Slashdot Mirror


BO2K cracked

Ford writes "The BBC is reporting that Internet Security Systems has "decoded the protocols and encryption algorithms of Back Orifice 2000 (BO2K) within 24 hours" of its release. Microsoft has issued only a warning, refusing to admit that there might be security vulnerabilities in WinNT." The security agencies interviewed in the article are claiming that BO2K is child's play, and that they've already got detection systems in place. I'm just waiting for the Defcon response to their claims.

225 comments

  1. Re:So the original is cracked. BFD. by Anonymous Coward · · Score: 0

    Just tried Back Orifice 2000, cool stuff!
    Is this one of the new features of NT 2000 ?
    :)

  2. ISS Is Amazing! by Anonymous Coward · · Score: 0

    I'm simply amazed that ISS could figure out the XOR and 3DES encryption included with BO2K.

    I would have figured reading and understanding C source code was a bit out of their league.

    Maybe they had some help.

    -foo

    1. Re:ISS Is Amazing! by Anonymous Coward · · Score: 0

      XOR is the only crypto algorithm available in BO2K by default. Copies made for use inside the US include a plugin which adds 3DES functionality.

      The 3DES key is fixed. No DH by default, although a DH plugin could easily be written.

      -foo
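      The two points in this reply (a fixed XOR key by default, a fixed 3DES key in the plugin) are why a fixed-key scheme gives a defender so much to work with. The following is an added example written for this page, not code from cDc, BO2K or ISS: the key, the protocol header and the message are constructed values, not BO2K's real ones. It shows that with a repeating fixed XOR key, one known plaintext recovers the key outright, and that a fixed header always encrypts to the same bytes, which is exactly the kind of constant pattern a network sensor can turn into a signature.

```go
package main

import (
	"bytes"
	"encoding/hex"
	"fmt"
)

// xorCrypt applies a repeating-key XOR, the kind of "encryption" the reply
// above describes as the BO2K default. The same function encrypts and decrypts.
// Key and header values used with it in this file are constructed for the
// example and are not BO2K's real values.
func xorCrypt(key, data []byte) []byte {
	out := make([]byte, len(data))
	for i, b := range data {
		out[i] = b ^ key[i%len(key)]
	}
	return out
}

// recoverKey shows why a fixed XOR key gives no confidentiality: anyone who
// knows (or guesses) one plaintext at least as long as the key XORs it against
// the matching ciphertext and gets the key back. Returns nil if the inputs are
// too short to cover the key.
func recoverKey(knownPlain, cipher []byte, keyLen int) []byte {
	if keyLen > len(knownPlain) || keyLen > len(cipher) {
		return nil
	}
	key := make([]byte, keyLen)
	for i := 0; i < keyLen; i++ {
		key[i] = knownPlain[i] ^ cipher[i]
	}
	return key
}

// signatureFor derives an IDS signature: because the key never changes, a
// fixed protocol header always encrypts to the same byte string.
func signatureFor(key, header []byte) []byte {
	return xorCrypt(key, header)
}

// matchesSignature is the detection check a sensor would run over a payload.
func matchesSignature(payload, sig []byte) bool {
	return bytes.HasPrefix(payload, sig)
}

func main() {
	key := []byte("toy-key!")          // constructed fixed key
	header := []byte("HDR-v1\x00\x00") // constructed fixed protocol header
	msg := append(append([]byte{}, header...), []byte("hello")...)
	ct := xorCrypt(key, msg)
	fmt.Printf("ciphertext:     %s\n", hex.EncodeToString(ct))
	fmt.Printf("recovered key:  %q\n", recoverKey(header, ct, len(key)))
	sig := signatureFor(key, header)
	fmt.Printf("IDS signature:  %s\n", hex.EncodeToString(sig))
	fmt.Println("payload matches signature:", matchesSignature(ct, sig))
}
```

      The same reasoning applies to the fixed 3DES key mentioned above: a strong cipher with a key that is the same on every installation still produces a constant ciphertext for a constant header, so it resists neither decryption by anyone holding the source nor signature-based detection.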

    2. Re:ISS Is Amazing! by Anonymous Coward · · Score: 0

      You guys know what the ISS announcement really means don't you? A hell of a lot of people are going to end up getting burned by BO2K. The clowns at ISS have just made BO2K a hell of a lot more dangerous to MS operating systems than it ever was...

      Man, you coulda saved a lot of typing by just droning "Security through obscurity is good."

    3. Re:ISS Is Amazing! by C.Lee · · Score: 1

      You guys know what the ISS announcement really means don't you? A hell of a lot of people are going to end up getting burned by BO2K. The clowns at ISS have just made BO2K a hell of a lot more dangerous to MS operating systems than it ever was...

    4. Re:ISS Is Amazing! by sboss · · Score: 1

      Why do people always have to put down other people? Is it human nature or what? I have met several of the guys from ISS and they all seem fairly intelligent especially in their field of work.

      Maybe I am biased since I know a few of them...
      Scott

      Scott
      C{E,F,O,T}O
      sboss dot net
      email: scott@sboss.net

      --
      Scott
      janitor
      sdn website family
      email: scott at sboss dot net

    5. Re:ISS Is Amazing! by Sun+Tzu · · Score: 1

      Well, it *did* take them 24 hours!

      To select out a fingerprint only took the experts an hour. wow.

    6. Re:ISS Is Amazing! by duckbill · · Score: 1

      I think the response you are seeing is b/c ISS fired the first volley. We can expect a certain amount of puffing from a company to appease their customers and ensure market share; however, ISS crossed the line into trash talking.

      Comparing the time it took them to isolate a signature from source code and the time it took to write the program is kind of bush league. Insulting the authors is purely juvenile.

      If your friends want to poke cDc with a stick they do so at their own peril.

    7. Re:ISS Is Amazing! by jovlinger · · Score: 1

      So now Americans infecting non-American hosts are liable under the munitions-export rules? That'd be a bummer. Get caught playing with one of these babies and don't get out of jail forever...

      anyways, about the 3des: is the secret key fixed or is there some diffie-hellman going on?

      Johan

  3. Stupid Media Hype by Anonymous Coward · · Score: 0

    geezz, silly media

    1) cDc released the source
    2) They stated that the default source only includes XOR and DES encryption
    3) there is a plug in interface, so you can add whatever encryption you want relatively easily
    4) Microsoft has too many "undocumented features" in their OSes

  4. Dangerous Child Play by Anonymous Coward · · Score: 0

    They call it stupid child's play in one sentence and an extremely dangerous thing in the next, i.e. everybody should still rush and buy their antivirus products...

    Sounds like they've found the ideal way to both piss off the (cr)hackers and to fool the customers.

    1. Re:Dangerous Child Play by Anonymous Coward · · Score: 0

      Well, stupid child's play is often extremely dangerous.

    2. Re:Dangerous Child Play by C.Lee · · Score: 1

      I wonder how much ISS charges to perform at birthday parties for pre-schoolers, and do they provide their own cleaning service for their clown suits?

  5. So what's the solution? by Anonymous Coward · · Score: 0

    How would you solve this little problem of Trojan Horse vulnerability? Even Linux is susceptible, given a decent utility or application program to hide in that needs to be installed as root.

    I can only think of one way to do it: Have the user be unable to run as a superuser entirely. To install something at root level, say a device driver, the driver install would need to be signed by a master DH key, or the OS wouldn't take it.

    Frankly, this scares me. Being unable to master ones own machine? Why, that smacks of Microsoft!
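    The proposal above (root-level installs accepted only when signed by a master key) is a signed-package policy, and the following added example shows what the verifying side looks like in code. It is not code from the original post or from any project discussed here. The poster says "DH key"; Diffie-Hellman is a key-agreement scheme rather than a signature scheme, so this example uses Ed25519 signatures from Go's standard library as the concrete stand-in for the master key. The Package type, the manifest layout and the Install function are assumptions made for the example; Install only reports whether it would accept the payload, it does not touch the system.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Package is a constructed, minimal stand-in for an installable unit such as
// a device driver: some metadata plus the bytes the OS would load.
type Package struct {
	Name    string
	Version string
	Payload []byte
}

// manifest is what actually gets signed: the metadata plus a hash of the
// payload, so one signature binds name and version to exactly these bytes.
func manifest(p Package) []byte {
	sum := sha256.Sum256(p.Payload)
	return []byte(fmt.Sprintf("name=%s\nversion=%s\nsha256=%x\n", p.Name, p.Version, sum))
}

// SignPackage is the distributor's step, done with the master private key,
// which never needs to be present on the machines that install the package.
func SignPackage(priv ed25519.PrivateKey, p Package) []byte {
	return ed25519.Sign(priv, manifest(p))
}

// ErrUntrusted is returned for any package that does not verify.
var ErrUntrusted = errors.New("package rejected: signature does not verify under the pinned master key")

// VerifyPackage is the check the installer runs before doing anything
// privileged. Only the pinned public key is needed on the target machine.
func VerifyPackage(pub ed25519.PublicKey, p Package, sig []byte) error {
	if len(sig) != ed25519.SignatureSize || !ed25519.Verify(pub, manifest(p), sig) {
		return ErrUntrusted
	}
	return nil
}

// Install is a hypothetical install step gated on verification. It returns
// whether the payload would be accepted; a real installer would copy
// p.Payload into its privileged location only after this returns true.
func Install(pub ed25519.PublicKey, p Package, sig []byte) (bool, error) {
	if err := VerifyPackage(pub, p, sig); err != nil {
		return false, err
	}
	return true, nil
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	// Constructed sample package; the payload bytes stand in for a driver image.
	drv := Package{Name: "example-driver", Version: "1.0", Payload: []byte("constructed driver bytes")}
	sig := SignPackage(priv, drv)

	ok, err := Install(pub, drv, sig)
	fmt.Println("genuine package accepted:", ok, err)

	tampered := drv
	tampered.Payload = []byte("constructed driver bytes, altered after signing")
	ok, err = Install(pub, tampered, sig)
	fmt.Println("tampered package accepted:", ok, err)
}
```

    Hashing the payload into a signed manifest rather than signing raw bytes is what lets the same scheme cover name and version: a valid old package cannot be re-labelled as a newer release, and a changed payload fails regardless of its metadata. The trade-off the poster worries about is real and sits in the pinned key: whoever controls it decides what the machine will accept at root level.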

    1. Re:So what's the solution? by Anonymous Coward · · Score: 0

      On a side note, http://www.phrack.com/search.phtml?view&article=p52-6 has a patch for Linux 2.0.x which allows low port bindings to be given out by running setgid 16 rather than setuid 0. They do the same thing for raw sockets and SOCK_PACKET privilege.

    2. Re:So what's the solution? by artg · · Score: 2

      Do all the package maintenance tools want to run as root? As far as I know, rpm does. What about the others?

      If there's a culture of using root access to do any significant operation on a machine, it becomes much easier to convince a user to use root for every job, and hence to run any arbitrary install script from the net as root.

      Package admin should demand only as much access as is necessary; if run as a normal user, they should install only with that user's rights (modifying ~/bin, ~/lib etc.)

    3. Re:So what's the solution? by Le+douanier · · Score: 1

      yes, there is a solution: Get rid of all users ;)

      (i.e. userfriendly: I found the thing that can improve your staff work environment: Get rid of your customers)

      --
      "The obvious mathematical breakthrough would be development of an easy way to factor large prime numbers." Bill Gates,

    4. Re:So what's the solution? by swingerman · · Score: 1

      Properly set up group permissions and memberships can alleviate the need to log in as root most of the time. No program NEEDS to run as root unless it is opening a socket < 1024 or directly accessing video hardware since there is no device file for it. Beyond that, it's all based on permissions to the files. You can set up a sysadmin group and make all administrative files in that group and make the proper people members of that group and you can access anything you need without su-ing to root. You can even manage the password file that way (though I wouldn't recommend it).

    5. Re:So what's the solution? by swingerman · · Score: 1

      grrr... Darn interpretation of HTML. The phrase "opening a socket 1024" should read "opening a socket < 1024"...

  6. Cracked. by Anonymous Coward · · Score: 0

    Logic will indicate that if source code is provided, the encryption algorithm is there to be decrypted.

  7. Ummm - some stats please? by Anonymous Coward · · Score: 0

    "But Graham Cluley, senior technology consultant with Sophos, said: 'No-one got hit by it a year ago and we think it's going to be a complete non-issue now.'"

    Maybe I'm being naive here but there are probably still systems that have BO sitting around somewhere just 'cos the users don't know they've been infected.

    And for the more experienced users - it's a matter of pride for machine and personal hygiene that you don't mention to someone 'I have BO' or 'I had BO'.

    Perhaps I've misread that paragraph - who knows - but the number hit certainly was not 0.

    What with this and this company having the source code for it to write a detector with:-
    Senior Technical Consultant doesn't seem that hard a job for that company.

    -----------------------------------------
    'Where do the omnipresent go on holiday?'
    -----------------------------------------

    1. Re:Ummm - some stats please? by Anonymous Coward · · Score: 0

      I used to work for an ISP, and I'd say at least 2% of our 20,000 users had the B.O. at one time or another... Not a day went by when people wouldn't call in and ask what this strange dialog box that said "God is speaking to you" meant... Imagine how many people didn't know they had it, and just assumed that because their machine decided to reboot for no reason it must be a flaw of Windows (well it is a lot:)... The B.O. was definitely no child's play joke, and it definitely spread a LOT.. tsk tsk M$

    2. Re:Ummm - some stats please? by Anonymous Coward · · Score: 0

      This person should take NMAP and do a quick scan...he'd be surprised how many BO clients are installed on given networks.

      It's almost funny to watch these security 'experts' just 'dismiss' things as being a non-issue. If I don't see it, then it must not exist! Brilliant!

    3. Re:Ummm - some stats please? by Anonymous Coward · · Score: 0

      I worked at a large up-and-coming ISP, and would estimate that 50% of our security incidents had BO associated with them ... the other half were smurf attacks, and many of those smurfs were being unleashed from BO-"enabled" clients.

      From an ISP perspective, Graham Cluley is clueless.

    4. Re:Ummm - some stats please? by J4 · · Score: 1

      heheheh Cluely has BO....Cluly heheheh

    5. Re:Ummm - some stats please? by zosima · · Score: 1

      I work for a University as a dorm network consultant, and one thing I can tell you is the original BO is still alive and well. (For the end-users, obviously.)

  8. Microsoft ALWAYS does this. by Anonymous Coward · · Score: 0

    All the self-proclaimed experts at ZDNET are always trying to show how secure NT is, and how Microsoft always responds to problems. Pure bullshit.

    Whenever a security flaw or bug has been found in Windows, Microsoft has ALWAYS downplayed or outright denied it. ActiveX was shown to be a huge security hole, and Microsoft responded with FUD, lies and bullshit. The SMB password block was sliced and diced with ease and Microsoft responded with silence.

    But hey, the ZDNetters will just cover the bullshit with whipped cream and Windows fanatics will continue to gush about how Bill Gates is so 'brilliant'.

    1. Re:Microsoft ALWAYS does this. by Anonymous Coward · · Score: 1

      Most of the 'fanatics' in the computer operating system sphere are people ranting about smaller players like Linux. Most Windows users and advocates are just people getting things done, living their life, and trying to keep 'fanatics' from lunging at their computers.

      I don't know of anybody who attributes the success of Microsoft to the 'brilliance' of Bill Gates or any one individual within that company. They know what they're doing and how to meet the needs of a market, but the only 'gushing' I see happening occurs any time Linus Torvalds walks onto a stage.

      It's noteworthy that Linus, equally as much as the founders of Microsoft, happened to be at the right place at the right time. And also came up with nothing particularly new.

      I use Linux, OS/2, Solaris, Windows 95, Windows 98, Windows NT, Windows 2000, the BeOS, and even a little Atari ST in my daily computing life. All have merits and weaknesses. I've grown away from a tendency toward fanaticism. It doesn't reflect well on anybody to be obsessed.

    2. Re:Microsoft ALWAYS does this. by mikfer · · Score: 1

      You mean there's *another* person out there who believes that computers are tools and does not scream the mantra "...but it's the technology for the sake of technology that matters"?

      Thanks. Glad to see I'm not alone.

    3. Re:Microsoft ALWAYS does this. by Felius · · Score: 1

      I use Linux, OS/2, Solaris, Windows 95, Windows 98, Windows NT, Windows 2000, the BeOS, and even a little Atari ST in my daily computing life. All have merits and weaknesses. I've grown away from a tendency toward fanaticism. It doesn't reflect well on anybody to be obsessed.

      Aahhhh.. A soulmate. :)

      Really guys, the level of fanaticism indulged in by a very vocal portion of fooOS users looks nutty and immature from the inside - Imagine how it looks to the people you're trying to convert.

      If you can't understand what someone sees as the good points of their favourite OS (and they all have them or they wouldn't exist), then you'll have a hard time convincing them of any of the bad points.

      F.


      --
      make clean; make love --without-war
      --
      ..and I'll form the head!!

  9. More media distortion by Anonymous Coward · · Score: 0

    Yay, another sad attempt to discredit cDc while making a big deal out of BO2K in the same breath. cDc's CDs were NOT infected with CIH, what happened was that some smart guy took his CD and decided to burn copies at DEFCON, and HE was infected with CIH. Perhaps if the media actually tried to get their facts right and stopped editorializing their supposedly objective news, I'd start taking them seriously.

    1. Re:More media distortion by Anonymous Coward · · Score: 0

      No, you'd never take them seriously. They don't have a total obsession with the subject which leads them to dig in as deeply as you do regarding the subject.

      However, they didn't publish this news item for your benefit, so whatever....

    2. Re:More media distortion by ToiletDuk · · Score: 1

      Actually, I got a CD from cDc that had CIH on it.

    3. Re:More media distortion by Obscure+Images · · Score: 1

      I'm sorry to say, fool, that I was there handing out CDs, our official CDs, and there were no virus infected files on it. I scanned it on my own machine, installed, scanned again, nothing. If you got a legitimate release CD, what did it say on the sleeve and on the disc itself? Each distributed CD was signed and written on by a member of cDc. Tell us who signed your disc and what they wrote.

      I'm not surprised to see ISS running around telling lies about cDc, hell they lie about themselves. They claim not to hire hackers, yet they employ hackers. Christopher Rouland had Loki, an ISS employee, hand deliver a message of "Piss on him" to Tfish for our now famous response to ISS' attempted purchase of a prerelease version of BO2k.

      Liars and cheats can do what they need to do to keep the fear levels high and sell their products, but cDc doesn't play that game. The official cDc distribution of BO2K is exactly what it claims to be: a legitimate remote administration tool. ISS has been sending out misinformation about BO2K since well before its release. I've read claims from ISS stating that BO2K is buggy which was why the release was delayed. That isn't true. They claimed to do intensive analysis of the product and defeated its defenses. That isn't much of a task when you have the fully commented source code sitting right in front of you. It makes it so simple that even ISS' "X-Farce" can hax0r the code.

      The answer is simple. If you would like to use BO2K for its intended purpose and would like a guaranteed virus-free distro, download it only from the source: www.bo2k.com It's as simple as that.

      --
      obscure images/cDc obscure@cultdeadcow.com www.cultdeadcow.com

    4. Re:More media distortion by AtlantaPenguin · · Score: 1

      Sorry to say so, but we have an original CD that was thrown out to the crowd at DEFcon, and it was infected with CIH. (I worked this weekend various BO2K related items @ ISS)

      I really could give a shit about the virus. It does l0pht (these guys are in both cDc and the so-called white knights of hackers) more harm than ISS or anyone else who got an infected CD.

      We may lose a few machines (I doubt), but the credibility of their intention with this "Remote Administration Tool" just went in the trashcan.

      We heard from people who are friends with the Cow that the virus was purposefully put there.

      Don't think there isn't some degree of media distortion from everyone involved. Starting with cDc.

      The point they have proved is that they can easily divert everyone's attention away from the real security issues of Windows NT on a silly trojan.

      It is an exercise in social engineering, or using other security holes to get trojans onto the system.

      And this is released under Open Source. So any hacker group can try and bring the world of Windows to its knees with a new trojan mutation for the next year.

      BO2K has very little to do with Windows security.

      It is very easy to feel smug and comfortable and take pot shots at the cDc/M$/ISS press releases.

      Security is something we all constantly need to be aware of; With the amount of Open Source software that is being developed and released, and the breakneck speed of Red Hat distributions, there are a number of security holes in Linux that could easily be exploited by a "Remote Administration Tool", even though the Unix/Linux model doesn't raise too many eyebrows in regard to security.

    5. Re:More media distortion by Reid+Fleming · · Score: 1

      You're a fucking liar.

    6. Re:More media distortion by Reid+Fleming · · Score: 1

      WE FUCKED UP. Somehow we must have accidentally infected our own Defcon CDs with CIH v1.2 TTIT (Chernobyl). It was not our plan to do this, and frankly it makes us look like idiots. We have received reliable reports from people possessing some of our CDs that they scan positive for the Chernobyl virus. We have gone back to the development and CD burning machinery and none of them test positive for any virus. So we're just totally stumped on this one. Nevertheless, we accept total responsibility for this problem. If you have an infected CD, we suggest that you destroy it or render it unusable in some other way. Then pull down the latest BO2K distribution from http://www.bo2k.com. The online packages appear to be free of viruses. Also, it has been rumored that we INTENTIONALLY infected these CDs for reasons unknown. This is a lie. The whole thing is a fucking mystery to us; we don't know how the virus got onto our CDs. Obviously it's our fault, but we didn't intend to hand out infected CDs with our personal signatures scrawled across them in Sharpie marker. Sorry for infecting anybody with the Defcon binaries. Time to clean your systems NOW. P.S. Also, I am personally sorry for calling somebody a "fucking liar"; I took strong offense at the allegation that we had INTENTIONALLY placed Chernobyl on the CDs.

  10. Re:The BO2K Debacle & The Truth by Anonymous Coward · · Score: 0

    You're overlooking how it manages to call a thread from another process and tunnel into it to hide itself. That's a serious problem all by itself. Please go back and do some research next time before you open your mouth.

  11. Re:telnet by Anonymous Coward · · Score: 0

    Windows 2000/NT5 will come with a telnet server out of the box on all versions. Lots of neat WSH scripts too (someone told me a leaked internal build has a version of vi with it)

    It's not anything new of course but a step in the right direction

  12. What this really means. by Anonymous Coward · · Score: 0

    What this whole debacle shows is that the so-called security experts have disabled a trojan horse, instead of pushing to have the bugs and holes the trojan EXPLOITS fixed.

    Interesting philosophy. It ensures that the 'antivirus community' and other self-proclaimed experts will continue to have a cash flow.

    I thought the whole point of Back Orifice was to showcase the insecurities in Windows, and to hopefully get Microsoft to address them. Disabling the trojan and NOT addressing the security problems is akin to sweeping the whole thing under the rug. Or, it's like addressing the hole in the side of the boat with a bucket. Patch the hole, you have no NEED for the bucket (but that would mean no more 'antivirus community').

    --an anonymous Frobozz

    1. Re:What this really means. by Anonymous Coward · · Score: 0

      "I thought the whole point of Back Orifice was to showcase the insecurities in Windows, and to hopefully get Microsoft to address them."

      Get them to address insecurities? That is hardly the goal. The goal is for these clowns to get themselves as much press as possible by completely overselling something that is really quite simplistic (the fact that the media is giving these guys press is RIDICULOUS), and to garner some friends in the psycho anti-Microsoft movement. It has NOTHING to do with trying to increase security in MS Products, as the fundamental principles they are "exploiting" hold true of any operating system that is network capable.

    2. Re:What this really means. by William+Wallace · · Score: 1

      "instead of pushing to have the bugs and holes the trojan EXPLOITS fixed."

      The only bugs and flaws trojan horses exploit are human. What does cDc expect Microsoft to do to prevent something like BO2K? Close off all network connections?

      -WW

      --
      Why are there so many Unix-using Star Trek fans?
      When was the last time Picard said, "Computer, bring

  13. Re:Security? by Anonymous Coward · · Score: 0

    Instead of killing, how about getting off your ass and looking around. There have been plenty of telnetd programs for NT around for years.

  14. It's "practical" to take machines off-line? by Anonymous Coward · · Score: 0

    Yeah, right, let's give up on networking entirely. Not only that, turn off the computer, disconnect its power supply, and lock it in a bank vault.

    Saying things like "taking computers off the network is the only reliable way to make them secure" is just refusing to address the issue.

    1. Re:It's "practical" to take machines off-line? by Anonymous Coward · · Score: 1

      I think what he probably meant was that taking the machine off-line (and locking it in a vault without a keyboard, mouse, or monitor) is the only way to guarantee that a machine is secure :o)

      Of course this makes said machine singularly useless...

  15. BO2K by Anonymous Coward · · Score: 0

    I'm unimpressed by the whole issue. This program is more like PC Anywhere than a virus. If someone gets infected with this stuff it's most likely because the end user is naive, not because their NT software sucks. God knows there's plenty of holes in MS's work...this isn't one of them.

  16. Re:Security? by Anonymous Coward · · Score: 0

    Telnet servers have been available forever for NT (as is just about every other UNIX type tool). Indeed Windows 2000 Server includes a secure telnet server and Terminal Server.

  17. Re:Trojan horses are hard to protect against by Anonymous Coward · · Score: 0

    Check out www.thirdpig.com. They have a version of linux with security granted to processes running instead of users.

  18. Re:The problem is more severe in Windows by Anonymous Coward · · Score: 0

    "On the other hand, with NT, as soon as any user runs the trojan, the machine is wide open with full administrator rights for the cracker."

    Is this anti-Microsoft "FUD"? I've yet to see anywhere that this product achieves a higher security than the installing user, and if it did it would be an OS hole and would be patched pronto.

  19. Re:Security? by Anonymous Coward · · Score: 0

    You can get telnet for NT. And a bash or csh prompt as well. Just purchase and bolt on the third party POSIX API called Interix. For awhile I was leaving an NT box at home connected to the 'net through my Earthlink home account, and using Telnet and FTP to access it from work. Interix also comes with GCC, and if you buy the expensive version, the Exceed X server, an X11 implementation, and Motif. I've run X apps on my NT box from an X desktop on my Linux box.

  20. Re:what's the fscking deal? by Anonymous Coward · · Score: 0

    Unless the NT user is running 'that shell script' with Administrator access, it wouldn't happen. (lots of people run NT every day with Administrator access)

  21. Re:what's the fscking deal? by Anonymous Coward · · Score: 0

    You're supposed to be the hacker. You tell us.

  22. Re:The problem is more severe in Windows by Anonymous Coward · · Score: 0

    In NT the cracker only gets the access of the user who ran the trojan. It's possible to run NT at a non-administrator level. Sadly, many users aren't aware of that.

    What Back Orifice is really accomplishing is that the IS people at many companies are getting a clue now and locking down their NT workstations. An unfortunate here at my place of work who runs NT can't even install a Quicktime player now, because he doesn't have Administrator access to the machine on his desk. Thanks, BackOffice authors, you're making the world a friendlier place.

  23. BO2K is not a big deal by Anonymous Coward · · Score: 0

    BO2K does some interesting things which compromise the security of the machine, but as the article very rightly points out, it depends on a user (un)knowingly running the program on the target machine. And as several other people have pointed out already, one could make a similar program for a UNIX box. So what is the cDc asking Microsoft to fix? Dumbass users? If they created a remote security exploit, that would be far more intriguing.

    1. Re:BO2K is not a big deal by Anonymous Coward · · Score: 0

      and within 24 hours of something like BO being released for Linux there would be a patch/detection/fix released

      I saw this was released on January 26, 1998 and still no magical "fix" released. That is even worse than BO because it hides itself from detection. *BSD has a little more protection because when the system security level is raised, modules can't be loaded. Once someone has root/administrator on your system (NT, Linux, or any of the better systems :) ), it is time for a re-install. Or maybe you can believe that module really isn't a big threat because you didn't see it on CNN or slashdot.

      Sending a secretary an electronic greeting card will get BO installed on most networks

      Anyone who clicks on an attachment is vulnerable to this. Pine has an interesting feature where messages can download and execute code, without the user's permission! A patch was released several months ago and was at least applied to the redhat rpm so most people should be ok... for now. It isn't a buffer overflow either but rather stupid programming.

      It is the, dumbass users as you call them, that make up the majority of the computer market

      Exactly. And as linux becomes more popular, these users will make up a higher percentage of Linux users. What's going to prevent these users from running every single attachment that they do now? Oh, maybe because the Linux system is sooo secure, there will be a message that pops up and says this attachment may do bad things and it shouldn't be run unless they trust the sender...

      BO2k can easily take over Win9x boxes. The only defense against it are virus checkers (the core logic won't change that much even with the source) or doing the best thing and telling users not to run attachments. NT however is in exactly the same boat as Linux. BO2k can't do a thing to the system unless it is running as administrator (or a user with admin rights) just like that linux kernel mod. can't do a thing unless it is loaded as root.

    2. Re:BO2K is not a big deal by Drew+M. · · Score: 1

      And as several other people have pointed out already, one could make a similar program for a UNIX box.

      It's already been done, I got a few of them running on my system right now. In the computing world they are known by these names:

      in.telnetd
      sshd

      A cracker could very easily set up a telnet server, or a ssh server on a machine he just cracked, but the machine would probably be running one already :P

    3. Re:BO2K is not a big deal by flesh99 · · Score: 1

      I can't believe you actually think that most users don't have admin rights under NT, wake up and smell the FUD, NT admins are at best lazy. I am trying to get the policy changed at work to where users don't have admin rights when logged in normally. I work for one of the largest companies in the world, and they pay out the ass for these so called admins, you know the ones who decided to give all users admin rights with their normal login so their jobs would be easier.

      Not having taken the time to read the entire link you posted, it states it affects 2.0.x kernels, easy fix upgrade the kernel, end of story. You don't even realize what NT is like in a production environment. However I can't think of a way to allow a user to do a simple thing like install software on their workstation without giving them admin access, on our Linux boxes the user d/ls the software and then calls us, we remotely install it for them in a matter of a few minutes usually. No end user has root access to their workstation because we were smarter than that when we wrote the standard, it's still in test phase but it is working very well.

      I can see a plugin that attaches itself to a commonly used file once the end user runs the infected file, so that it is almost sure to be run by the NT admin. Bang, infected with admin access. NT is full of holes, not all of them are security but those are the ones we can try to get MS to fix.

      BO2K has helped us convince upper management to fast-track Linux standards at work, and that is a good thing. But to say that Linux doesn't have holes is FUD, they are just easier to keep plugged. I would get my head out of MS's ass if I were you and wake up and see the threat that is here. Denying a threat exists only propagates the problem, and people like you are the reason MS keeps releasing crap, because you believe they can do no wrong. Read the whole thread, Linux users/admins have no problem discussing security flaws in Linux, and how to fix them, MS users/admins shove their heads in the sand and ignore the problem. MS shall perish because the world will get tired of being force-fed their crap.

      --

    4. Re:BO2K is not a big deal by flesh99 · · Score: 3

      One could not write a program that would do what BO does on every Linux box it was run on, it would have to run as root. Only newbies are logged in as root all the time, and within 24 hours of something like BO being released for Linux there would be a patch/detection/fix released and sysadmins would know to use it. NT admins do not tend to have the level of security awareness the *nix admins do. Sending a secretary a electronic greeting card will get BO installed on most networks. After that she forwards the file to a few of her friends and guess what, security comprimised. It might be a little harder to get upper management to run a program but I doubt it.

      I know your solution is to install a detector on every machine, but this is open source, it will mutate beyond detection very quickly. MS downplayed the initial release of BO, and the cDc responded with this release, maybe the unwashed masses will finally see that MS products are full of security holes, don't even get me started on VBA. It is the, dumbass users as you call them, that make up the majority of the computer market, what makes you think you are so much better than they are. Frankly your comment about that disgusts me, I suppose you have never gotten a virus. I am an admin, but I don't feel that I am high and mighty compared to my users, get real, without users I wouldn't ahve a job.

      I cannot agree with the tactics used to prove MS's security flaws, but at least someone is pointing them out, and they are using a big red pointer to do it. If NT security was not screwed to begin with then this problem wouldn't exist. There is a reason that there are not many programs like this and viruses for Linux, it is very hard to do. There are plenty of cracking tools, but most sysadmins know what to watch for. I'll bet at least 50% of the NT admins out there have believed MS's FUD about this and are telling their users there is no problem. So no, the cDc is not asking MS to fix the users, how about fixing the things that allow this program to do this to begin with. I am going to lower myself to your level now and say this, it's people like you that allow MS to continue to produce buggy software with Swiss-cheese-like security holes. (I was going to call you something insulting, but I decided that I couldn't bear to lower myself all the way to your level) Have a nice day.

      --

    5. Re:BO2K is not a big deal by DaveKempe · · Score: 1

      So what is the cDc asking Microsoft to fix? Dumbass users?
      Plenty of them around! - No reason not to help out I s'pose.

  24. Re:Childs Play by Anonymous Coward · · Score: 0

    It says that youths can hack together trojans, and that if they can get inexperienced users to run them, they can gain illegal access to computer systems.

  25. Re:Just wondering... by Anonymous Coward · · Score: 0

    Can minors sue anybody?

    I can see all the virus writers surfacing all over the place to claim ownership of their little critters, in order to sue their victims. Not.

    It would be fun to witness, though.

  26. Re:So the original is cracked. BFD. by Anonymous Coward · · Score: 0

    That is probably EXACTLY what the company wants to do. When you take away the profit motive, you lose your BEST ally for controlling and manipulating people. The next best idea is to play on people's egos and emotions.

  27. Re:An actual quote from MS's PR machine: by Anonymous Coward · · Score: 0

    One way you could interpret this statement is that it is in the interest of Microsoft's customers for Microsoft to protect the integrity of their technology.

    Bet you never thought of that possibility.

  28. Re:Quite funny stuff, actually.. by Anonymous Coward · · Score: 0

    I know a 30 year old who contributed to the cDc
    when he was in high school in Lubbock. See 'Scarfing' article in cDc archives.

    'Course it's silly, but he's still a hacker and
    now on to much bigger projects than scarfing!

    -kabloie

  29. this may be an accomplishment! by Anonymous Coward · · Score: 0

    i dunno, ISS may have accomplished something major here. However, we must ask the question: How well does cDc comment their source code?

    While I have not yet seen the source code myself, and thus have no way of knowing for sure, if it is badly commented then ISS may have had to have experts spend upward of twenty minutes looking at the source code to figure out what it will do when compiled!

    So stop laughing

    1. Re:this may be an accomplishment! by johnnyw · · Score: 1

      Any decent programmer need not read comments. Come to think of it, any decent programmer need not any source code at all. Anyone who has read bugtraq has seen Dr. Mudge's uncanny ability to second-guess developers' programming decisions and reconstruct one or two likely code fragments that would result in the particular vulnerability in question.
      Dr. Mudge, BTW, is a cDc member and decidedly NOT a teenager with "nothing better to do".

      Getting back on topic. A Coward here seems to be missing the point. The point is not how well BO is written, what the source is doing, and whether or not some "expert" can read a code listing. The issue that ISS is pressing is that BO2k can be detected with their flagship IDS product. In "reverse engineering" bo2k, ISS can now see its traffic on a network and alert the ISO, staff, or whoever runs their software that it is present.
      Keep in mind that ISS is in the business of selling software and keeping customers. These press releases are more marketing hype than hard technical accomplishments. Otherwise ISS would be patting the hacker community on the back rather than denying its roots and berating the people that gave them their technology, initial support, and reason for existence.

      I apologize for bringing mudge up (sorry> :)).... He is a true prodigy. He is another Erdos, only this time human :). When asked to describe what the quintessential programmer is.... I can only think of him

      thank you for your time
      -jcw

  30. Get these guys to write a real article! by Anonymous Coward · · Score: 0


    I say we email as many writers as possible to get them to do some research on how pervasive BO really is.

    It's a giant undisclosed secret about how many BO servers there are out there.

    Call up some ISPs, get some numbers and then publish it. Win yourself a journalism award!

  31. The _Real_ Hack by Anonymous Coward · · Score: 0

    BO2K is largely a non-issue (well, until people start installing it on random web servers as a payload for IIS buffer overflows, but since Microsoft products are so secure and all NT web servers have up-to-date service packs and patches, that's impossible, right? Right?)

    The real hack is that cDc managed to get practically everyone in security and tech media as worked up about it as they did through what's essentially a product announcement. That they did it with no advertising budget is even more impressive. Heck, anyone who can get a major media to put out a serious story about something called 'back orifice' is doing well in my books.

    It's funny, but I almost suspect that the whole thing was a big plot to generate more beer money by having more media folk show up at Defcon...

    c. [cpb -at- acm =dot= org]

    1. Re:The _Real_ Hack by Anonymous Coward · · Score: 0

      Exactly. They are almost on par with Joey Skaggs. Read the one about "A Cathouse for Dogs".

    2. Re:The _Real_ Hack by DaveKempe · · Score: 1

      I'm starting to think the whole BO thing and the CDC are some sort of post-modern hacking job. They create a program, or throw a spanner in the works and sit back and laugh while all the PR types and anyone else with a vested interest in the works run around making a big fuss. It is pretty funny to see the big jokes that can be made at the expense of the big shots and media types. Many an artist would kill for the kind of publicity they are getting, and the point made in one way can be seen to be art - well depending on your point of view of course :-P
      I'm thinking that it is some sort of big joke that different people take seriously in different degrees - if I was the artist I would just sit back and laugh.
      Of course there are serious issues.. but I can see some laughs coming from the creators with most of this hype.

    3. Re:The _Real_ Hack by Reid+Fleming · · Score: 1
      It's funny, but I almost suspect that the whole thing was a big plot to generate more beer money by having more media folk show up at Defcon...

      Thanks for the kind words. However, in all fairness, we should point out that the media who partook of the cDc's alcohol drank free of charge.

  32. Re:what's the fscking deal? by Anonymous Coward · · Score: 0

    That's just the first 1024 (or some number around there) ports. Anything above that can be opened by a user.

  33. get an education about NT before talking... by Anonymous Coward · · Score: 0

    that was the most FUD-filled drivel I've seen in years. you've got a quarter tank of knowledge and an overflow of arrogance making statements like that.

    in many respects, NT's security architecture (ACLs on everything, non-root daemons, no setUID, etc.) is STRONGER than Linux.

    NT is a memory protected OS....

    1. Re:get an education about NT before talking... by Anonymous Coward · · Score: 0

      Just because you're "a stupid 20 year old college kid with a linux box and an internship at a huge corporation doing sysadmin work." doesn't mean you're full of expert knowledge about NT.

      I work for an international internet network provider. Does that mean I know all about routing? No, because I could work in the finance dept.

      Get your credentials straight before you go around trying to brag...

    2. Re:get an education about NT before talking... by Anonymous Coward · · Score: 0

      > Just because you're "a stupid 20 year old
      > college kid with a linux box and an internship
      > at a huge corporation doing sysadmin work."
      > doesn't mean you're full of expert knowledge
      > about NT.

      It's called s-a-r-c-a-s-m, which DOESN'T require an expert knowledge in language, only a sense of humour.

      > Get your credentials straight before you go
      > around trying to brag...

      Like you talking about your large international ISP? Pluuueeeezeee.... better get your own act together first before you pop off and PWT (Post without Thinking)

    3. Re:get an education about NT before talking... by Anonymous Coward · · Score: 0

      A security paper released by Bruce Schneier of Counterpane Systems, and Mudge, from L0pht Heavy Industries covers the new version of Microsoft PPTP. The paper says that while the VPN product, that ships free with NT, is better than a previous version it still has serious problems.

    4. Re:get an education about NT before talking... by Drew+M. · · Score: 1

      In many respects, NT's security architecture (ACLs on everything, non-root daemons, no setUID, etc.) is STRONGER than Linux.
      If you are truly correct about the "non-root daemons" then the >3000 character IIS buffer overflow that eEye found would not be possible. IIS runs with system level access, which is "root" on an NT box. That is how someone can obtain a "system level" command shell by using this exploit. I think someone else needs to "get an education about NT before talking..."
      But what would I know anyway, I'm just a stupid 20 year old college kid with a linux box and an internship at a huge corporation doing sysadmin work.

    5. Re:get an education about NT before talking... by Drew+M. · · Score: 1

      There is still the eeye hard info. IIS would not be able to grant a "system" command prompt to a script kiddie without itself running as a "system" level service, or am I wrong? Either way, IIS has the ability to overflow into memory areas that have system level access on a machine, therefore granting a script kiddie a "system" shell on an NT box. You forgot to give me an explanation as to how this is possible.... I would sure love to know. Educate me.

      And for your info, I can lock down any box and build firewalls with the best of them.

    6. Re:get an education about NT before talking... by Noke · · Score: 1

      Beethoven, with Interix in NT4 I can have the same 'window' logged in as any user I want. I think there is even a utility in the NT4 resource kit which allows you to 'su' to another user without having to log off. I don't know this for certain, and unlike the majority of others here, I don't like to comment on things which I don't know what I'm talking about.
      Furthermore, Windows 2000 (I'm running release-candidate 1 on my windows box as we speak) allows you to run any (from what I can see) application as whatever user you want (assuming you have the access and password that is).

    7. Re:get an education about NT before talking... by Beethoven · · Score: 1

      NT is memory protected, agreed. But I am talking about typical use.

      User: Help! It says I need administrator privilege to install foo/uninstall foo/do something useful.

      Admin: Hmm, that's funny. You're supposed to be able to do that.

      User: But I can't! Come and look at it.

      (user repeats steps with admin watching)

      Admin: Well, I guess I'll give you administrator rights to your own machine...

    8. Re:get an education about NT before talking... by Beethoven · · Score: 1
      Note that if Linux ever starts getting used on the desktop, I wouldn't be surprised to see people give the users root authority too.

      True, but at least in Linux you can have a root window open for the occasional admin task and do the rest of your work as non-root. NT required you to "log off and log back in as another user" last time I checked. The quick workaround is, of course, to stay logged in as admin.

    9. Re:get an education about NT before talking... by IntlHarvester · · Score: 2


      The MS resource kit SU works fine (although only for command lines, as far as I can tell).

      However, MS SU is not part of the OS, and requires installing it as a service. So the average NT workstation probably will never have this capacity, unless MS gets a clue and bundles it with Win2000.

      --

      Business. Numbers. Money. People. Computer World.

    10. Re:get an education about NT before talking... by IntlHarvester · · Score: 3

      This isn't a flaw in NT, it's a flaw in the NT admin.

      True, sadly, most NT Workstations seem to be set up with local administrative authority for the users.

      I don't know if this is done to make the transition from Win9x easier, or to just reduce the workload of technicians, or because admins don't consider desktop security that important (after all, you could just steal the hard drive!) -- but in any case, it's a pretty stupid approach. Hopefully BO will get people to rethink this.

      Note that if Linux ever starts getting used on the desktop, I wouldn't be surprised to see people give the users root authority too.

      --

      Business. Numbers. Money. People. Computer World.

    11. Re:get an education about NT before talking... by maphew · · Score: 1

      >True, sadly, most NT Workstations seem to be
      >set up with local administrative authority
      >for the users.


      In our shop, the main reason for user as local administrator is because there is no super-user command and no multiple virtual consoles. It's a major pain in the ass to have to log off and close all open programs and documents in order to effect some minor tweak or configuration change.

      -matt

    12. Re:get an education about NT before talking... by Sancho · · Score: 1

      User: Help! It says I need administrator privilege to install foo/uninstall foo/do something useful.

      Admin: Hmm, that's funny. You're supposed to be able to do that.

      User: But I can't! Come and look at it.

      (user repeats steps with admin watching)

      Admin: Well, I guess I'll give you administrator rights to your own machine...



      This isn't a flaw in NT, it's a flaw in the NT admin.

    13. Re:get an education about NT before talking... by austad · · Score: 1

      How? Tell me how NT's security model is stronger than a Unix security model.

      --
      Need Free Juniper/NetScreen Support? JuniperForum
    14. Re:get an education about NT before talking... by Keeper · · Score: 1

      The MS su.exe can run interactive software as well, though it does need to be started from the command line.

  34. ...except in corp environments... by Anonymous Coward · · Score: 0

    where standard procedure is to run it in your corp user account...

  35. Re:what's the fscking deal? by Anonymous Coward · · Score: 0

    You do not need to run daemons via inetd.

    Anyways, this isn't the point of the conversation! The point is not to discuss the technical issues of a similar utility but to discuss the fact it can be done at all and if such a utility constitutes the title "security hole."

    I vote no.

  36. Re:"Decode" a GPL program? by Anonymous Coward · · Score: 0

    What point - that if some idiot runs an unknown program on his NT machine it could be dangerous? Wow - revolutionary.

    How many idiots out there still use 'xhost' based X authentication? Yeah - Unix is and has been a paragon of security these last 25+ years (I'm being as sarcastic as possible).

  37. Re:Just wondering... by Anonymous Coward · · Score: 0

    I'm sure there will be a clause or two to allow for the reverse engineering of 'harmful' software. The question is, isn't MS software synonymous with harmful? Heh, they're all hypocrites I tell you...

  38. Computers as tools... by Anonymous Coward · · Score: 0

    In short, maybe for you...but, I see it as a LOT more than "just a tool"

  39. Re: NT more secure by Anonymous Coward · · Score: 0

    Hmmm. What about the C2 security rating? There are real Un*x systems with this rating. Only a company like Mindcrap can claim to do this with NT, and the witnesses must consume LSD.

    And that LANMAN backwards compat. is a real NT security feature, too. (for the impaired, this is sarcasm)

    http://www.attrition.org/gallery/other/mugshots/ bgates.jpg

  40. Cannot even download IE under NT!!!!! by Anonymous Coward · · Score: 0

    Here at the local community college the computer lab is populated by 50% PCs and 50% Macs. The PCs used to run 95 but h4x0rz kept messing 'em up. So now they run NT workstation. So I wanted to take advantage of the school's fast net connection and zip drives on every machine to download IE with everything (150MB). Go to MS site. Download, not IE, but a 500K app that downloads IE (and uploads God knows what about your PC to MS). Tried to run app. No go. Some shit about 'illegal access' or 'not enough rights' or whatever the fuck the error was I don't care (how is typing on a keyboard 'illegal'? Is US and local law codified into OSes now?). Went to a mac, EZ download. No problems. I suppose this is MS's fault on their IE download site. But why does MS need superuser rights on people's machines just to download IE, and there's no other way to get IE from MS without running their app. What's up with that? When making machines secure makes them useless for real work, your security is fucked up. However, other students doing ordinary things have also run up against NT stubbornness and the security is preventing work from getting done. Guess what? The school is getting ready to toss NT out into the dumpster. Way to go MS.

    1. Re:Cannot even download IE under NT!!!!! by Anonymous Coward · · Score: 0

      What! You're complaining about too much security? You wanna install BO while you're at it? Did you miss the whole point of this thread? Has it occurred to you that the admins are actually doing their job properly there.

    2. Re:Cannot even download IE under NT!!!!! by Black+Parrot · · Score: 1

      > You wanna install BO while you're at it?

      No, if he'd wanted that he would have used the eeye method and installed it himself.

      --
      Sheesh, evil *and* a jerk. -- Jade
  41. How about this??? by Anonymous Coward · · Score: 0

    Modify the PATH= in the .bashrc to put ~/bin as the first directory and drop a wrapper for su in their bin directory. Instant root access. The moral of the story: don't run code you don't trust. You are an idiot to think your operating system can protect you from stupidity.
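
An added example, not code from the thread: a POSIX shell audit for the precondition behind the ~/bin trick above (a user-writable directory that the shell searches before the system directories), plus a lookup that reports which directory a command such as su would actually resolve from. The SYSTEM_DIRS list is an assumption of this example, and the directories used in the usage lines are whatever the live environment has.

```sh
#!/bin/sh
# Added example (not from the thread): detect a PATH that lets a user-writable
# directory shadow system commands such as su. SYSTEM_DIRS is an assumption.

SYSTEM_DIRS="/bin /usr/bin /sbin /usr/sbin /usr/local/bin /usr/local/sbin"

# is_system_dir DIR: returns 0 if DIR is one of the trusted system directories.
is_system_dir() {
    for s in $SYSTEM_DIRS; do
        [ "$1" = "$s" ] && return 0
    done
    return 1
}

# audit_path PATH_VALUE
# Walks PATH_VALUE entry by entry (an empty entry means the current directory).
# Prints a warning for every writable, non-system directory that is searched
# before the first system directory and returns 1 if any exist; else returns 0.
audit_path() {
    rest="$1:"
    seen_system=0
    bad=0
    while [ -n "$rest" ]; do
        dir=${rest%%:*}
        rest=${rest#*:}
        [ -z "$dir" ] && dir=.
        if is_system_dir "$dir"; then
            seen_system=1
            continue
        fi
        if [ "$seen_system" -eq 0 ] && [ -w "$dir" ]; then
            echo "WARNING: writable directory '$dir' is searched before the system directories"
            bad=1
        fi
    done
    return "$bad"
}

# first_match PATH_VALUE NAME
# Prints the first directory in PATH_VALUE holding an executable called NAME,
# mirroring the shell's own lookup order. Returns 0 if that directory is a
# system directory, 1 if NAME is shadowed by a non-system directory (the
# ~/bin/su case), and 2 if NAME is not found anywhere in PATH_VALUE.
first_match() {
    rest="$1:"
    name=$2
    while [ -n "$rest" ]; do
        dir=${rest%%:*}
        rest=${rest#*:}
        [ -z "$dir" ] && dir=.
        if [ -x "$dir/$name" ] && [ ! -d "$dir/$name" ]; then
            echo "$dir"
            if is_system_dir "$dir"; then return 0; else return 1; fi
        fi
    done
    return 2
}

# Usage: check the live PATH and report where 'su' would be picked up from.
audit_path "$PATH" || echo "PATH lets a writable directory shadow system commands"
first_match "$PATH" su || echo "'su' is shadowed or not found on PATH"
```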

  42. Spelling flame by Anonymous Coward · · Score: 0
    If someone gets infected with this stuff it's most likely because the end user is nieve

    Elvis Costello's keyboard player uses NT? :-)

  43. Re:what's the fscking deal? by Anonymous Coward · · Score: 0

    Or just have the program not only be a telnet daemon but also watch the keyboard buffer scanning for 'su' until it finds the password... then store it accessible to the user account that telnet is running from.

    It's really not too hard to subvert any OS if you've got the user's help.

    hitchhiker

  44. Re:Can you say Service Pack? by Anonymous Coward · · Score: 0

    What exactly would this service pack do? Not allow programs to listen on incoming ports? Disable them from running in the background? How about issue advisories against Laplink and PC Anywhere while they are at it.

    And if you don't believe there are any trojans for linux, I've got a program I'd like you to run...

  45. crack by Anonymous Coward · · Score: 0

    Righto. Packets with a 4 byte length followed by that length of data are tagged BO2K. The Xor encryption is apparently sent such that the key is easy to pick too. Src mods will make that moot...

  46. Re:Quite funny stuff, actually.. by Anonymous Coward · · Score: 0

    And you're what.. 16 years old?

    Wake up and smell the coffee, friend. The cDc is a lot more savvy than you imagine, since you .. and most others.. seem to think they are 14 years old or so. ;)

    Go to defcon. Meet 'em. Then talk about them. You might be surprised to find out that they are being silly on purpose. :-) And that they likely don't actually release the really nasty stuff.

  47. Same for NT by Anonymous Coward · · Score: 0

    Unless the linux user is running that shell script as root, it wouldn't happen.

    Unless the NT user is running the back orifice installer as Administrator, it wouldn't happen.

    Understand the point now? There's no security hole in NT here.

  48. Wrong by Anonymous Coward · · Score: 0

    Back Orifice exposes no security holes in NT. It relies on "social engineering" to infect a machine - that is, to get a naive user to run an untrustworthy executable. Any general purpose OS is vulnerable to this sort of exploit, including all Unix variants.

    The whole point of Back Orifice is to give its creators publicity. And it looks like we're all falling for it.

  49. Re:Fixing Quake by Anonymous Coward · · Score: 0

    setuid Quake has numerous problems. I don't know if they have all been addressed but do not make anything from idsoftware setuid without restricting access to only a trusted group of users (like the other poster said). Search through the Bugtraq archives on securityfocus.com and you will find several problems with Quake. Basically, any user could read any file on the system or execute code as root.

  50. Huh? Can't you read? by Anonymous Coward · · Score: 0

    Sorry, but I see nothing at all wrong with this quote. The "flaw" Back Orifice uses is to get the naive user to run untrusted code. There's nothing Microsoft can do to fix this. They're saying that if there was a bug or security hole here that they could fix, they would fix it. But there's no bug here. This same exploit would work against Linux or any other Unix.

  51. Re:Can you say Service Pack? by Anonymous Coward · · Score: 0

    If (when) a program like BO2K becomes available affecting linux, how quickly would the code be edited to stop such a thing, Trojan Horse or not? Very quickly, I say!

    Sorry, but linux has no magical defense against trojan horses. No operating system that lets users run arbitrary programs does (Hint: that's every general purpose OS in the world today).

    Oh, and if MS is "too busy with its head shoved up its rear end to notice" then how come they noticed this thing and commented on it? I think it's someone else who has misplaced their head.

  52. SWOOSH! by Anonymous Coward · · Score: 0

    Since you seem to have totally missed the above AC's point, let me translate.

    ISS pointed out some holes in BO2K which make it easy to detect. Since BO2K is open source, it is easy to fix those holes. ISS just made BO2K stronger.

    I love open source.

  53. Re:Facts from the con by Anonymous Coward · · Score: 0

    You can start a thread of another program from your program, stick your program into it

    Yeah, because on Unix it's absolutely impossible to modify argv[] to mess with the process table.... hehe. For anyone who doesn't believe me, watch all those sendmail processes on a busy mail server.

    That speech is pretty funny too. The best thing about all this publicity is it will make the job of a legitimate hacker (not as in justified, but as in corporate espionage or an ex-employee bent on vengeance) that much harder because now everyone will know not to open attachments, virus scanners will be updated, etc...

  54. Re:Can you say Service Pack? by Anonymous Coward · · Score: 0

    What exactly would this service pack do?

    How about:

    Allowing the equivalent of "su" so users aren't always logged in as admin.

    Throwing out the ineffectual user based security model in favor of an application based security model with certificates for new applications from trusted vendors, and a sandbox model for applications from unknown vendors.

    Nah, just ignoring the problem is better. Besides, I like the look inside my box -- why would I need to look out side of it?

  55. He's rewriting the story! by Anonymous Coward · · Score: 0

    Contributors to a discussion on the Slashdot Weblog pointed out that the code had been made simple to analyse anyway as it was "open source" and the hackers had made their point.

    NO NO NO! He's not understanding the facts! AHHH!

  56. Re:The BO2K Debacle & The Truth by Anonymous Coward · · Score: 0

    Um, maybe you better read up on argv[] modification under Unix. Also, any program running as root under Unix has full read/write access to any process. *BSD is slightly more secure because of system security levels but you are grasping for straws trying to claim that having full unrestricted access on Linux is somehow less dangerous than having full unrestricted access on NT.

  57. The Microsoft Mess in a nutshell(book pending ;p) by Anonymous Coward · · Score: 0

    Memory protection? It steals the memory that an administrator level program uses, and sets itself up as a mean trojan. I know this is going on deaf ears, but seriously, there is
    a) no "fix" to BO unless microsoft fixes the problems
    b) BO isn't just going to die no matter what. There is significant interest in something like this. ergo people will code for it
    c) it's not all a bad thing. I actually wouldn't mind administering a network with it. It's kinda like network administrator for the mac, on crack
    d) Microsoft doesn't "do" security - it wants to be compatible more than it wants to be secure
    e) Microsoft split from the standard OS, unix, and messed up royally. If they did a good job of re-implementing the time tested functionality of UNIX, then I would be fine with them, and pay the user licence fees for NT
    f) The code is a mess. It just feels good to code for UNIX, and somewhat the Mac (although the newer stuff screws it up) because they are clean interfaces. No spaghetti code, thank you.

  58. Re:what's the fscking deal? by Anonymous Coward · · Score: 0

    My understanding was that even if a regular user on the box installed BO2K, the client could use it to gain Administrator access.

    That's different from someone running a malicious program as root.

  59. uber-boff by Anonymous Coward · · Score: 0

    From what I understand, the network traffic can be encrypted and the port numbers are configurable; so, this thing could be set up to behave like https:// and could initiate from the inside net. The IDS (intrusion detection system), application level/layer 4 filtering folks are going to have a field day. Nailing BO2K down is going to be like nailing invisible Jell-O to a titanium wall with styrofoam nails using a 20lb sledgehammer. I'll put my money on Network Flight Recorder to come out with a solution first based upon typical https:// transaction patterns.

  60. Re:"Decode" a GPL program? by Anonymous Coward · · Score: 0

    They have a point? I don't particularly understand the point of Back Orifice getting all this press saying it exploits security holes in Windows...I mean...It's just like getting someone who has root on a unix server to run some dumb program that has a huge backdoor, and that's been done before.

  61. Hidden Settings by Anonymous Coward · · Score: 1

    http://www.ntk.net/doh/options.html

    (Thanks Virulent Memes)

  62. The BO2K Debacle & The Truth by Anonymous Coward · · Score: 2

    BO2K doesn't take advantage of any security holes in NT. It runs as a system service that accepts connections and allows the client to perform a myriad of both benign and unbenign tasks on the host machine. Of course, it has decent legitimate uses for system administrators but it is being presented in a viral fashion from a group whose objective is clearly to pull the wool over the collective eyes of the uneducated computer user and media. If CDC was truly interested in "helping" they would cease this childish, "me too" Microsoft bashing and provide the community with something new and insightful. I'm sure they're having all sorts of little rallies and pep-talks with one another about how they're "showing some control" when they're just showing their own contempt for the rest of us professionals that know better. I am, quite frankly, offended that CDC assumes we're all so naive to believe that they're doing us a favor.

    To get straight to the meat of my post: this (BO2K) is not exposing any security hole. BO2K could be written for *NIX, BeOS, MacOS, etc.

    People seem to generally miss the most important detail of all: the only practical way to truly lock down any OS is to remove it from the network entirely and allow zero points of entry.

  63. The problem is more severe in Windows by ryder · · Score: 1

    In Linux the cracker would only get the access of the user who ran the trojan.

    Sure it's possible that a Linux newbie might log in as root all the time. But what does a linux newbie have to lose anyway? The real threat is in the corporate environment, where the users are not going to be logged in as root ever. And most employees are much less likely to screw around like that on a Unix system at work anyway.

    With Linux, while the threat of a trojan is there, the possible damage is much less severe, because of the limited rights of the user.

    On the other hand, with NT, as soon as any user runs the trojan, the machine is wide open with full administrator rights for the cracker.

    1. Re:The problem is more severe in Windows by BVD · · Score: 1

      There was a discussion awhile ago on NTBugTraq about the \winnt permissions. As per MS instructions only the Admins should be able to write to \winnt and its sub-directories, but because windows apps are made to work on 9x machines as well as NT machines, you cannot do this.

      Although the above poster seems to think that he can have \winnt and its sub-directories read-only; I doubt that he has ever done this. Most apps need write access to the \winnt dir tree in order to work. Office 97 is an example of one such app.

      What this means is that you can have a secure NT machine or you can have a NT machine with Office 97, but you cannot have the \winnt dir-tree read-only and run Office at the same time.
      You can work around this security hole by installing Office 2000, or upgrading to *nix.

    2. Re:The problem is more severe in Windows by Matts · · Score: 2

      Not unless you have Admin rights.

      perl -e 'print scalar reverse q(\)-: ,hacker Perl another Just)'

      --

      Matt. Want XML + Apache + Stylesheets? Get AxKit.
    3. Re:The problem is more severe in Windows by shani · · Score: 1

      So this wouldn't cause any problems in NT?

      C:\>cd \winnt
      C:\WINNT>del *.*

    4. Re:The problem is more severe in Windows by Dictator+For+Life · · Score: 1
      You don't have to reboot; you only have to logout.

      Of course, this is no less inconvenient than a full reboot if you only want to tweak a setting for the sake of some application you're running to see how that app behaves with the change. It's idiotic, really.

      --

      DFL

      Never send a human to do a machine's job.

    5. Re:The problem is more severe in Windows by choo · · Score: 1

      Not if the winnt directory is set to read only for ordinary users, as it should be.

    6. Re:The problem is more severe in Windows by puppet · · Score: 1

      Under NT, the program also runs with the same rights as the user running it. It would not give full access to the system unless the user is logged in as Administrator.

    7. Re:The problem is more severe in Windows by swingerman · · Score: 1

      Ahem...unless the user is also in the Administrators or Domain Admins group. Since Windows has no DECENT su command equivalent, many Administrators put their account in the Administrators and/or Domain Admins groups to make it easier to administer their systems without a reboot.

    8. Re:The problem is more severe in Windows by swingerman · · Score: 1

      DOH! I know you don't have to reboot. I was half-thinking of changing network settings. :) It's still pretty da#n inconvenient to have to log out and log back in, esp. if you want to do things as yourself, too.

  64. Re:Trojan horses are hard to protect against by Anders · · Score: 1

    Yes, okay - I can agree with that.

    My point was that BO does not show Windows NT to be especially bad at security - BO could have been for any platform.

    But we agree, and this has been discussed enough, so I will stop here.
    --

  65. Trojan horses are hard to protect against by Anders · · Score: 3

    BO is a trojan horse. If you can get a user to run an executable, you have him fscked. If I send someone a Linux executable which modifies his login script to start a telnet server (modified to not require a login, of course) on some non-standard (>1024) port, he has his account wide open. Anything he can do, you can log in and do as well. Is this a security flaw of Linux?

    You cannot prevent users from doing such things, under any OS. As such I think Microsoft is right that this is not really a security problem in Windows.

    Now, I do not know if BO gives administrator rights to the invader. If it does, then *that* would be a security problem. But letting people install programs is not.

    Of course, you could make users unable to run programs from $HOME at all, but that would be unacceptable in many circumstances.
    --

    1. Re:Trojan horses are hard to protect against by Ian+Bicking · · Score: 1
      BO is a trojan horse. If you can get a user to run an executable, you have him fscked. If I send someone a Linux executable which modifies his login script to start a telnet server (modified to not require a login, of course) on some non-standard (>1024) port, he has his account wide open. Anything he can do, you can log in and do as well. Is this a security flaw of Linux?

      You cannot prevent users from doing such things, under any OS. As such I think Microsoft is right that this is not really a security problem in Windows.

      This is a security flaw of Linux, just as it is for Windows NT. Theoretically these systems can be very secure, but practically they cannot -- assuming normal people use the system, add programs, etc.

      Windows NT does not have exceptionally bad security compared to other OSes. But in defense of the future of CS, trojans are a problem that needs to be solved.

      Sandboxes (as in Java) are one attempt to solve this. They aren't a very good solution, but more of a hack on underlying security problems.

      I think capability systems provide the sort of fine-grained access that is needed. Eros is an OS that attempts to do this. There are some papers online there about capabilities -- What is a Capability, Anyway? might be a place to start.

    2. Re:Trojan horses are hard to protect against by CelestialScum · · Score: 1

      I was just wondering, from what I have seen at Bugtraq and similar places, the number of ways to crack Admin access once being able to log onto an NT box is quite big.
      Since BO gives you access as a user if installed (after all, the old BO was able to be wrapped into install-shields, undetected), you should be able to upload the hack to the server, and execute it to gain Admin access. Then reinstall the BO server from Admin user, and voila.
      Maybe I am just being ignorant on NT's behalf, but I don't see Linux having the same number of available security holes once you actually have access to the server, and its storage medium.
      I mean one of the more crazy ones was just making a symlink as a user to a certain dir/file (I have forgotten the exact details) and then re-login and you would be Admin. I find this, well, rather disturbing. I guess (hope?) they have closed this one off by now.
      If you rely on having just trusted access to your server, what kinda security is that ? The internal security must be as good as the external one, if not, it's kinda moot point :)
      Just my 0.2c on this.

  66. Re:Thats not the point by Trepidity · · Score: 1

    That's not the point either. The encryption algorithm was not meant to be strong. The only reason you'd want a strong encryption algorithm is if you wanted to use BO2K as a legitimate remote administration tool. Needless to say, that's not the real intended purpose. As a backdoor to somebody's machine, the strength of its encryption algorithm is completely irrelevant.

  67. VNC for BeOS by avm · · Score: 1

    VNC for BeOS (currently only the client) is in BeWare. Seems to work alright...I use it to talk to several windows boxen on my internal network.

  68. Re:Fixing Quake (was Re:what's the fscking deal?) by sterwill · · Score: 1

    You could also use Unix groups for what they're intended to be used. Create a group for local users ("local" is a good name), add yourself to it, do: "chown root qwcl; chgrp local qwcl", and set the bits so that only members of that group can launch the program ("chmod 4110 qwcl").

  69. Re:Facts from the con by Ian+Bicking · · Score: 1
    Does anyone have an mp3 that doesn't have psychedelic tones in the background? (Or am I doing something wrong?)

    The speech sounds interesting, but only the parts that I can understand.

  70. Security? by pb · · Score: 1

    I would call giving every user root access a *big* security hole. (of course that doesn't apply as much with Windows NT, but...) Also, I'm sure BO2000 *is* a better remote administration tool than anything Microsoft has ever offered since XENIX. I would kill for telnet to Windows machines... (but then I'd want a *useful* CLI... :)

    --
    pb Reply or e-mail; don't vaguely moderate.
    1. Re:Security? by pb · · Score: 1

      Oh, right, that's why I don't use them. (I have used bash and some other ported UNIX utils, the GNU/DJGPP ports, and some other inferior ones) Either everything is slow and big and statically linked, or it's fast, and re-written for DOS, and has new, quirky limitations... *sigh*

      Also... what kind of an argument is that? There are millions of insecure machines on the internet that haven't been cracked or crashed because *no one has cracked them*. That doesn't mean it can't be done, it just means that we don't have enough crackers to go around. :) Don't complain, one of them might perk up and notice you...

      Heh. If they're running IIS and NT, that's almost like trying to hack your own machine. Have fun keeping it stable. Running a vanilla NT machine and not doing anything with it is easy, but I have a lot of respect for anyone who tries to use NT for heavy work *and* keep it stable. That's much more arcane than UNIX ever was...

      --
      pb Reply or e-mail; don't vaguely moderate.
    2. Re:Security? by Cally · · Score: 1
      Well, I'm not suggesting it's better to run stuff on NT than Linux or BSD -- but they are out there if you're stuck on NT.

      Re: the BBC -- sure there are loads of uncracked boxes out there, but don't you think bbc.com would make a rather prestigious trophy ?

      BTW www.zpok.demon.co.uk is hosted by Demon -- I'm pretty certain they're not using NT.

      --
      "None are more hopelessly enslaved than those who falsely believe they are free." -- Goethe
    3. Re:Security? by Cally · · Score: 2
      telnetd (and lots, lots more ports of 'real' software) are available for NT and possibly '9x as well. Certainly bash, csh and tcsh are available; so is X11R6.4 ... no, really ! Performance sucks of course. There's a short & incomplete list here.

      BTW if NT is so ludicrously insecure, how come www.bbc.co.uk has never been cracked ? They seem to use IIS as well as NT ...

      --
      "None are more hopelessly enslaved than those who falsely believe they are free." -- Goethe
    4. Re:Security? by Le+douanier · · Score: 1


      "BTW if NT is so ludicrously insecure, how come www.bbc.co.uk has never been cracked ? They seem to use IIS as well as NT ... "

      Sorry but Netcraft returns:
      www.bbc.co.uk is running Apache/1.3.1 (Unix) on Solaris

      not NT nor IIS

      --
      "The obvious mathematical breakthrough would be development of an easy way to factor large prime numbers." Bill Gates,
  71. Re:telnet by pb · · Score: 1

    Yay, more ports to scan! ;)

    But seriously, I've seen W2000 Beta 3, and I'm not impressed. It's bloated, and it crashes more than NT ever should have. And that's saying something.

    --
    pb Reply or e-mail; don't vaguely moderate.
  72. Re:An actual quote from MS's PR machine: by demon · · Score: 1

    No joke. Sounds like a dead end situation to me - you bear all the responsibility, but have no power to remedy the situation? And the people who can remedy the situation have no responsibility? How is anyone supposed to accomplish anything that way? :)

    --

    Sam: "That was needlessly cryptic."
    Max: "I'd be peeing my pants if I wore any!"
  73. Re:An actual quote from MS's PR machine: by demon · · Score: 1

    But it's not in Microsoft's interest (at least from their point of view) to protect anything but their bottom line. If it won't hit them in the pocketbook, they're not going to care. So basically they're saying "Fixing these bugs we won't admit to wouldn't be profitable to us, so we're not going to admit to the fact they exist."

    How about that?

    --

    Sam: "That was needlessly cryptic."
    Max: "I'd be peeing my pants if I wore any!"
  74. Try to install Off95 without admin rights. by bkosse · · Score: 1

    Or, rather, try to run Powerpoint as a user after installing it as an admin.

    --

    --
    Ben Kosse
    Remember Ed Curry!
    1. Re:Try to install Off95 without admin rights. by IntlHarvester · · Score: 2

      Running MS Office under a "secure" NT install is fairly well documented. Look around a bit.
      --

      --
      Business. Numbers. Money. People. Computer World.
  75. NT has a setuid by bkosse · · Score: 1

    All programs run with your rights. They effectively setuid to the user. This is *BAD* (and inherently insecure).

    Eros is immune to these flaws (which also affect all Unix systems).

    --

    --
    Ben Kosse
    Remember Ed Curry!
  76. No need to write it. by bkosse · · Score: 1
    --

    --
    Ben Kosse
    Remember Ed Curry!
  77. Haven't laughed so much since.. by martin · · Score: 2


    I haven't laughed so much since zipexplorer came out. ISS have wonderful marketing spin, I mean, how difficult is it to 'crack' things when you've source (as other people have pointed out). Come on Kris, I wasn't born yesterday.

    I'm now waiting for a modified zipexplorer that includes the BO2K client, then we can all go back to installing proper email servers on our lans.

    M-Sexchange: no product has ever been so well named :-)

    Martin

  78. Security flaws by jd · · Score: 1

    I don't know why so many people have posted about it being possible to e-mail a trojan telnet server to a machine, running on an unnamed port. Most forms of Unix still use the olde, quaint "remote" programs, such as rlogin, which leaves the nasty hole offered by .rhosts. That would seem to be a far deadlier security hole than the prospect of running a complete server.

    --
    It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
    1. Re:Security flaws by sporty · · Score: 1

      That's the great thing about Unix design, you can easily get rid of the basic service and replace it with something else that is just as functional if not more.

      Because of PAM, you don't need to use <sarcasm> the "stupid password file" which is so "insecure" since it's a file on a filesystem </sarcasm>. Hell.. if I wrote a program in pc assembler, I'm quite sure moving the needle over the right part of the disk and reading the bytes where the root password is, is NOT the hardest of things, providing that one knows assembler *grin*.

      The moral of the story is that *nix has more ability for possibilities while NT is more about using MS's possibilities for lower-level functionality.

      --

      -
      ping -f 255.255.255.255 # if only

  79. Re:Downplayed (was Re:This was inevitable....) by Spruce+Moose · · Score: 1

    password.. salt.. hahahah (-:

  80. Re:Oh, whatever. by dangermouse · · Score: 1

    You really don't even have the most basic understanding of the word "server", do you?

  81. Re:Facts from the con by Squash · · Score: 2

    Good points, and I'm glad to read an informed view on this.

    I think more people should do more research than reading zdnet and news.com on this subject. There are a lot of stupid posts above this one from people armed with disinformation. Quite simply, a lot of them are missing the point.

    Anyone who wasn't there to hear the introduction first hand, you should check out the 41 minute MP3 of it. It's a lot more interesting than most product announcements. Here is a link to a page containing the mp3. Pay particular attention to the cheers from the crowd every time they mention something stupid in Windows that contributed to the program.

    Things like "remote threads". Seriously. You can start a thread of another program from your program, stick your program into it, and what do you know, explorer.exe is now also running rc5des.

    For a good laugh, listen to the undocumented Win32 call used in the 95/98 client.

    Discrediting BO2K is almost as dangerous as BO2K itself. You can't just scan for port 31337. BO2K doesn't have a default port, you have to put something in yourself. You can't just look on netstat for open TCP connections. BO2K can transport over ICMP. You can't look for a signature to the file, adding a random x=x; into it will change it.

    Sure, you say, but how many script kiddies will go changing source code? A valid point, as most script kiddies can't tell a semicolon from a mouse. However, cDc has also released (surely not coincidence) a "pkzip-lite" style program that compresses/encrypts executables to random keys. File signatures are probably the weakest form of "integrity verification" that I've ever seen. As far as watching for network transmission signatures, you'd be amazed how easy it is to write around that. The important part is that your method not need be good! All it needs to be is 1 bit different. Insert an extra byte into a header. Write a silly wrapper to make it look like http data, or a real audio stream.

    The biggest factor in this is the software's open source license, which allows all this and more to happen. BO2K is merely the first variation. Stopping it is ineffective.

    The last big part is the spreading issue. True, the clearest way to infect a computer is to send it as an email attachment. A quick modification to happy99.exe would really spice things up. IIS servers are still easy targets in the real world. You won't get www3.microsoft.com, but you will probably get www.joesfishingshack.com or similar. Imagine if someone combines a custom BO2K with a virus that is reasonably good at spreading itself.

    That's what I think, at least.

    --
    Squash
  82. ISS is making media hype by HBK-4G · · Score: 2

    ISS (or fill in the blank with your favorite Internet Security company) said they "cracked" the encryption.

    Yay!

    But what wasn't mentioned was that the only way that they can find if BO2K is on the computer...
    is when it's on the computer. They can only find the "encrypted" stream when the connection to the victim computer is already in progress.

    So... they'll sell you their services to fix BO2K.. but only if you've already got it. There is no pre-emptive fix.

  83. Maybe they shoulda just released a binary :P by J.+FoxGlov · · Score: 1
    Hint: if the source code is available, it'll be easier to "crack". Thing is, immediately with its release, ISS would learn just how it worked.

    Which reaffirms the point that BO is meant as a means to rub Microsoft's nose in the fact that their products suck. If they wanted to be bastards, they could have kept the source to themselves.

    J.

    --
    damned vulpine http://sb.drtwister.com/
  84. Oh, whatever. by J.+FoxGlov · · Score: 1
    I dare you to write a BO-like program that will run on MacOS, and give a remote admin control of my Mac when it's connected to a network.

    J.

    --
    damned vulpine http://sb.drtwister.com/
  85. Re:Thats not the point by aqua · · Score: 1

    Without knowing the specific motives or history, the idea was most likely not to provide a strong cipher -- encipherment isn't inherently necessary anyway for this kind of thing.

    Or, they wanted to limit the potential for ITAR violations -- so that crackers could avoid breaking export law while busy breaking other ones.

    Or, they wanted a deliberately weak cipher so that people would latch on and improve those parts -- maybe write a tight win32 IDEA lib.

    Or, they realized that encipherment isn't an especially important part of BO2K anyway, since its emissions can be detected easily enough whether enciphered or not, so casual over-shoulder encryption was adequate.

    Or, they wanted their counterparts in the virus/security communities to waste time on the encryption stuff, as the counterparts indeed seem to have done.

    It would, in any case, be nice if those whose job it becomes to counter BO2K had taken the opportunity to note why BO2K exists, rather than to inflate their egos in a comical misassumption.

  86. Can you say Service Pack? by db · · Score: 1

    "Trojan horse software doesn't target technology,

    it targets the user. If BackOrifice did in fact

    exploit security vulnerabilities in Windows

    or Windows NT, Microsoft would promptly fix the

    vulnerability, and BackOrifice would be stopped."


    Uhh huh, sure. What would they do? Release a Service Pack? Offer a "free" upgrade? I think MicroSoft is too busy with its head shoved up its rear end to notice. If(When) a program like BO2K becomes available affecting linux, how quickly would the code be edited to stop such a thing, Trojan Horse or not? Very quickly, I say!

    --
    Dave Brooks (db@amorphous.org)
    http://www.amorphous.org
  87. Re:what's the fscking deal? by Richard · · Score: 1

    Unless the linux user is running that shell script as root, it wouldn't happen.

    -Richard, barbarian geek.

    --
    -Richard
  88. VNC by zosima · · Score: 1

    Have you checked out VNC? It was actually designed for remote access, and I know there is a windows server and I am almost positive there is a Be client [maybe BeDepot, it isn't up on the vnc download site](though it will work in a java-enabled browser, anyways). It might be a better solution with all the coding taken care of for you.

  89. Re:what's the fscking deal? by Dictator+For+Life · · Score: 1
    (lots of people run NT everyday with Administrator access)

    Or, like me, they give themselves Administrator rights on their user accounts.

    Why? Because I can't 'su' to Administrator to do administrative tasks. I would have to log myself out, log in as Admin., and then log back in as myself. That's idiotic, and it's the difference between being fully multi-user and Windows NoThanks.

    And even if I did leave myself as a regular user, I would still need to have write access to the Windows\System (or is it System32? I forget, but it doesn't make much difference) directory in order to run M$ Office (note: RUN, not 'install')! This too is idiotic.

    --

    DFL

    Never send a human to do a machine's job.

  90. Good thing by kaptin · · Score: 1

    >Crackers often reason that
    >they are performing a service
    >in breaking into Websites and
    >networks because they expose security flaws.

    Oh so true...The best way to fully be safe from a "virus" is to be immune to it and what better way to be immune to it than to have recovered from an attack of the "virus".

    I think Microsoft should start paying these people...maybe then they would release a safer W2K.

    --
    If water were beans, I'd be 70% beans.
  91. Howler from Micros~1... by Beethoven · · Score: 1

    Does BO2K exploit any security vulnerabilities in Windows or Windows NT?

    No. Programs like BO2K could be written for any operating system; this one just happens to have been written to run on Windows and Windows NT. On any operating system, if you choose to run a program, it can do whatever you can do.

    This is, IMO, the one lie that more than any other keeps Windows in control of the OS market. People's only exposure is to an OS that runs everything as root and requires users to buy new anti-virus software every month, so they imagine that's the way things have to be.

    Not so. Linux and *nix are fundamentally more secure than Windows, because they make adequate use of the hardware security feature known as memory protection. When a Linux user runs a program downloaded from who-knows-where, s/he runs it as non-root. (except maybe "make install", which is a weak point, IMHO) In contrast, W98 doesn't even try to be secure, and even under NT, users typically run every process with administrator privilege.

    1. Re:Howler from Micros~1... by dirty · · Score: 1

      Ok, your statement is just plain wrong. For once microsoft is actually being honest. BO2K is not about security problems with NT. The same thing is possible under linux, look at vnc, it does essentially this, except it doesn't try to hide the fact from you.

      Also, NT doesn't run everything as "root" and it does have memory protection. Actually NT has a better security model than linux (ACLs vs. uid/gid and the lack of setuid (although i consider that a bad thing)). From what I understand that will be changing, but for the moment it's true.

      --

      -matt
  92. SOOOOO Impressed :P by GraZZ · · Score: 2

    Wow, that must have been a HUGE difficulty, considering the source is available (get it at this site)

    1. Re:SOOOOO Impressed :P by PinheadX · · Score: 1

      Anyone know if this will compile under BeOS? I mean, is there any code in here that would throw BeOS for a loop? I just want to remotely administer my windoze box from across the room...

      - - - - - - - - - - - - - - - - -
      I run BeOS. The rules don't apply.

  93. Re:"Decode" a GPL program? by drwatt · · Score: 1

    "ISS cracking abilities are viewed as childs play!"

    --
    DrWatt
  94. Re:bbc runs SunOS 5.6 by Cally · · Score: 1
    Well, that's the ftp server -- I was referring to the HTTP server.
    ...

    Hmmm, Netcraft seems to be down at the mo ... but telnet on :80 says 'apache 1.3 (Unix).'

    Interesting, because it definitely USED to be IIS / NT. No, really, it was !!

    --
    "None are more hopelessly enslaved than those who falsely believe they are free." -- Goethe
  95. Re:bbc runs SunOS 5.6 by Cally · · Score: 1
    OK netcraft.com reappeared ...

    www.bbc.com is on SunOS. This is Boston Business Computing.

    www.bbc.co.uk is on ... Solaris / Apache. I was wrong ...

    But the point remains the same ... the same Netcraft app shows a bunch of high profile large corporations running IIS / NT ... even Windows 98 ?!?! (Gillette) ... so these must all be easy meat for crackers, right ? ... and then all their MIS people would be fired, and replaced with Unix hackers ...

    I'm no fan of NT OR IIS -- I'm just saying that it's not impossible to make them reasonably secure.

    --
    "None are more hopelessly enslaved than those who falsely believe they are free." -- Goethe
  96. Remember BO2K does not have to rely on the user by Ice+Tiger · · Score: 1

    Ok the easiest way to have it installed is via a user running it from email. Remember that NT has been a victim of the good old buffer overflow exploit of late as well.

    I have heard of BO being installed via the outlook exploit under 95. Ok so even if this was done under NT then you still get user rights. However what if I installed it on someone's IIS server using the recent buffer overflow exploit, or again using the ftp exploit. These will give me access under the user System.

    Again these have been patched, but I would be very surprised indeed if the last buffer overflow for a service running under NT had been found.

    Ice Tiger

    --
    "Because we are not employing at entry level, offshoring will kill our industry stone dead."
  97. Another Journo gets it right, NOT by Ice+Tiger · · Score: 1

    Erm no this is not true, remember what one reads in a paper must be true. :)

    BTW I suppose BO2K might be installable via an activex component, another secure microsoft feature. Oh yes before anyone points out about signatures and such, dodgy activex components have been used in the past by legitimate developers and then they get signed under that developer's id.

    Ice Tiger

    --
    "Because we are not employing at entry level, offshoring will kill our industry stone dead."
  98. Re:An actual quote from MS's PR machine: by FigWig · · Score: 1

    I thought this was the legal basis for the whole software industry. The software companies take no responsibility for their products at all, yet at the same time the end user has no rights that would resemble ownership of the product: can't modify, limited use, etc. Seems like a double whammy to me.

    Aw crap! Now I sound like an open source advocate!

    --
    Scuttlemonkey is a troll
  99. Bo2k is open... by jscott · · Score: 1

    ...source that is, :)

    --
    signal, noise, to me it's all the same.
  100. telnet by jscott · · Score: 1

    the original BO included telnet functionality (a bit sketch tho) not sure about bo2k yet...

    --
    signal, noise, to me it's all the same.
  101. useful by jscott · · Score: 1

    I may be a lowly temp, but I do a lot of user support/configs. To me the OG BO was _very_ useful (at times). I only hope bo2k is better and more stable. Although I don't think anyone else (sysadmin) around here would agree :)

    --
    signal, noise, to me it's all the same.
  102. Facts from the con by HunterD · · Score: 1

    Ok, I'm seeing a lot of disinfo about BO2K here. So let's address a few right here:

    1. Breaking BO2K's Crypto:
    Of course he broke BO2K's crypto - the Generic, straight from the 'box' crypto is XOR encryption - which is simple to 'break'. That said, inside the US, you can download a plug-in that will allow BO2K to use 3DES. Sophos did not crack 3DES. Even if he did, the plugin architecture allows a programmer to add any encryption scheme they wish, and BO2K will use it for all of its transfers.

    2. Detecting of BO2K
    Well - to detect BO2K in one configuration, all IIS had to do is look at the threads, and it will show up. This could be what they are discussing as easily detectable. However it is also possible to get BO2K to hide quite effectively by having it hop between threads, and use whatever ports it wants to. IIS could also be referring to the fact that BO2K uses the same registry key every time - and it does so on purpose which leads into point 3..

    3. BO2K is a virus
    BO2K is not a virus. Not even remotely. At worst it's a Trojan, but it is no more a Trojan than other packages like say PC Anywhere (and another one that I can not remember the name of - it starts with an S) Interestingly, some other 'remote admin' packages can also be installed over the net, or given as a 'trojan', or even be run as a hidden process. BO2K has many of the same features as similar packages, and has the same ability to be used for admin, as well as cracking.

    4. BO2K is bad
    BO2K is what you make of it. It's a tool. it can be used in many ways - some bad, some good. It really has some very useful features. Those features again can be used as you see fit.

    I am not affiliated with the cdc, these views come from seeing their presentation of BO2K at defcon.

    --
    - The unexamined life is not worth leading -
    1. Re:Facts from the con by HunterD · · Score: 1

      Oops - yep I meant ISS.

      On your first point - Exactly - XOR 'encryption' sucks, it might as well be plaintext

      As far as communication - I'm not really sure - but the program can communicate in more then one way - if they wrote a program to find it on UDP, just set it to TCP. If that doesn't work it can be set to ICMP. BO2K is quite impressive, and if ISS thinks they have a fool proof detection scheme, it is my guess that they have not hit all the bases.

      --
      - The unexamined life is not worth leading -
    2. Re:Facts from the con by HaKn5La5H · · Score: 1

      when i downloaded it - it sucked, but when i streamed it - it played fine. try that.

    3. Re:Facts from the con by johnnyw · · Score: 1

      OK, I am with you here... except xor is not encryption at all. nothing more technical than a pad of paper and a pencil is needed to cryptanalyze a message xor'd with a key...

      In #2 are you referring to ISS or IIS?
      Assuming you meant ISS, the company, whose X-Force (X-Farce? :) ) research team published these findings on bo2k.

      I am, and continue to be unimpressed by this starched-collar attempt at information security. The big five and outfits like ISS have to understand that there are people that know better.

      AND ANYWAY... I think that the detection of BO referred to is detection of client/server communication. NT's ability to find bo2k is of no vested interest in me, as I can not stand nor do I ever work with NT.

      Oh, Hi Kewp :P been a while
      I think that ISS needs to get its head out of the sand and realize who they are pissing off....
      and I am not talking about the cdc

  103. Facts from the con by HunterD · · Score: 4
    Ok, I'm seeing a lot of disinfo about BO2K here. So let's address a few right here:

    1. Breaking BO2K's Crypto:
    Of course he broke BO2K's crypto - the Generic, straight from the 'box' crypto is XOR encryption - which is simple to 'break'. That said, inside the US, you can download a plug-in that will allow BO2K to use 3DES. Sophos did not crack 3DES. Even if he did, the plugin architecture allows a programmer to add any encryption scheme they wish, and BO2K will use it for all of its transfers.

    2. Detecting of BO2K
    Well - to detect BO2K in one configuration, all IIS had to do is look at the threads, and it will show up. This could be what they are discussing as easily detectable. However it is also possible to get BO2K to hide quite effectively by having it hop between threads, and use whatever ports it wants to. IIS could also be referring to the fact that BO2K uses the same registry key every time - and it does so on purpose which leads into point 3....

    3. BO2K is a virus
    BO2K is not a virus. Not even remotely. At worst it's a Trojan, but it is no more a Trojan than other packages like say PC Anywhere (and another one that I can not remember the name of - it starts with an S) Interestingly, some other 'remote admin' packages can also be installed over the net, or given as a 'trojan', or even be run as a hidden process. BO2K has many of the same features as similar packages, and has the same ability to be used for admin, as well as cracking.

    4. BO2K is bad
    BO2K is what you make of it. It's a tool. it can be used in many ways - some bad, some good. It really has some very useful features. Those features again can be used as you see fit.

    I am not affiliated with the cdc, these views come from seeing their presentation of BO2K at defcon.

    --
    - The unexamined life is not worth leading -
  104. Fixing Quake (was Re:what's the fscking deal?) by Greg+W. · · Score: 1

    couldn't be bothered writing 'su' and then a lengthy password every time he wants to play Quake

    chmod 1777 /usr/local/games/quake/id1
    # quote the delimiter so "$@" is written into the wrapper literally
    cat >/usr/local/bin/squake <<'EOF'
    #!/bin/sh
    cd /usr/local/games/quake
    exec ./squake "$@"
    EOF
    chmod 755 /usr/local/bin/squake

    You'll probably want to do the same for the "hipnotic" and "rogue" directories, and make similar wrappers for the other quake binaries. Shame on id for not writing a better installation script.

  105. Fixing Quake (was Re:what's the fscking deal?) by Greg+W. · · Score: 1

    couldn't be bothered writing 'su' and then a lengthy password every time he wants to play Quake

    chmod 1777 /usr/local/games/quake/id1
    # quote the delimiter so "$@" is written into the wrapper literally
    cat >/usr/local/bin/squake <<'EOF'
    #!/bin/sh
    cd /usr/local/games/quake
    exec ./squake "$@"
    EOF
    chmod 755 /usr/local/bin/squake

    You'll probably want to do the same for the "hipnotic" and "rogue" directories, and make similar wrappers for the other quake binaries. Shame on id for not writing a better installation script.

    (Sorry about the first one. I honestly thought the Preview button was on the left, not the right, and clicked Submit too fast.) :(

  106. Another paranoid heard from... by dr_strangelove · · Score: 1

    Just an aside. I was flipping through my video feeds and happened upon Pat Robertson announcing to his techno-illiterate hordes that "hackers" had released a new "virus" this weekend in Las Vegas (Sin City) called "BO2K". Pat seemed to think this was one more confirmation that the sky is falling, or whatever. To be honest, I was too busy laughing my guts out to pay close attention to his rant.

    I did find it interesting that the acronym BO2K was never translated for the breathless masses.

    Apparently "Back Orifice" is too naughty a phrase for good christians. Or maybe they just don't admit to their existence.

    --
    "...they may harpoon us, but they ain't gonna pick us up on no radar screen!"
  107. So the original is cracked. BFD. by rde · · Score: 1

    Woohoo! The world is safe, unless someone manages to get their hands on the source code and come up with a variant.
    The report is quite sanctimonious, reflecting Rouland's attitude (I suppose). Dissing crackers in such a manner, though, is just inviting trouble.

    1. Re:So the original is cracked. BFD. by Black+Parrot · · Score: 1

      > Just tried Back Orifice 2000, cool stuff!

      Whose machine did you try it on?

      I've sure clicked on a lot of sites that were down over the last couple of days.

      --
      Sheesh, evil *and* a jerk. -- Jade
  108. Thats not the point by mplex · · Score: 1

    They cracked the encryption algorithm that it used. That's different. They probably tried to write their own. Figures, kids think they can come up with their own uncrackable algorithm...

    1. Re:Thats not the point by brianosaurus · · Score: 1

      just for the record, the US version has 3DES encryption, while the export version has XOR encryption (yes, hella-weak).

      Being that ISS is a UK firm, their brilliant minds were able to decrypt an XOR. Way to go!

      --
      blog
  109. Re:Just wondering... by Black+Parrot · · Score: 1

    > Now I doubt it would apply to viruses, as you would get nailed to a wall for it.

    Of course, if you're already in the slammer for the next 20 you might as well try to drum up some income in case you can't get a job as a security consultant when you get out.

    --
    Sheesh, evil *and* a jerk. -- Jade
  110. Just wondering... by Black+Parrot · · Score: 3

    I guess it wouldn't have mattered in this case, since BO2K is GPL'd, but I wonder: If the software lobbies manage to ram through all their proposed laws that would illegalize reverse engineering, will virus writers be able to sue anti-virus companies that crack their code?

    --
    Sheesh, evil *and* a jerk. -- Jade
    1. Re:Just wondering... by Mr.+Me · · Score: 1

      If I'm not mistaken, those laws would just make the anti-reverse engineering clauses in EULAs enforcable. (I wonder how many people would accept a EULA that started out "By installing this virus on your machine you agree to the following conditions:". Probably a depressingly high number of windows users.)
      --
      There is a fine line between stupidity and insanity. I should know, I'm standing on it.
    2. Re:Just wondering... by Microlith · · Score: 1

      Don't assume the virus author is a minor. Also, if they hold a copyright(left) in their name, yes.

      Now I doubt it would apply to viruses, as you would get nailed to a wall for it.

  111. Re:This was inevitable.... by Seth+The+Man · · Score: 2

    Actually, I think the oldest cDc member (in age, not membership) is something over 60.

    The youngest is 20.

    And there's everything in between. For the most part the cDc guys are yer average white twenty-somethings (go figure) ..

    I don't think it's right to lump all of them together as teenagers with delusions of grandeur, sure, some sort of fit that description (the ones that claim the hacker profile...) but the original guys aren't REALLY like that at all.

    They are just some weird guys who released wizardry docs as text files when they were in Jr. High. oh, and some other stuff about rabbits.

    Personally I prefer the text file aspect of cDc, the hacker part is a bit silly.

    --
    Screw this shit, I've had it/I ain't no mister cool./I'm a pig, I'm a dog/Excuse me if I drool./stm
  112. Summary by schporto · · Score: 5

    Below is my summary of the article....

    Sophos cracked BO2K. Errr wrote a detector for it. We don't know the difference though. But they figured out the protocols and encryption schemes. Ohhh buzzwords.
    Those nasty cDc'ers didn't like Rouland and he showed them. He asked for a copy which is completely sensible as he's a good guy, but they don't like him. We won't mention that he wanted a copy before everyone else.
    We think this will allow them to control other computers. But we aren't sure what control it gives you, so we'll just blather on. Oh and insult them. They're kids. They are even infected.
    But not to worry any one M$ is right on top of it. They even issued gasp a warning.
    It's a toy but ISS warned the program could easily be used to delete files, reconfigure machines, steal passwords and redirect network traffic, without a user or administrator's knowledge.
    Isn't it amazing what toys can do now.

    Pardon the sarcasm.
    -cpd

  113. MS premier alert service costs... by Kaa · · Score: 2

    One bookmark:

    http://www.microsoft.com/security/bulletins/bo2k.asp


    Kaa

    --

    Kaa
    Kaa's Law: In any sufficiently large group of people most are idiots.
    1. Re:MS premier alert service costs... by urtica · · Score: 1
      From that page:
      Is BO2K like the Melissa virus?
      Only in the sense that both were Trojan horse programs that performed malicious actions, and neither exploited any security vulnerabilities in Microsoft products.
      Does anyone else feel that the claim that Melissa didn't exploit any security vulnerabilities in M$ products, is well... if not false, at least on very shaky ground.
    2. Re:MS premier alert service costs... by spoon42 · · Score: 1
      From that page:
      Is BO2K like the Melissa virus?
      Only in the sense that both were Trojan horse programs that performed malicious actions, and neither exploited any security vulnerabilities in Microsoft products.
      Does anyone else feel that the claim that Melissa didn't exploit any security vulnerabilities in M$ products, is well... if not false, at least on very shaky ground.

      of course not. at least according to M$, the ability to run Word macros from Outlook without the user's knowledge (or whatever the exact method was, I forget) is a "feature", remember? ;-)
      --
      --- this comment is presented in WIDE SCREEN STEREO!!!
  114. Re:what's the fscking deal? by austad · · Score: 1

    The shell script would have to be run as root though, otherwise it wouldn't be able to edit /etc/inetd.conf. inetd also needs to be restarted for the change to take effect.

    I suggest if anyone is really worried about it that you get yourself a copy of tripwire and figure out how to use it properly.

    --
    Need Free Juniper/NetScreen Support? JuniperForum
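
An added example for the inetd.conf point above (editor's addition, not code from any poster): austad notes that the trojan in xcene's scenario needs root to edit /etc/inetd.conf and an inetd restart before it takes effect. The defender's counterpart is to audit what inetd.conf actually contains. The script below parses inetd.conf entries and flags lines that look out of place: a numeric port where a service name from /etc/services is expected, a root-run service on a port above 1023, or a server program outside the usual system directories. The sample entries, the list of expected services and the directory list are all constructed assumptions for the demonstration, not taken from any distribution.

```python
"""Added example (not from the thread): a small audit of inetd.conf entries.

Parses inetd.conf lines and flags entries that look out of place.  The sample
configuration, the expected-service table and the system directory list are
constructed assumptions for this demonstration.
"""

# Services a late-1990s inetd.conf would plausibly carry (assumed list).
KNOWN_SERVICES = {"ftp": 21, "telnet": 23, "finger": 79, "pop3": 110, "auth": 113}
PRIVILEGED_PORT_MAX = 1023
SYSTEM_DIRS = ("/usr/sbin/", "/usr/libexec/", "/usr/bin/", "/sbin/")


def parse_inetd_line(line):
    """Return a dict for one inetd.conf entry, or None for comments/blank lines.

    Format: service socket_type proto wait/nowait user server_program args...
    """
    line = line.split("#", 1)[0].strip()
    if not line:
        return None
    fields = line.split()
    if len(fields) < 6:
        return None
    service, sock_type, proto, wait, user, program = fields[:6]
    return {
        "service": service,
        "socket_type": sock_type,
        "protocol": proto,
        "wait": wait,
        "user": user,
        "program": program,
        "args": fields[6:],
    }


def audit_entry(entry):
    """Return a list of warning strings for one parsed entry (empty if clean)."""
    warnings = []
    service = entry["service"]
    if service.isdigit():
        port = int(service)
        warnings.append(f"numeric service {port} instead of a name from /etc/services")
    else:
        port = KNOWN_SERVICES.get(service)
        if port is None:
            warnings.append(f"unknown service name {service!r}")
    # A root-run listener on a port no privileged service needs is suspicious.
    if port is not None and port > PRIVILEGED_PORT_MAX and entry["user"] == "root":
        warnings.append(f"root-run service on unprivileged port {port}")
    # "internal" means inetd serves it itself (echo, daytime); anything else
    # should be a binary installed under a system directory.
    if entry["program"] != "internal" and not entry["program"].startswith(SYSTEM_DIRS):
        warnings.append(f"server program {entry['program']} outside system directories")
    return warnings


def audit_inetd(text):
    """Audit a whole inetd.conf; returns {service: [warnings]} for flagged entries."""
    findings = {}
    for line in text.splitlines():
        entry = parse_inetd_line(line)
        if entry is None:
            continue
        warnings = audit_entry(entry)
        if warnings:
            findings[entry["service"]] = warnings
    return findings


# Constructed sample: three ordinary entries, then the kind of line the
# thread's hypothetical script would add.
SAMPLE_INETD_CONF = """\
# /etc/inetd.conf (constructed sample)
ftp     stream  tcp  nowait  root   /usr/sbin/tcpd   in.ftpd -l -a
telnet  stream  tcp  nowait  root   /usr/sbin/tcpd   in.telnetd
finger  stream  tcp  nowait  nobody /usr/sbin/tcpd   in.fingerd
31337   stream  tcp  nowait  root   /tmp/.x/telnetd  telnetd
"""

if __name__ == "__main__":
    for service, warnings in audit_inetd(SAMPLE_INETD_CONF).items():
        for w in warnings:
            print(f"{service}: {w}")
```

Run against the constructed sample, only the 31337 line is reported, with all three warnings. On a real host the same parser can be pointed at /etc/inetd.conf; the service table should then be built from /etc/services rather than the assumed dictionary above.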
  115. To hack or not to hack by Nothinman · · Score: 1

    >>would-be hackers, or crackers as they are more accurately known

    At least the writers of the article got this right.

    (First Post)

  116. Re:An actual quote from MS's PR machine: by opencode · · Score: 1

    You're right ... I never thought of that ....

    So MS is kinda like an HMO: YOU buy the product, you allegedly benefit from the product, and it is COMPLETELY YOUR RESPONSIBILITY to do ALL the checking and qualifying of the integrity of the product (so that WHEN things go awry, YOU'RE responsible to represent your OWN interests). the product vendor has too wide of a userbase to care about your lone satisfaction ....

    Is this what you mean ? Again, not an easy joke, but a request for elaboration and clarification ...

    --
    "He who questions training trains himself at asking questions." - The Sphinx, Mystery Men (1999)
  117. An actual quote from MS's PR machine: by opencode · · Score: 2

    "Trojan horse software doesn't target technology, it targets the user. If BackOrifice did in fact exploit security vulnerabilities in Windows or Windows NT, Microsoft would promptly fix the vulnerability, and BackOrifice would be stopped."

    Does this mean (as we knew all along) that Microsoft is more interested in maintaining the integrity of their technology than the interests of their users?

    Sounds like a really easy joke here, but I'm interested how else I could interpret this statement. Please reply if you know ....

    --
    "He who questions training trains himself at asking questions." - The Sphinx, Mystery Men (1999)
  118. bbc runs SunOS 5.6 by fixe · · Score: 2

    if you ftp to www.bbc.co.uk you get:

    Connected to www.bbc.net.uk.
    220 www2.thny.bbc.co.uk FTP server (SunOS 5.6) ready.

  119. "Decode" a GPL program? by rhdwdg · · Score: 3

    Pretty easy when they give you the source. Sheesh. Next thing you know they'll "decode" how OpenBSD implements IPSec.

    I rather think the Cult's point is still made.

  120. Look at that last quoted sentence... by uncleFester · · Score: 2
    Microsoft has only issued only a warning, refusing to admit that there might be security vulnerabilities in WinNT.

    To me, this is more serious than the BO2k release itself. Denial of any problems makes it very hard to solve them.

    (I'd love to go into the 'you shouldn't even be able to install such tools under a proper or well-protected OS' thread, but then I'm not really feeling like Mr. Unix Snob this particular morning.)

    -fester

    ps.. SECOND POST.. MUAHAHAHA *spak*

    --
    -'fester
  121. Re: MS premier alert service... by Wah · · Score: 1

    just one real quick question: How much does it cost to get "Premier" Alert Service?

    Seems along the normal lines of "We are not responsible for our software " (read the EULA). "We can do nothing about stupid users" "Windows is perfect, nope, no holes here."

    Where is the "officially endorsed, M$ branded" NT remote admin. program? Anybody give me a link...

    --
    +&x
  122. Re:what's the fscking deal? by xcene · · Score: 0

    OK, i forgot to add this part:

    "..and trick this clueless linux newbie
    into running the shell script as root"

    Do you think the Linux newbie, who most likely is spending 98% of his uptime being logged in as root because he couldn't be bothered writing 'su' and then a lengthy password every time he wants to play Quake, would even bother thinking about the possibility of being trojaned?

    And anyway, the shell script could at least add a telnet daemon which allows password-less logins to the *user* account, to the user's crontab.

    --
    -- close but no sig
  123. what's the fscking deal? by xcene · · Score: 1

    There's been "rootkits" available for most flavours of UN*X for as long as I can remember. If running an "undetectable remote administration service" constitutes a security hole in the OS, I guess the only OS that does not contain such a security hole must be something along the lines of DOS 1.0.

    Writing a "Back Orifice Linux Edition" isn't exactly hard. Create a shell script or something similar, mail it to someone who has just installed Linux at his home PC, trick him into running it, and what-do-you-know, the shell script might just add a telnet daemon (suitably UUEncoded in the shell script) which runs at port 31337 and allows root logins without a password to his inetd.conf. Does this mean that Linux has a security flaw?

    --
    -- close but no sig
    1. Re:what's the fscking deal? by Mignon · · Score: 1
      And anyway, the shell script could at least add a telnet daemon which allows password-less logins to the *user* account, to the user's crontab

      I thought you had to be root on Unix to open a server (listening) socket, or does that only apply to well-known services or something? Can anyone confirm/deny this?
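
An added example on the question above (editor's addition, not code from any poster): on Unix only the well-known ports below 1024 need root to bind, so an ordinary user can listen on a high port such as 31337, which is what the cron-launched daemon in the scenario relies on. The script tries to bind and listen on a given TCP port and reports the errno the kernel returns when it refuses; the port numbers used in the demo are assumed values, and the socket is closed immediately, so nothing is left listening.

```python
"""Added example (not from the thread): which ports need root to listen on.

Tries to bind a listening TCP socket on a port and reports the outcome.  The
ports used in the demo (23 and 0) are assumed values for the demonstration.
"""
import errno
import os
import socket

# Ports at or below this value are the "well-known" range that needs root
# (or CAP_NET_BIND_SERVICE on Linux) to bind.
PRIVILEGED_PORT_MAX = 1023

# Errnos a low-port bind can legitimately fail with: EACCES when unprivileged,
# EADDRINUSE when a real service already holds the port.
EXPECTED_LOW_PORT_ERRNOS = (errno.EACCES, errno.EADDRINUSE)


def try_listen(port):
    """Attempt to bind and listen on TCP `port` on all interfaces.

    Returns (True, bound_port) on success or (False, errno_value) on failure.
    Port 0 asks the kernel for any free high port.  The socket is closed
    before returning, so nothing is left listening after the check.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        s.bind(("", port))
        s.listen(1)
        return True, s.getsockname()[1]
    except OSError as e:
        return False, e.errno
    finally:
        s.close()


def needs_root(port):
    """The classic policy rule, independent of what the running kernel does."""
    return port <= PRIVILEGED_PORT_MAX


def describe(port):
    """Human-readable result of a bind attempt on `port`."""
    ok, detail = try_listen(port)
    if ok:
        return f"port {detail}: bound OK as uid {os.geteuid()}"
    return f"port {port}: refused ({errno.errorcode.get(detail, detail)})"


if __name__ == "__main__":
    # 23 is telnet's well-known port; 0 means "any free high port".
    for p in (23, 0):
        print(describe(p))
```

Run as an ordinary user, port 23 is refused with EACCES while port 0 is handed an ephemeral port well above 1023; run as root both succeed. That asymmetry is the whole of the rule the question asks about: nothing stops a user-level process from listening on 31337, which is why "is it listening on an odd port" is a better audit question than "is it running as root".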

    2. Re:what's the fscking deal? by drudd · · Score: 1

      Oh boy, I can hack into the little linux newbie's personal comp and grab all his porn.

      Yeah, that's a useful and a hack worthy of legend.

      --
      Venn ist das nurnstuck git und Slotermeyer? Ya! Beigerhund das oder die Flipperwaldt gersput!
    3. Re:what's the fscking deal? by alonso · · Score: 1

      How can I login in a W98 box without root privileges? ;)

    4. Re:what's the fscking deal? by alonso · · Score: 1

      Thanks:)) but I'm not and I have to protect myself from the cracker.... I use Linux, and I don't login as root..

    5. Re:what's the fscking deal? by Yishan · · Score: 1

      See, the difference here is in the intended attitudes of the Linux user and a Windows user.

      Linux has largely been held as the domain of the close-to-the-metal install-it-yourself take-responsibility engineer. (sorry about the stereotypes, but still...) People who want to be able to configure anything and everything about their system, solve their own problems instead of calling some help-line, and do things in tty terminals.

      Windows has always been billed as "user-friendly" happy-stupid system, to remove the user from having to worry about grungy details, among which one is security.

      So, one can make a legitimate case for the stupidity of the Linux user running things as root and falling prey to a trojan, and say that it's really a flaw on the part of the user, whereas Windows, with its much-vaunted "I'll take care of everything don't worry" attitude, should be taking measures to plug holes like this, even if it's really the user's fault for running a foreign, untrusted program.

  124. Downplayed (was Re:This was inevitable....) by flesh99 · · Score: 2

    And which division of MS do you work for ?
    After the original release of BO and the way MS downplayed it, and now BO2k, it doesn't really matter if they are "a bunch of sad teenagers with serious delusions of grandeur" now does it. they've even released it under the GPL, for God's sake! which means it will be mutated and changed in ways that MS and the "anti-viral community" cannot even begin to keep up with. Yes Linux has security flaws, and they are fixed usually within 24 hours of being reported. The effect this could have is frightening, however I think that most of us out here that still have to use MS product are aware of the security threats and take precautions to minimize the risk. Linux is easier to lock down than NT and any sysadmin worth his salt is the only one who even knows the root password. It is much harder to hack a root password from a user account on Linux than it is to send someone an e-greeting card with BO attached. I don't think this is being overplayed by Linux advocates, I do know for a fact it is being played down to the point of being dangerous by MS advocates. The cDc is forcing MS to notice them and by doing that they just might be able to force MS to fix some flaws in their OS. IMHO this is a "Good Thing" I don't think any of the Linux users that have a decent IQ are getting cocky about NT, the fact is, it is less secure, more unstable, and frankly uglier than Linux. (OK uglier is an opinion not a fact) Oh and from the looks of it (just look around on /.) most of the anti-social lamers seem to be part of this side of the fight, I have to disagree with the terrorist type tactics some of them use, but overall they are pretty amusing. I am sorry if it seemed I was ranting, oh and back to the original question, which MS division did you say you worked for ?

    --

  125. This was inevitable.... by briggers · · Score: 0

    It only takes a few minutes browsing the cDc website to discover that they are basically a bunch of sad teenagers with serious delusions of grandeur. The sheer pretentiousness of this whole Back Orifice nonsense is truly something to behold - they've even released it under the GPL, for God's sake!

    However, it's important for Linux users not to get too cocky about Window's security flaws, for it's only a matter of time before trojan horses start appearing on Linux. Remember that running a program as root makes your system just as vulnerable as any Windows platform. I'm sure there are plenty of anti-social lamers with a grudge against the Linux community who could certainly write something similar, if they haven't done so already.

    --
    -- briggers Remove blinkers to email me.
    1. Re:This was inevitable.... by Varkmitek · · Score: 1

      Linux users have always known, and admitted the fact that security flaws exist in their OS, and that they will continue to crop up. Admitting that there are flaws is the first step towards getting them fixed - I don't think we're "cocky" about the security of our OS: we're just confident that the security model is a bit more useful and, well, secure.

      PS. I didn't know you could tell someone's age by looking at their web page...

  126. Re:"Microsoft hit by Cult of the Dead Cow" by _Sprocket_ · · Score: 3
    "True to the hacker's word, anyone curious enough to log into the cult's website will find his or her computer automatically infected with a virus."

    How true is this?

    Completely true. Only, it's an old virus called "Good Times". Tell all your friends. ;)

  127. In response to A. Coward's comment on crypto by johnnyw · · Score: 1

    Not quite, any nontrivial cryptosystem should be able to hold up when its underlying logic is examined. If that were not the case, we would all be walking around with hardware crypto-devices that explode when we tamper with them... and we dont do that... right? :)

    I think that we are getting off-topic a bit.. ISS claimed to have figured out BO2K's crypto. I personally think that this is true. But it is irrelevant. What is important is whether or not they are capable of monitoring the connection between the client and the server for any and all keys known or unknown. I do not think this is true.
    As for their analysis of the network traffic between the client and the server. That is trivial. Anyone with five spare minutes and tcpdump can do that. What is important is to recognize that this is all for nought. When was the last time that anyone took a look at how commercial IDS work? When was the last time that someone put together some programs that try to confuse IDS sensors by fragmenting packets, munging flags, tossing around impossible rst's, and sending packets slightly out-of order (but with good seq's)? I personally question ISS's (and all IDS vendors) ability to stand up to this test..

    -jcw

  128. Wrapping it up... by johnnyw · · Score: 1

    Sure, I have some bias against big corporate "Information Security" shops. Especially ones where former hackers kick back in their leather chairs in Brooks Brothers suits, fly with AMEX corporate, and bill more bartabs to clients than the sparse meals that I (no longer in infosec) am used to now. This aside, here are some facts about the biz that may be of some relevance.

    1) The customer has the money.
    Because of this, companies like ISS want to maintain a good relationship with their customers. If this means duping some CIO's into thinking that their "engineers" shit marble... then so be it. I know some people at ISS and I feel terrible about being so g/d damn angry at them (iss, not my associates)... unfortunately, however, this is the way that it is.
    2) The customer runs MS operating systems.
    This is a whole different rant. The customer had some security with just the win9x being vulnerable.. now bo2k runs on NT and that is bad.
    3) The customer likes being able to sleep at night...
    Exactly, so what do we do to keep that happening and keep them as a customer??? We hype up some findings about some new threat and toss in some buzz words (fuzz words ;) ) and know that 90% of the cio's dont talk to their hardcore engineers.

    I am still FUMING about the "we dont hire hackers" comment that Mr. Klaus said in an interview with someone (infoweek? I forget). I wont even talk about EY's "Extreme Hacking"... the hacking that is extreme "But has no nose rings".... well not since I left them, anyway....

    Bitter, Tired, and wanting OUT of the industry forever..
    -johnny waters... freak, hacker, and future bondage store owner :)

  129. ISS X-farce findings by johnnyw · · Score: 2

    What ISS did was pretty trivial. The "detection" system simply looks at the properties of the network connection. When testing IDS systems at a client site, I found that certain systems, which I can not elaborate on, could not "see" connections if certain operations were carried out on the packets that make up the connection prior to their transmission. This effectively serves as verification of Timothy Newsham and Thom Ptacek's excellent paper on problems with IDS software.
    Here is the URL, thus absolving me from being accused of inventing this idea myself :)
    http://www.nai.com/media/ps/nai_labs/ids.ps

    Enjoy
    -johnny waters, former Information Security Professional (Being a Dilettante is not so bad)

  130. BO2K: cDc's mission is accomplished by Servant63 · · Score: 1

    This story PROVES that cDc (Cult of the Dead Cow) is smarter than Microsoft. cDc made it open source, so if people point out problems (for example the encryption) they will be fixed. But Microsoft REFUSES to update or let Windows be updated. Therefore BO2K will evolve while windows remains static and vulnerable to these attacks.
    Another thing, its not that big a threat if u are aware of what u are downloading and whom u are downloading it from. be open-minded, just because it is infamous for "hacking" u can use it for your business. its free and its better than any remote administration tool i have ever seen.
    i would like to salute cDc on their wonderful product.

  131. "Microsoft hit by Cult of the Dead Cow" by cainem · · Score: 1

    This story by Julian Borger, in today's Guardian (UK newspaper) contains the following:

    "True to the hacker's word, anyone curious enough to log into the cult's website will find his or her computer automatically infected with a virus."

    How true is this?

  132. Quite funny stuff, actually.. by ViGe · · Score: 1

    I find it really amusing, that such a group claims to be founded in 1984 - and they still, after 15 years, don't have anything better to do than write trojan horses? Writing that kind of stuff is something I would believe about 14-15 year old kids do, so a little calculation - they formed cDc about the same minute they were born.. Quite an impressive achievement!
    --
    It has to work - rfc1925
    1. Re:Quite funny stuff, actually.. by Natty · · Score: 1

      Hey, what do you mean about 14-15 year old punks writing trojan horses. I'm 14-15 years old and I don't do stuff like that! Then again I don't do much, other than reading slashdot and playing quake that is. ..sigh.. I really need to find something productive to do.

  133. Re: MS premier alert service... by B+Man · · Score: 1

    Microsoft SMS (or Systems Management Software) is the product that MS endorses and brands for a remote admin program.
    Sucks like shit, but its a product.

    B

  134. Child's Play by growler66 · · Score: 0

    If BO2k is 'child's play' does that say much about the security of MS OS's ?

  135. NT security flaws by Tincan · · Score: 1

    I just think it's funny that Mickeysoft denies that there might be any security flaws with NT. No system (computer or otherwise) is truly secure and NT isn't all that advanced of an OS. In my days as an NT network admin, I've installed countless hotfixes and security patches. There's no denying that NT is closer to wide open than bulletproof, but that doesn't mean that BO exposes any problems with NT itself.