BO2K cracked
Ford writes "The BBC is reporting that Internet Security Systems has "decoded the protocols and encryption algorithms of Back Orifice 2000 (BO2K) within 24 hours" of its release. Microsoft has issued only a warning, refusing to admit that there might be security vulnerabilities in WinNT.
" The security agencies interviewed in the article are claiming that BO2K is child's play, and that they already have detection systems in place. I'm just waiting for the Defcon response to their claims.
BO2K doesn't take advantage of any security holes in NT. It runs as a system service that accepts connections and allows the client to perform a myriad of both benign and unbenign tasks on the host machine. Of course, it has decent legitimate uses for system administrators but it is being presented in a viral fashion from a group whose objective is clearly to pull the wool over the collective eyes of the uneducated computer user and media. If CDC was truly interested in "helping" they would cease this childish, "me too" Microsoft bashing and provide the community with something new and insightful. I'm sure they're having all sorts of little rallies and pep-talks with one another about how they're "showing some control" when they're just showing their own contempt for the rest of us professionals that know better. I am, quite frankly, offended that CDC assumes we're all so naive to believe that they're doing us a favor.
To get straight to the meat of my post: this (BO2K) is not exposing any security hole. BO2K could be written for *NIX, BeOS, MacOS, etc.
People seem to generally miss the most important detail of all: the only practical way to truly lock down any OS is to remove it from the network entirely and allow zero points of entry.
BO is a trojan horse. If you can get a user to run an executable, you have him fscked. If I send someone a Linux executable which modifies his login script to start a telnet server (modified to not require a login, of course) on some non standard (>1024) port, he has his account wide open. Anything he can do, you can log in and do as well. Is this a security flaw of Linux?
You cannot prevent users from doing such things, under any OS. As such I think Microsoft is right that this is not really a security problem in Windows.
Now, I do not know if BO gives administrator rights to the invader. If it does, then *that* would be a security problem. But letting people install programs is not.
Of course, you could make users unable to run programs from $HOME at all, but that would be unacceptable in many circumstances.
--
I haven't laughed so much since zipexplorer came out. ISS have wonderful marketing spin, I mean, how difficult is it to 'crack' things when you've the source (as other people have pointed out). Come on Kris, I wasn't born yesterday.
I'm now waiting for a modified zipexplorer that includes the BO2K client, then we can all go back to installing proper email servers on our lans.
M-Sexchange: no product has ever been so well named
Martin
Not unless you have Admin rights.
perl -e 'print scalar reverse q(\)-: ,hacker Perl another Just)'
Matt. Want XML + Apache + Stylesheets? Get AxKit.
Good points, and I'm glad to read an informed view on this.
I think more people should do more research than reading zdnet and news.com on this subject. There are a lot of stupid posts above this one from people armed with disinformation. Quite simply, a lot of them are missing the point.
Anyone who wasn't there to hear the introduction first hand, you should check out the 41 minute MP3 of it. It's a lot more interesting than most product announcements. Here is a link to a page containing the mp3. Pay particular attention to the cheers from the crowd every time they mention something stupid in Windows that contributed to the program.
Things like "remote threads". Seriously. You can start a thread of another program from your program, stick your program into it, and what do you know, explorer.exe is now also running rc5des.
For a good laugh, listen to the undocumented Win32 call used in the 95/98 client.
Discrediting BO2K is almost as dangerous as BO2K itself. You can't just scan for port 31337. BO2K doesn't have a default port, you have to put something in yourself. You can't just look on netstat for open TCP connections. BO2K can transport over ICMP. You can't look for a signature to the file, adding a random x=x; into it will change it.
Sure, you say, but how many script kiddies will go changing source code? A valid point, as most script kiddies can't tell a semicolon from a mouse. However, cDc has also released (surely not coincidence) a "pkzip-lite" style program that compresses/encrypts executables to random keys. File signatures are probably the weakest form of "integrity verification" that I've ever seen. As far as watching for network transmission signatures, you'd be amazed how easy it is to write around that. The important part is that your method need not be good! All it needs to be is 1 bit different. Insert an extra byte into a header. Write a silly wrapper to make it look like http data, or a real audio stream.
The biggest factor in this is the software's open source license, which allows all this and more to happen. BO2K is merely the first variation. Stopping it is ineffective.
The last big part is the spreading issue. True, the clearest way to infect a computer is to send it as an email attachment. A quick modification to happy99.exe would really spice things up. IIS servers are still easy targets in the real world. You won't get www3.microsoft.com, but you will probably get www.joesfishingshack.com or similar. Imagine if someone combines a custom BO2K with a virus that is reasonably good at spreading itself.
That's what I think, at least.
Squash
ISS (or fill in the blank with your favorite Internet Security company) said they "cracked" the encryption.
Yay!
But what wasn't mentioned was that the only way that they can find if BO2K is on the computer...
is when it's on the computer. They can only find the "encrypted" stream when the connection to the victim computer is already in progress.
So... they'll sell you their services to fix BO2K.. but only if you've already got it. There is no pre-emptive fix.
Wow, that must have been a HUGE difficulty, considering the source is available (get it at this site)
BTW if NT is so ludicrously insecure, how come www.bbc.co.uk has never been cracked? They seem to use IIS as well as NT ...
"None are more hopelessly enslaved than those who falsely believe they are free." -- Goethe
The MS resource kit SU works fine (although only for command lines, as far as I can tell).
However, MS SU is not part of the OS, and requires installing it as a service. So the average NT workstation probably will never have this capacity, unless MS gets a clue and bundles it with Win2000.
--
Business. Numbers. Money. People. Computer World.
Running MS Office under a "secure" NT install is fairly well documented. Look around a bit.
--
Business. Numbers. Money. People. Computer World.
This isn't a flaw in NT, it's a flaw in the NT admin.
True, sadly, most NT Workstations seem to be set up with local administrative authority for the users.
I don't know if this is done to make the transition from Win9x easier, or to just reduce the workload of technicians, or because admins don't consider desktop security that important (after all, you could just steal the hard drive!) -- but in any case, it's a pretty stupid approach. Hopefully BO will get people to rethink this.
Note that if Linux ever starts getting used on the desktop, I wouldn't be surprised to see people give the users root authority too.
--
Business. Numbers. Money. People. Computer World.
1. Breaking BO2K's Crypto:
Of course he broke BO2K's crypto - the generic, straight from the 'box' crypto is XOR encryption - which is simple to 'break'. That said, inside the US, you can download a plug-in that will allow BO2K to use 3DES. Sophos did not crack 3DES. Even if he did, the plugin architecture allows a programmer to add any encryption scheme they wish, and BO2K will use it for all of its transfers.
2. Detecting of BO2K
Well - to detect BO2K in one configuration, all ISS had to do is look at the threads, and it will show up. This could be what they are discussing as easily detectable. However it is also possible to get BO2K to hide quite effectively by having it hop between threads, and use whatever ports it wants to. ISS could also be referring to the fact that BO2K uses the same registry key every time - and it does so on purpose which leads into point 3....
3. BO2K is a virus
BO2K is not a virus. Not even remotely. At worst it's a Trojan, but it is no more a Trojan than other packages like say PC Anywhere (and another one that I can not remember the name of - it starts with an S). Interestingly, some other 'remote admin' packages can also be installed over the net, or given as a 'trojan', or even be run as a hidden process. BO2K has many of the same features as similar packages, and has the same ability to be used for admin, as well as cracking.
4. BO2K is bad
BO2K is what you make of it. It's a tool. It can be used in many ways - some bad, some good. It really has some very useful features. Those features again can be used as you see fit.
I am not affiliated with the cdc, these views come from seeing their presentation of BO2K at defcon.
- The unexamined life is not worth leading -
I guess it wouldn't have mattered in this case, since BO2K is GPL'd, but I wonder: If the software lobbies manages to ram through all their proposed laws that would illegalize reverse engineering, will virus writers be able to sue anti-virus companies that crack their code?
Sheesh, evil *and* a jerk. -- Jade
Actually, I think the oldest cDc member (in age, not membership) is something over 60.
..
The youngest is 20.
And there's everything in between. For the most part the cDc guys are yer average white twenty-somethings (go figure)
I don't think it's right to lump all of them together as teenagers with delusions of grandeur, sure, some sort of fit that description (the ones that claim the hacker profile...) but the original guys aren't REALLY like that at all.
They are just some weird guys who released wizardry docs as text files when they were in Jr. High. oh, and some other stuff about rabbits.
Personally I prefer the text file aspect of cDc, the hacker part is a bit silly.
Screw this shit, I've had it/I ain't no mister cool./I'm a pig, I'm a dog/Excuse me if I drool./stm
Below is my summary of the article....
Sophos cracked BO2K. Errr wrote a detector for it. We don't know the difference though. But they figured out the protocols and encryption schemes. Ohhh buzzwords.
Those nasty cDc'ers didn't like Rouland and he showed them. He asked for a copy which is completely sensible as he's a good guy, but they don't like him. We won't mention that he wanted a copy before everyone else.
We think this will allow them to control other computers. But we aren't sure what control it gives you, so we'll just blather on. Oh and insult them. They're kids. They are even infected.
But not to worry any one M$ is right on top of it. They even issued gasp a warning.
It's a toy but ISS warned the program could easily be used to delete files, reconfigure machines, steal passwords and redirect network traffic, without a user or administrator's knowledge.
Isn't it amazing what toys can do now.
Pardon the sarcasm.
-cpd
One bookmark:
http://www.microsoft.com/security/bulletins/bo2k.asp
Kaa
Kaa's Law: In any sufficiently large group of people most are idiots.
Do all the package maintenance tools want to run as root ? As far as I know, rpm does. What about the others ?
If there's a culture of using root access to do any significant operation on a machine, it becomes much easier to convince a user to use root for every job, and hence to run any arbitrary install script from the net as root.
Package admin should demand only as much access as is necessary ; if run as a normal user, they should install only with that user's rights (modifying ~/bin, ~/lib etc.)
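A small illustration of the principle the post above argues for, written as an added example rather than code from the thread or from any package tool: an installer wrapper that never escalates and chooses its prefix from the caller's own privilege. The prefix paths, the environment variable names and the sample script it installs are assumptions for the demo.

```shell
#!/bin/sh
# Added example (not from the thread): least-privilege install wrapper.
# Root installs system-wide; every other user gets files under $HOME.
# SYSTEM_PREFIX / USER_PREFIX are assumed names used only by this demo.

# Pick the install prefix from the caller's effective uid.
install_prefix() {
  if [ "$(id -u)" -eq 0 ]; then
    printf '%s\n' "${SYSTEM_PREFIX:-/usr/local}"
  else
    printf '%s\n' "${USER_PREFIX:-$HOME/.local}"
  fi
}

# Install one file into <prefix>/bin with mode 0755, creating the directory
# if needed. Never calls su or sudo: if the prefix is not writable by the
# current user, refuse instead of asking for more privilege.
install_bin() {
  src="$1"
  prefix="$(install_prefix)"
  dest_dir="$prefix/bin"
  mkdir -p "$dest_dir" 2>/dev/null || {
    echo "refusing: cannot create $dest_dir as uid $(id -u)" >&2
    return 1
  }
  [ -w "$dest_dir" ] || {
    echo "refusing: $dest_dir not writable as uid $(id -u)" >&2
    return 1
  }
  dest="$dest_dir/$(basename "$src")"
  cp "$src" "$dest" && chmod 0755 "$dest"
}

# Demo with a constructed script in a temporary directory, so the example
# runs offline without touching the real /usr/local or ~/.local.
demo() {
  tmp="$(mktemp -d)"
  printf '#!/bin/sh\necho hello\n' > "$tmp/hello"
  ( SYSTEM_PREFIX="$tmp/sys"; USER_PREFIX="$tmp/user"; install_bin "$tmp/hello" )
  echo "installed under: $(SYSTEM_PREFIX="$tmp/sys" USER_PREFIX="$tmp/user" install_prefix)"
}

demo
```

Run as an ordinary user the script lands in the user prefix and the system prefix is never created; run as root it goes system-wide. The point is the absence of any escalation path: a package that is handed to the wrong user simply cannot reach beyond that user's own files.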
"Trojan horse software doesn't target technology, it targets the user. If BackOrifice did in fact exploit security vulnerabilities in Windows or Windows NT, Microsoft would promptly fix the vulnerability, and BackOrifice would be stopped."
Does this mean (as we knew all along) that Microsoft is more interested in maintaining the integrity of their technology than the interests of their users?
Sounds like a really easy joke here, but I'm interested how else I could interpret this statement. Please reply if you know ....
"He who questions training trains himself at asking questions." - The Sphinx, Mystery Men (1999)
If you ftp to www.bbc.co.uk you get:
Connected to www.bbc.net.uk.
220 www2.thny.bbc.co.uk FTP server (SunOS 5.6) ready.
Pretty easy when they give you the source. Sheesh. Next thing you know they'll "decode" how OpenBSD implements IPSec.
I rather think the Cult's point is still made.
To me, this is more serious than the BO2k release itself. Denial of any problems makes it very hard to solve them.
(I'd love to go into the 'you shouldn't even be able to install such tools under a proper or well-protected OS' thread, but then I'm not really feeling like Mr. Unix Snob this particular morning.)
-fester
ps.. SECOND POST.. MUAHAHAHA *spak*
-'fester
And which division of MS do you work for? /.) most of the anti-social lamers seem to be part of this side of the fight, I have to disagree with the terrorist type tactics some of them use, but overall they are pretty amusing. I am sorry if it seemed I was ranting, oh and back to the original question, which MS division did you say you worked for?
After the original release of BO and the way MS downplayed it, and now BO2k, it doesn't really matter if they are "a bunch of sad teenagers with serious delusions of grandeur" now does it. they've even released it under the GPL, for God's sake! which means it will be mutated and changed in ways that MS and the "anti-viral community" cannot even begin to keep up with. Yes Linux has security flaws, and they are fixed usually within 24 hours of being reported. The effect this could have is frightening, however I think that most of us out here that still have to use MS product are aware of the security threats and take precautions to minimize the risk. Linux is easier to lock down than NT and any sysadmin worth his salt is the only one who even knows the root password. It is much harder to hack a root password from a user account on Linux than it is to send someone an e-greeting card with BO attached. I don't think this is being overplayed by Linux advocates, I do know for a fact it is being played down to the point of being dangerous by MS advocates. The cDc is forcing MS to notice them and by doing that they just might be able to force MS to fix some flaws in their OS. IMHO this is a "Good Thing" I don't think any of the Linux users that have a decent IQ are getting cocky about NT, the fact is, it is less secure, more unstable, and frankly uglier than Linux. (OK uglier is an opinion not a fact) Oh and from the looks of it (just look around on
One could not write a program that would do what BO does on every Linux box it was run on, it would have to run as root. Only newbies are logged in as root all the time, and within 24 hours of something like BO being released for Linux there would be a patch/detection/fix released and sysadmins would know to use it. NT admins do not tend to have the level of security awareness the *nix admins do. Sending a secretary an electronic greeting card will get BO installed on most networks. After that she forwards the file to a few of her friends and guess what, security compromised. It might be a little harder to get upper management to run a program but I doubt it.
I know your solution is to install a detector on every machine, but this is open source, it will mutate beyond detection very quickly. MS downplayed the initial release of BO, and the cDc responded with this release, maybe the unwashed masses will finally see that MS products are full of security holes, don't even get me started on VBA. It is the dumbass users, as you call them, that make up the majority of the computer market, what makes you think you are so much better than they are. Frankly your comment about that disgusts me, I suppose you have never gotten a virus. I am an admin, but I don't feel that I am high and mighty compared to my users, get real, without users I wouldn't have a job.
I cannot agree with the tactics used to prove MS's security flaws, but at least someone is pointing them out, and they are using a big red pointer to do it. If NT security was not screwed to begin with then this problem wouldn't exist. There is a reason that there are not many programs like this and viruses for Linux, it is very hard to do. There are plenty of cracking tools, but most sysadmins know what to watch for. I'll bet at least 50% of the NT admins out there have believed MS's FUD about this and are telling their users there is no problem. So no, the cDc is not asking MS to fix the users, how about fixing the things that allow this program to do this to begin with. I am going to lower myself to your level now and say this, it's people like you that allow MS to continue to produce buggy software with swiss cheese like security holes. (I was going to call you something insulting, but I decided that I couldn't bear to lower myself all the way to your level) Have a nice day.
Completely true. Only, it's an old virus called "Good Times". Tell all your friends. ;)
What ISS did was pretty trivial. The "detection" system simply looks at the properties of the network connection. When testing IDS systems at a client site, I found that certain systems, which I can not elaborate on, could not "see" connections if certain operations were carried out on the packets that make up the connection prior to their transmission. This effectively serves as verification of Timothy Newsham and Thom Ptacek's excellent paper on problems with IDS software. :)
Here is the URL, thus absolving me from being accused of inventing this idea myself
http://www.nai.com/media/ps/nai_labs/ids.ps
Enjoy
-johnny waters, former Information Security Professional (Being a Dilettante is not so bad)