Back Orifice 2000 not to be feared

LAS VEGAS -- Back Orifice 2000 is not something to be feared. It is not a virus.

LAS VEGAS -- Back Orifice 2000 is not something to be feared. It is not a virus. It is not a Trojan horse. It is a remote administration tool.


BO2K -- the Cult of the Dead Cow's (cDc) much anticipated follow-up to Back Orifice -- is quite possibly one of the most full-featured remote admin tools on the market today.

Combined with the aid of the new plug-in BOPeep, the tool -- which works on Windows 9x and NT machines -- enables system administrators to disable both the keyboard and mouse of the remote machine, and begin controlling it from their own PC.

Sys admins can even fire up a video window of the remote PC so they can see what's on the monitor -- similar to PC Anywhere or VNC functionality.

BOTool, a plug-in shortly to be released by L0pht Heavy Industries, another hacker group, will allow the client to view and edit the file system and registry of the remote machine in a interface similar to the Windows file manager and regedit programs.

Among many other features, BO2K comes with a built-in proxy server and a Web server. The U.S. version comes with 3DES strong encryption, but the international version uses a weaker encryption scheme.

According to cDc's DilDog (cDc members are only identified by their handles), BO2K was written from the ground up with security in mind. Strong encryption ensures all data and text will be transferred securely to prevent someone sniffing your password while you're remotely administering a PC.

BO2K weighs in at only about 115KB in size and utilizes only about 2MB of RAM. It is no CPU hog, either. Not only that, according to DilDog, the file transfer speed in BO2K is faster than any remote admin tool against which it was benchmarked.

The price is right
What do you expect to pay for something like this? $40? $60?

Nope. Try $0.

Besides being free, B02K is also open source, so if you'd like to strip out or add functionality, go right ahead, just make your code available. But if you'd rather not dive into source code, there's also the option of just writing a plug-in to pop in.

Adding to the package is BO2K's customized setup. The original Back Orifice installed itself automatically as soon as it was run. BO2K launches, of all things, a Wizard to configure the setup.

No longer is there a default port and password -- in BO2K you must assign it a port and password, or it won't run.

That means there won't be a widespread epidemic of script kiddies scanning the entire net for port 31337, looking for people infected with BO2K.

Software doesn't kill data ...
"But it can run hidden, that's evil!" you say? It can run hidden, this is true, but this time around it can also run visible if you so choose.

Many other software packages out there have the same option, and they even call it a feature. Believe it or not, some people even like it.

There are dozens of software packages out there that, if installed with malicious intent, allow an attacker to do just as much damage as BO2K could, if used improperly.

You won't see many of those programs being killed by anti-virus software, and it's a shame that there's almost a sure bet Back Orifice 2000 will.

If common sense is used, you won't need to worry about BO2K or any other software being run maliciously on your machine. Just remember, software doesn't kill data -- people do.

Drew Ulricksen is ZDNN's operations specialist. He attended DEF CON 7.