation. If successful, the corporate network can be
examined through Back Orifice's features from the same level of trust as
the remote worker.
