Security Information Week 11, 1999
During the last half year there has been an explosion in so-called Windows backdoor programs. These are programs which exploit the design of Windows operating systems to expose the PC to outside control. An intruder may use them to take control of your PC and potentially gain access to the network.
Even though several such programs exist, those which have received the most publicity and are most widespread are Netbus and Back Orifice. The former was recently released in a new version (2.0). Such programs are called Trojan horses because they pretend to do something other than what they actually do.
Let us see how these programs function and how they spread.
Both Netbus and Back Orifice consist of two parts - a client and a server. The server is the program which is installed on a PC and makes that PC accessible to any person who has the client running and is able to connect to that PC.
Both these programs have been widely distributed (intentionally as well as unintentionally). They are, for example, sent as attachments to e-mails with innocent-looking file names. Back Orifice even has a plug-in which installs Back Orifice and then runs a specified program, which disguises the installation of Back Orifice. According to the news service Wired, 79% of all Australian Internet Service Providers (ISPs) were infected by Back Orifice (November 1998).
The server part of the programs runs when the PC is booted and does not appear in the task list as other programs normally do. Thus a user will not know that he is infected unless he knows exactly what to look for. The programs may be configured to listen on specified communication ports. There are programs available on the Internet which scan ranges of IP addresses for the existence of Back Orifice and/or Netbus servers. If an intruder finds such a server, she may connect to that PC and, for example:
- Transfer files to the PC and execute these files. The PC may then be infected with malicious viruses.
- Start any application available on the system.
- Observe all keystrokes on the PC. The intruder may then learn user names and passwords which she can use to connect to the organization's network.
- Gain complete access to the file system. This enables the intruder to do almost anything on that PC, including copying password files which may be cracked, giving access to other resources the compromised user has access to.
These bullets show only some of the options available. These programs are very powerful.
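Since the server process hides itself from the task list but must still listen on a port, the defender's counterpart to the scanners mentioned above is a local audit of listening sockets. The following is an added example, not code from the newsletter or from either program: it parses constructed `netstat -an` output in the Windows format and reports every listener that is not on an allowlist of expected ports. The two default ports it annotates (Netbus 12345/TCP, Back Orifice 31337/UDP) come from public documentation of those tools, not from this article; because the text notes the ports are configurable, the allowlist of what *should* be listening is the primary check and the defaults are only labels.

```python
"""Audit listening sockets on a Windows host against an allowlist.

Added example (hypothetical helper code, not from the original article).
Input is the text of `netstat -an`; output is the list of unexpected listeners.
"""
import re
from typing import Dict, List, Set, Tuple

# Default ports of the two Trojans, as published in their documentation
# (assumption: not stated in the article). Both are configurable, so these
# serve as annotations only; the allowlist decides what is unexpected.
KNOWN_TROJAN_DEFAULTS: Dict[Tuple[str, int], str] = {
    ("TCP", 12345): "Netbus (default port)",
    ("UDP", 31337): "Back Orifice (default port)",
}

# Constructed sample of `netstat -an` output from a Windows host.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:139            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:12345          0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1043      192.168.1.1:80         ESTABLISHED
  UDP    0.0.0.0:137            *:*
  UDP    0.0.0.0:31337          *:*
"""

# proto, local address, local port, foreign address, optional state column
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$")


def parse_listeners(netstat_text: str) -> List[Tuple[str, str, int]]:
    """Return (proto, local_addr, port) for every listening socket."""
    listeners = []
    for line in netstat_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header, blank, or unrecognised line
        proto, addr, port, _foreign, state = m.groups()
        # Windows netstat prints no state for UDP; every UDP socket is bound
        # and therefore counts as a listener.
        if proto == "UDP" or state == "LISTENING":
            listeners.append((proto, addr, int(port)))
    return listeners


def audit_listeners(netstat_text: str,
                    allowlist: Set[Tuple[str, int]]) -> List[dict]:
    """Flag listeners whose (proto, port) is not in the allowlist."""
    findings = []
    for proto, addr, port in parse_listeners(netstat_text):
        if (proto, port) in allowlist:
            continue
        findings.append({
            "proto": proto,
            "addr": addr,
            "port": port,
            "note": KNOWN_TROJAN_DEFAULTS.get((proto, port), "not in allowlist"),
        })
    return findings


if __name__ == "__main__":
    # Expected services on this constructed host: RPC endpoint mapper,
    # NetBIOS session and NetBIOS name service.
    expected = {("TCP", 135), ("TCP", 139), ("UDP", 137)}
    for f in audit_listeners(SAMPLE_NETSTAT, expected):
        print(f"{f['proto']} {f['addr']}:{f['port']} - {f['note']}")
```

Run against real output, the script lists two unexpected listeners for the sample above and labels them with the known default names. Any port not in the allowlist is reported regardless of the label, which is what catches a server that has been reconfigured away from its default.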
The authors of these programs claim that they are not written as intrusion tools, but rather as remote-control tools (which may be useful) or to demonstrate the weaknesses in the operating systems. The actual use, however, has so far for the most part been to gain unauthorized access to another person's computer.
Netbus is available for Windows 95, 98 and NT. Back Orifice server is available for Windows 95 and 98 only; the client is for Windows 95, 95 and NT as well as some UNIX operating systems.
Newer versions of virus control programs, including Norman Virus Control, will detect these Trojan horses.
Per Olav Førland
