New Back Orifice promises NT break-ins

Computer security firms are bracing for a serious flare-up of hacker activity come Sunday afternoon. With great fanfare at a Las Vegas trade show, the hacker group Cult of the Dead Cow will release a new version of its Back Orifice tool.

Computer security firms are bracing for a serious flare-up of hacker activity come Sunday afternoon. With great fanfare at a Las Vegas trade show, the hacker group Cult of the Dead Cow will release a new version of its Back Orifice tool. The software, which makes it easy for computer intruders to hijack Windows-based PCs connected to the Internet, will be freely available on the Net. Much mischief is expected to follow -- as is a "fix" from the Cult itself.

The first version of Back Orifice, so named to poke fun at Microsoft's Back Office product, was released in August last year at the annual hacking trade show called DEF CON. This year's show starts Friday, with the release of Back Orifice 2.0 as the marquee event.

Back Orifice usually arrives at a victim's computer as an e-mail attachment. Once the victim is tricked into opening the attachment, the software secretly installs itself and turns the victim's computer into a "client." Then, anyone with the other half of the Back Orifice software (the administrator tool) can control the victim's PC from anywhere on the Internet. The hacker can then stealthily do anything to the victim's machine that the victim could do -- even delete all the hard drive's contents.

Back Orifice is at the centre of one of the key debates in the security industry -- while the Cult maintains it produced the software to reveal security flaws in Microsoft products, and ultimately make them safer, Microsoft says that's just a cover to legitimise hacking. (Microsoft is a partner in MSNBC.)

The tool has been a rage among hackers -- the Cult says it has been downloaded 300,000 times. And even though all anti-virus packages now detect the program, security firm ICSA Inc. says there are "tens of thousands" of machines that are currently infected, unbeknownst to their users. Peter Tippett, chief technologist at ICSA, said he knows of individual networks where hundreds of machines are currently compromised.

According to the Cult, Back Orifice 2.0 has several enhancements. Chief among them, it now works on the Windows NT operating system. It also employs stronger encryption, which will reportedly make it harder to detect. And it is open source -- meaning it will be "radically polymorphic," as hackers extend it and create their own new variations of the program.

Anti-virus software companies plan to spend the weekend analysing the new software and creating a defence that they can spread to clients. That's expected to take 24 to 48 hours. "It's good that it's being released on a Sunday," said Dan Takata of Data Fellows. "We'll have time to play with it. Monday's when I assume a lot of people will test it." For that reason, software vendor Internet Security Systems Inc. asked Cult members for a pre-release version of the software. That way, clients could be protected before the product is released and a flurry of hacking followed.

The Cult's sarcastic reply: "We will gladly provide you with the software you desire if and only if you will, in exchange, grant us one million dollars and a monster truck."

"That shows they have no other intent than maliciousness," said Jason Garns, Microsoft's lead product manager for Windows NT security. "Unfortunately, they view this as being a game."

But Cult members say there are several good reasons not to give anti-virus vendors a leg up on Back Orifice. Chief among them -- Sir Dystic, who authored the first version of Back Orifice, is working on what might be called a competitive product: a security software package that will protect users from Back Orifice and many other security threats. The group declined to offer more details.

"We did think about giving it to all the AV vendors," said a group member identifying himself as Tweety Fish. "But it's a method of defence we don't support." Anti-virus software only reacts to known security threats; since Back Orifice is open source, many variants are expected, so the group believes most AV software will be ineffective anyway.

"We will be releasing tools at DEF CON or in the near future which we believe will provide a much more robust method of protecting your system than what the AV vendors can do today," Tweety Fish said. Also, if virus protection defeated Back Orifice immediately upon release, the tool would get no media attention. "It would dilute our press message," said Reid Fleming, who wrote the sarcastic e-mail to ISS.

That message, according to media-savvy Cult members, is that Windows NT is fundamentally flawed.

Cult members describe Back Orifice as a remote administration tool, useful for network administrators to update software on user desktops. But software companies say that's a smokescreen, and point out that the tool runs secretly, in the background. The Cult counters by saying Microsoft, trying too hard to simplify operating system administration, has created security holes. Windows shouldn't allow a program to run secretly in the first place, the Cult says. "If Microsoft wasn't so committed to hiding the real workings of desktop machines from users, it wouldn't be a problem," Tweety Fish said. "Microsoft is taking a complex problem of network and server security and trying to simplify it without acknowledging the consequences of that."

Still Microsoft's Garns points out that ill-intentioned "remote administration tools" can be designed to attack any operating system and have existed for the Unix operating system for 20 years. "There's nothing fundamentally unique about what's happening here. It does not take advantage of any security vulnerability in Windows NT. It attacks people, not technology," he said. "It was not created for the benefit and benevolence of users."

Chris Rouland of ISS agrees the program was clearly designed with ill intentions. "It offers live video capture of the screen.... We understand you can even remotely fake a blue screen so the computer looks like it's crashed, but you can keep operating in the background," Rouland said. "It sounds like it's going to be a pretty malicious piece of code."

It is not yet known how Back Orifice will spread, though it most likely will be hidden inside one of several programs that will be e-mailed as an attachment. There are likely to be several variations, so virus companies urge Net users to exercise the standard caution when opening e-mail attachments. Users should also update their anti-virus software after detection for Back Orifice 2.0 is included, probably Monday or Tuesday.