Domain: cultdeadcow.com
Stories and comments across the archive that link to cultdeadcow.com.
Comments · 109
-
But there IS a virus in BO...
The cDc apologized about a week ago for a virus that got on the BO2K CDs they passed out at Defcon. Anyone who installed it should check their systems for Chernobyl. Check out cDc news. Maybe this doesn't prove that open-source programs are more likely to have trojans in them. But a smaller, less formal operation would be more likely, I think, to have this sort of accident happen to it than a big software firm, e.g., M$.
-
"BO2K can be hidden, therefore is evil..."
Both Microsoft and the fools that published this article base their derogatory comments about BO2K on the fact that it can be hidden from the user. For example, here is a quote from Microsoft:
"Remote control software is not malicious in and of itself; in fact, legitimate remote control software packages are available for use by system administrators. What is different about BO2K is that it is intended to be used for malicious purposes, and includes stealth behavior that has no purpose other than to make it difficult to detect."
For the record, BO2K is a perfectly legitimate remote admin tool. It just happens to be open source. It can be used for malicious purposes just like any other tool.
Microsoft says that BO2K is a "malicious hacker tool" (sic) because it can be concealed. They conveniently overlook the fact that their remote administration tool, SMS (Systems Management Server) can be concealed just as well.
On Monday, July 19, Cult of the Dead Cow Communications publicly challenged Microsoft to recall all copies of SMS and to petition virus scanner makers to include signatures for SMS in their products.
-
Cult of the Dead Cow's take on Microsoft
Microsoft claims that Back Orifice 2000 does not exploit any security vulnerabilities in Windows 2000.
Conversely, the Cult of the Dead Cow claims that "Unfortunately for Microsoft, Back Orifice 2000 could bring pressure on the software leviathan to finally implement a security model in their Windows operating system. Failure to do so would leave customers vulnerable to malicious attacks from crackers using tools that exploit Windows' breezy defenses."
I don't think the BO2K installation procedure requires the recipient/installer to be root/Administrator for the payload to be delivered.
-
Re:Idiocy
"BackOrifice does NOT take advantage of any secret OS backdoors, and operates just like ANY internet server."
That is precisely the problem. Without using any back doors, only an idiotically open API, BO is able to do far more than any userland app should be able to.
From the cDc website:
"It uses documented calls built into Windows to do such things as:
Reveal all cached passwords. This includes passwords for web sites, dialup connections, network drives and printers, and the passwords of any application that stores user passwords in the operating system. (This Windows feature was implemented apparently so the user won't be inconvenienced by having to remember his passwords every time he uses his computer.)
Create shares hidden to the user and list the passwords of existing shares.
Make itself mostly invisible. Back Orifice does not appear in the control-alt-delete list of running programs, and can only be killed by a low level process viewer which Windows 95 does not ship with. To their credit, Windows 98 does ship with a process viewer, but it is not installed by default."
-
Re:Double Meanings
Do you know what "Back Orifice" is? It's a trojan program that compromises the (already laughable) "security" of an MS windoze box, and allows you to do pretty much _anything you want_ to it. Think of it as an unwanted "virtual network computing" connection.
If you've ever got an email from a "friend" on a 'doze box that included a really "cool" animation of a girl in a santa suit stripping or whatever, in the form of an executable file, and the executable was curiously large (not that most windoze people bother looking), and you ran the program, then your box is probably already compromised.
Check out
www.cultdeadcow.com
www.l0phtcrack.com
-
RFC and cDc
Hmm, after voting for my favorite RFC, now I need a site where I can vote for my favorite cDc text...
-
Rebutting Ed Muth
Oh come on, Ed Muth is easy to rebut. The Cult of the Dead Cow did a much better job in their Ed Muth rebuttal (on an unrelated topic).
-
The cDc, fun for the whole family
I have read the cDc for over 4 years and their stuff keeps on getting better and better.
Although my favorite is still cDc #329
-
What about OXblood Ruffin?
Ruffin's recent t-file, "Chinese Checkers" (cDc #361) includes him getting hold of one of the Hong Kong Blondes.
(quoted from the file, all emphases are mine)
Human Rights in China are naturally a Chinese problem requiring a Chinese solution. Xiao Qiang is part of that solution and so are Lin Hai and Wang Youcai. Hacktivists can support their agendas by getting informed, giving some time, and staying involved until the problem is solved. It won't happen overnight. But hackers have a lot of stamina for harsh bug fixes when they believe in the program. That's what I thought when I contacted Lemon Li.
***
The last time I got in touch with the Hong Kong Blondes Chief Technical Officer it was mostly to bid her au revoir and God-speed. And to ask her to drop 5000 copies of Back Orifice -- the cDc's network administration tool for Windows -- into China. I wasn't exactly sure what I was going to use them for but the opportunity for deployment was too delicious to pass up. According to Microsoft, Back Orifice is no threat to the marks, rather, the users of their operating system. But in our experience they are just whistling into the abyss. Having this application dropped onto your hard drive is like giving your PIN number, your house keys and your lover's nude photos to a stranger, only worse. My sincere wish is that the Win9x OS install base in China includes legions of Communist Party officials, corrupt bureaucrats and nasty high school vice-principals. I'm sure that we'll find out soon enough.
Part of the fun is not really knowing what will happen. When Sir Dystic first programmed Back Orifice and released it at Defcon last summer no one could have predicted its impact. To date approximately three hundred thousand copies of the program have been downloaded from the CULT OF THE DEAD COW Web site. And given the state of trading and copying that goes on the Net, we're probably looking at a number closer to one million copies in total. Zowie. Right after the release there was nothing so pathetic as the phalanx of PR flacks stumbling out of Redmond pooh-poohing Back Orifice. It was one stinking performance. At first Back Orifice was no threat. Then there was something to it but Windows users had nothing to fear. Then it was something else. They never had a clue how to contain the damage. Bill Gates probably didn't have enough money to get good help after blowing his whole PR budget on reinventing himself as Ozzie Nelson on his way to an anti-trust suit. Still, it was amusing.
To be honest, Back Orifice was not developed to take on Beijing. It was developed to show that Microsoft security sucked. But we couldn't be happier that the Reds and Redmond have cosied up so nicely. And the more that Back Orifice is deployed, the more use it will be. There are a number of plug-ins for the program in development that will expand upon its already robust abilities. And there's the Windows NT version waiting in the wings. But why tell all now? It would be more fun to wait for the Chinese to make an official complaint to Washington. Or to watch them close down Microsoft Research, Beijing for being a party to their demise. Not that we're complaining, but it does seem astounding that China would put so much faith in Microsoft to help them develop their computing infrastructure. You'd think a little more attention to security issues would... hmm, I'd better keep it to myself.
Not to slag on OXblood; he's my favorite writer in cDc. But there's a touch of inconsistency between the cDc's condemnation of cyberwarfare and this file.
J.