The underground organization Cult of the Dead Cow has released a new version of its Windows backdoor program. Back Orifice 2000 was released on 10 July at the annual computer hacker and security conference Def Con in Las Vegas, Nevada, USA.
The previous version of Back Orifice is discussed in our weekly security info for week 11 this year.
The new version has a lot of new functionality, such as:
The source code is available on the Internet. This enables the creation of different variants of the program.
Although the authors of the program claim that Back Orifice 2000 is a network administration tool for Windows operating systems, experience with other such programs, like the previous version of BO and Netbus, indicates that they have mostly been used with malicious intent.
As usual, the advice is:
Ironically, the CD with Back Orifice that was distributed at Def Con turned out to be infected with the dangerous computer virus CIH, also called Chernobyl. The opening page of Cult of the Dead Cow's web site shows this message (extracts):
Somehow we must have accidentally infected our own Defcon CDs with CIH v1.2 TTIT (Chernobyl). It was not our plan to do this, and frankly it makes us look like idiots. (...)
Norman's virus detection files dated 12 July 1999 or later detect Back Orifice 2000.
More information about Back Orifice 2000 may be found in an excellent white paper from Internet Security Systems' X-Force (PDF format).
Per Olav Førland