cDc Charges MS w/ Distributing Cracker Software
davidr writes "Microsoft's response to Back Orifice 2000 has been to characterize it as a hacker tool instead of a network administration tool, because it can be installed stealthily and used to monitor users without their knowledge. cDc has responded by pointing out that Microsoft's own tool, SMS, does the same exact thing! They've called for antivirus software for SMS and challenged Microsoft to recall it. "
Read this one. It's interesting. Having never used SMS (hell, I haven't really used Windows in a year or so) I'll leave it up to you guys to figure out if this is true.
Where I last worked, they had some remote control tools. Netfinity from (I think) IBM has the checkbox for asking a user before taking over the desktop unchecked by default. With no visible indication that RC is taking place (nothing in the systray, etc.) it also is just as stealthy, although it is much less useful than last year's Back Orifice. Then the company started moving to IBM's Tivoli program. It as well requires a checkbox to ask the user before establishing a connection. So it too should be either banished or welcomed.
It all comes down to who cDc is. They probably will never be taken as a legitimate organization, so their products will be labelled as virii/trojans...
BO, even since the original release, has included the ability to change the port it operates on and to use a password to weakly encrypt all communications. The only reason many BO and BO2K systems are open to anybody over the internet is because they use the default port (31337) and aren't configured to use a password.
In my experience, a LOT of the BO infected machines (I haven't done any work with BO2K) are machines which have a c:\bo or c:\cdc directory, leading me to the conclusion that these are script kiddies who downloaded Back Orifice and then proceeded to run the executables that come with it before reading the textfile, installing the server on their own system in the process. They get what they deserve.
10 PRINT CHR$(205.5+RND(1)); : GOTO 10
Also, regardless of how you get it, if you have a warrant you're ok -- so I wouldn't be surprised to see BO[2k] being used by law enforcement agencies all over the place.
Well, the truth of it is that illegal evidence is not generally used, but it can be used if necessary. What generally happens is that the evidence is thrown out, but not the case - whereas in the States the entire case is thrown out the window.
To be fair, nearly any system can be compromised by booting from a floppy. The solutions are the same in all cases: a boot password (make sure the BIOS doesn't have a backdoor (most did at one time, I don't know if they still do)), or remove the floppy drive.
For higher security needs, encrypt the filesystem (on systems that support it).
I use XDM all the time. Add the following to passwd:
xdm::0:0:XDM:/root:/usr/X11R6/bin/xdm
Just type xdm at login: and it comes up.
If you'd rather just start X, run it nohup, and log off of the console session.
That way, if someone kills X, they get a login: only. If they just kill the session, they get xdm login. If you want a text vc, just switch and login. The minor inconvenience is just the cost of security.
Don't forget to set a password on LILO so people can't just boot single. Set a configuration password in BIOS and disable booting from floppy and cdrom as well.
If you do all of the above, you guarantee that the box will have to be opened to get in. If you set up an encrypted loop device as well, even ripping the drives out and putting them on another system won't expose your data.
This is an interesting idea, but does it not open a whole other box of security problems adding a second root user with no passwd? (especially with networked machine)
It does require that XDM be looked at carefully. As long as XDM is secure, the extra entry is also secure since it will just run XDM and then log back out. PAM can be configured to only allow that login from the console. If the would-be cracker tries to use a well-timed ^C to interrupt XDM, they might possibly succeed in running X without XDM, but that doesn't buy them anything.
I consider that line a security enhancement because it reduces the chances of forgetfully leaving a VC logged in.
I'm not sure what to do about the PowerMac situation. I suppose to be safe, you'd have to remove any drive that allows removable media to boot :-(. Possibly someone with more PowerMac experience knows a better way.
IMPORTANT note about PC BIOS passwords: At one time, a surprising number of them had hard coded back door passwords. Tech support would give those out to users who forgot their passwords rather than telling them they must clear their CMOS. Very dumb. I don't know if that is still done or not, only that MINE doesn't have one. Only a disassembler will tell you for sure.
The "jumper these pins to clear the BIOS" isn't too bad, but draining the battery with a pair of jumpers and a resistor to clear the BIOS is better.
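The XDM-in-passwd trick above and the follow-up question about a second passwordless UID 0 account are the kind of thing worth checking mechanically on a box. The script below is an added example, not something posted in this thread: it parses /etc/passwd-format text and reports any non-root account with UID 0 and any account with an empty password field, and it checks lilo.conf text for the `password=` and `restricted` directives that stop someone from simply booting `single`. The account names, paths and the lilo placeholder password in the sample inputs are constructed.

```python
"""Audit passwd-format and lilo.conf-format text for the weaknesses
discussed above.  Added example; sample inputs are constructed."""

# Constructed passwd sample: the thread's "xdm" UID 0 entry with an empty
# password field, plus an unrelated guest account with no password.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
xdm::0:0:XDM:/root:/usr/X11R6/bin/xdm
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
alice:x:1000:1000:Alice:/home/alice:/bin/bash
guest::1001:1001:Guest:/home/guest:/bin/sh
"""

# Constructed lilo.conf samples: one with a boot password, one without.
SAMPLE_LILO_OK = """\
boot=/dev/hda
password=changeme-placeholder
restricted
image=/boot/vmlinuz
  label=linux
"""

SAMPLE_LILO_WEAK = """\
boot=/dev/hda
image=/boot/vmlinuz
  label=linux
"""


def parse_passwd(text):
    """Split passwd lines into dicts; raise on malformed lines rather than
    silently skipping them, since a truncated line can hide an account."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(fields)}")
        name, pw, uid, gid, gecos, home, shell = fields
        entries.append({"name": name, "pw": pw, "uid": int(uid), "gid": int(gid),
                        "gecos": gecos, "home": home, "shell": shell})
    return entries


def audit_passwd(text):
    """Return (kind, account, shell) findings for extra UID 0 accounts and
    empty password fields.  The shell is reported because the xdm trick is
    only as safe as the program that entry runs."""
    findings = []
    for e in parse_passwd(text):
        if e["uid"] == 0 and e["name"] != "root":
            findings.append(("extra-uid0", e["name"], e["shell"]))
        if e["pw"] == "":
            findings.append(("empty-password", e["name"], e["shell"]))
    return findings


def audit_lilo(text):
    """Return the set of boot-loader protections present in lilo.conf text.
    'password' = a password= line exists; 'restricted' = the password is only
    demanded when boot parameters such as 'single' are supplied."""
    opts = set()
    for line in text.splitlines():
        key = line.strip().split("=")[0].strip()
        if key == "password":
            opts.add("password")
        elif key == "restricted":
            opts.add("restricted")
    return opts


if __name__ == "__main__":
    for finding in audit_passwd(SAMPLE_PASSWD):
        print("passwd:", *finding)
    for name, conf in (("ok", SAMPLE_LILO_OK), ("weak", SAMPLE_LILO_WEAK)):
        print(f"lilo ({name}):", sorted(audit_lilo(conf)) or "no boot password")
```

On a real box, feed it `open("/etc/passwd").read()` and `open("/etc/lilo.conf").read()`; the xdm entry will show up as both `extra-uid0` and `empty-password`, which is exactly the point of the discussion above: it is acceptable only if the shell it runs is XDM and PAM limits that login to the console.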
GIF of how to turn off visibility. Notice how both permission required and visible signal are unchecked.
All the warning you get. WUSER32 is the process (it's not visible under the Applications pane) that runs SMS.
I don't know what SMS 2.0 behaves like as we aren't using it here yet.
--
Ben Kosse
Remember Ed Curry!
Actually, for all practical purposes, what makes SMS not a cracking tool is its cost and its bloat. The average script kiddie (obviously) could not afford a legit copy of SMS, and probably wouldn't be able to figure it out if he/she did have it. Ironically, what makes BO2k a "cracking tool" is its price and ease-of-use. I'm sure that if MS made SMS small, easy, and free, crackers would have a field-day with it, too.
Causation can cause correlation
My only experience of SMS was when we were evaluating Amdahl's awful A+EDM. SMS was slightly better, but both were hampered by NT's design flaws. In the end, we went for SMS for NT, and stuck with rdist for Unix. I haven't been able to check out their web site, to find exactly what features the Linux client has, but I'm betting it's run either as root, or with setuid root privileges, and I'll pretty much guarantee it'll be closed source, and users won't be able to fix the security holes that I'm sure it'll introduce...
"The invisible and the non-existent look very much alike." -- Delos B. McKown
I was one of these IS people. Of COURSE it's a tool of control.
I wouldn't be too concerned though. SMS collects a lot of information, but unless the admin knows *exactly* what he's looking for he won't find it. SMS is very difficult to administer well, it breaks frequently, it is easy to confuse, and it is VERY slow.
If you want to hide something from SMS, get Partition Magic and change your partitioning slightly from week to week. Eventually SMS will fill up its MS-SQL (slogan: "just like daddy's") database with 100-some entries on your machine and its contents and cease to be useful.
Wow! Looks like you have 362 copies of Netscape installed!
"Reactionaries must be deprived of the right to voice their opinions; only the people have that right." - Mao
If I work at a place that has SMS installed, how do I disable it (short of running Linux?)
That won't work. If a "process" like bo2k is running as a thread under some other program (like EXPLORER.EXE, for example...) then it will not show up on any process task you care to use.
For removal, you should be able to find BO2K's registry entry in RegEdit, under HKEY Local Machine>Software>Microsoft>Windows>Run or a similar directory either under Windows here, or under the HKEY current user.
That will catch the default install of bo2k, but that is not the only way it can function. There are several other attacks (like the one above coupled with the default search path of Windows NT which searches $HOME before anything else).
The only reliable way of seeing if someone is monitoring you is to run a network snooper on some other machine on the same non-switched subnet as your machine. That only works if you can guarantee the security of the auditing machine (like turn off *all* network services on a Linux box and just have it snoop your NT machine's traffic). With that kind of setup you can see all the connections your machine is making and receiving.
The wheel is turning but the hamster is dead.
The wheel is turning, but the hamster is dead.
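The post above recommends watching a machine's traffic from a separate sniffer box, and an earlier post notes that most exposed BO installs sit on the default port 31337. The script below is an added example, not code from this thread: it parses tcpdump-style summary lines captured from the monitoring host, tallies which peers the watched machine is talking to, and flags any UDP flow touching port 31337. The capture lines and addresses are constructed, and the line shape assumed is tcpdump's `IP src.port > dst.port: ...` summary format.

```python
"""Summarize sniffer output for one monitored host and flag traffic on the
Back Orifice default port.  Added example; the capture below is constructed."""
import re
from collections import Counter

# Default BO listener port, as cited in the thread.
BO_DEFAULT_PORT = 31337

# Constructed sample in tcpdump's one-line summary shape (not a real capture).
SAMPLE_CAPTURE = """\
12:00:01.100 IP 10.0.0.7.1052 > 10.0.0.9.139: Flags [S], seq 1, win 8192, length 0
12:00:01.300 IP 10.0.0.9.139 > 10.0.0.7.1052: Flags [S.], seq 2, ack 2, win 8192, length 0
12:00:02.000 IP 192.168.1.20.1337 > 10.0.0.9.31337: UDP, length 18
12:00:02.050 IP 10.0.0.9.31337 > 192.168.1.20.1337: UDP, length 64
12:00:03.000 IP 10.0.0.9.1053 > 10.0.0.1.53: UDP, length 31
12:00:04.000 IP 10.0.0.9.1054 > 10.0.0.2.80: Flags [S], seq 5, win 8192, length 0
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): (?P<rest>.*)$"
)


def parse_line(line):
    """Return a packet dict for a tcpdump-style summary line, or None if the
    line is not in that shape (ARP, truncated lines, etc.)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rest = m.group("rest")
    if rest.startswith("UDP"):
        proto = "UDP"
    elif rest.startswith("Flags"):
        proto = "TCP"
    else:
        proto = "OTHER"
    return {"ts": m.group("ts"), "src": m.group("src"), "sport": int(m.group("sport")),
            "dst": m.group("dst"), "dport": int(m.group("dport")), "proto": proto}


def audit_capture(text, monitored_host):
    """Count packets per peer for the monitored host and collect every UDP
    packet that uses the BO default port on either side."""
    peers = Counter()
    hits = []
    for line in text.splitlines():
        pkt = parse_line(line)
        if pkt is None or monitored_host not in (pkt["src"], pkt["dst"]):
            continue
        peer = pkt["dst"] if pkt["src"] == monitored_host else pkt["src"]
        peers[peer] += 1
        if pkt["proto"] == "UDP" and BO_DEFAULT_PORT in (pkt["sport"], pkt["dport"]):
            hits.append((pkt["ts"], pkt["src"], pkt["dst"]))
    return {"peers": dict(peers), "bo_default_port_hits": hits}


if __name__ == "__main__":
    report = audit_capture(SAMPLE_CAPTURE, "10.0.0.9")
    for peer, n in sorted(report["peers"].items()):
        print(f"peer {peer}: {n} packets")
    for ts, src, dst in report["bo_default_port_hits"]:
        print(f"{ts} UDP {BO_DEFAULT_PORT} traffic: {src} -> {dst}")
```

The port check only catches a default install; as the earlier post says, a server moved to another port will not trip it, which is why the per-peer tally is also returned: an unfamiliar peer exchanging packets with a workstation that should only be talking to the file server and DNS is the thing to look at next.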
Before you talk with such certainty, check the urls supplied in our press release. There is, in fact, an option to install SMS silently, I believe it's install /i.
As far as requiring Windows NT, a login to a domain controller, and a SQL server login... well, no, we don't require any of those, because we don't think that people should have to buy NT, a machine to act as PDC, OR SQL Server in order to effectively administer their network. We think it should be FREE.
Ahhh I must say Veggie must have had some fine corn whiskey this last weekend to have such a brilliant stroke of vision.
F /...
My shower curtain is proud to be "Owned by the cDc".
---
Openstep/NeXTSTEP/Solaris/FreeBSD/Linux/ultrix/OS
--- I do not moderate.
There are several methods of removing Bo, NetBus, etc, but nothing yet for BO2K as far as I know, nothing for SMS either. I believe if in the permissions in User Manager on your box, if you have local admin rights, you change the "Access this computer from the network" field to only include your local and domain accounts, that'll keep the weenies out, but any NT admin who has the smallest clue can change it back on you via remote registry changes or SMC.
This message brought to you by the Council of People Who Are Sick of Seeing More People.
Yes, both can be used as remote administration tools, but there are a few primary differences. BO2K has functions that can pretty much only be used maliciously, which are not contained in SMS. Examples: piping microphone input to a BO client, logging keystrokes, scanning for BO servers, etc. I don't know EVERYTHING SMS can do because, well, I try to avoid most Microsoft contact, but some of it is unavoidable in my job. Also, BO hides itself by making its executables and registry entries look like system files/keys, which makes it a pain should you decide it's time to uninstall. Most legit remote management tools can be removed with a minimal effort.
I'm not trying to defend MS here, but if cDc claims that BO2K is anything but a hacker tool, they're only kidding themselves. I want to see Gates eat a big steaming turd as much as the next guy, but I think cDc is going about it entirely the wrong way, and I think they're doomed to failure.
Wow, did I just play devil's advocate for M$? What IS this world coming to?
This message brought to you by the Council of People Who Are Sick of Seeing More People.
I believe all that command does is actually execute OUTLOOK.EXE.
--
QDMerge -- data + templates = documents.
how to invest, a novice's guide
I wonder how many law enforcement agencies use Back Orifice to assist them in their investigations...
-- ----------------------------------------------
Vive le logiciel... Libre!!!
Microsoft needs to take a true stand on the issue. Either hidden remote control software is malicious or it is not. If they claim BO2K is malicious, they need to pull SMS from the shelves, because their functionality is nearly identical. I don't think it really matters what a person thinks of cDc, or what they are doing. It's a simple matter of blatant hypocrisy, and, in my opinion, they are breaking the law by slandering a competing product. If cDc had the money, they could probably win a lawsuit.
---------------------------------------
If you need to point-and-click to administer a machine,
Like most people, I laughed. I even downloaded the word document (I'll be sure to scan it before using it).
This does show Microsoft to be hypocrites, but that's hardly news to anyone.
One thing to remember, though, is that this doesn't make CDC angels.
BO2K is, to all intents and purposes, a cracker tool. It has valid uses, but the vast majority of people who download it are not sysadmins. BO2K remains a monumental pain in the nuts for innocent Windows administrators.
I'm not against CDC or BO2K; that doesn't mean we should paint CDC as saints.
yeah - that's like ignoring cancer until it goes away - it happens eventually - you die...
OK, kid, before you get too carried away with your own brilliance, tell me why practical geneticists - the people who develop new breeds of animals and new varieties of plants - cross offspring with parents and with each other when trying to get a trait to breed true. I took the original poster to mean "They are increasing one trait, but they are doing it through inbreeding, so eventually they will be a bunch of musclebound hemophiliac morons".
Obviously I wasn't clear. In replying to the previous poster, I simply meant to point out an error in the previous poster's logic, who said something to the effect that BO2K is inherently bad because it lets you damage a computer. My point was that file sharing also lets you damage a computer. BO2K is just a tool. A powerful, potentially dangerous tool, one that can be used for illegal and unethical purposes, but still a tool.
The simple act of sitting at someone else's computer and deleting a file without permission is potentially a crime and could certainly subject you to civil penalties.
I have used SMS for a corporation before - they pushed the install to all the machines, and yes they could control the machines with/without the users' knowledge... BUT, one thing we always had to do was call the person up to have them manually activate all the services the first time (after that it saved the config)... I'm not really sure how this can be compared as the same thing. Also, the SMS software had to be installed, and without admin access to the domain there was no way to do this unless we wanted to step around to each of the 750 machines on the network... So yes, SMS and BO2K do have similar working features... with the exception of how they are implemented (and in my book that is a big exception)...
That's evidently the way our company thinks also. We need to spend $1500 and 3 weeks per license for compilers because we are not allowed to download free compilers from the 'net.
If it's free, it can't nearly be as good as something you could pay copious amounts of $$$ for. Productivity be damned, we want to waste money.
If the company managers/CEOs/and government officials were in charge from the beginning, I'm surprised we ever climbed down from that first tree.
-- toolie
A couple of reasons why BO2K is NOT a legitimate remote network administration tool.
1. It's called Back Orifice. "Yes sir, I'd like to submit an expense report for...umm... Back Orifice"
2. The cDc claims both that BO2K is a legitimate remote network administration tool, and that it is releasing BO2K to force Microsoft to plug (intrinsic design-related) security holes in NT. That's a contradiction. Imagine the press release for pcAnywhere 2000: "This version contains all kinds of all-new features, primarily designed to force Microsoft to plug security holes." And maybe Symantec will rename itself the Cult of the Norton Commander (cNc).
Also, it's quite obvious that use as a cracking tool was a consideration in the design of BO2K. While SMS and other remote administration systems do have "Stealth modes", BO2K has *only* a stealth mode, and stealth seems to have been a major design consideration. (Correct me if I'm wrong here, I didn't actually download it as I don't want to be sifting through my registry to get rid of it.)
Still, it is NOT a trojan. Trojans don't have install programs. I think anti-virus programs scanning for it is a bit of a joke. For that matter, I think anti-virus programs should stick with viruses (which, of course, BO2K is not by definition) - the only true protection against trojans is to be careful what software you run.
BO2K is certainly a useful program for remote administration. It's small, fast, etc. But claiming that it's just a useful little open source administration tool is engaging in a Microsoft-style bending of facts. For those of you who still claim this, think about who most of the future users of BO2K will be. Will they be script kiddies and people who just want to try it out, or will they be sysadmins of large networks? If it will very rarely be used to administer large networks ("Help Desk? I'm having trouble with Word." "OK, just let me Orifice into your system. Our custom BUTTplugs should help with this one") but rather used by the kind of people who haven't yet mastered the concept of digits being used in numbers and letters being used in words, and as such think that the program is l33t, then it isn't a legitimate remote administration tool.
I was testing SMS on our NT box because we were contemplating utilizing it for administration. I installed the client on one box to see how it would be. Lo and behold.. the next day.. it had installed itself on ALL of our computers. It had gone in and made changes to my login.bat script own its own. This was TOTALLY not cool.
I actually got busted this morning for running NetBus on my system...NAV had picked it up and notified my admins, who use both SMS and PC Anywhere to "spy" on our systems. The really funny thing: as local administrator, I can uninstall NetBus Pro (actually has an uninstall routine) but I cannot uninstall SMS.
Hrm. Wonder which one acts more like a virus.
Nature provides two forces against these kings of the hill: better billygoats, who can sneak past the big buggers, and the slow grinding away of the hill upon which they sit, which is so difficult to climb because of a steep monopoly. These may be thought of as Linux and the erosion of the computer operating system monopoly mountain-peak. Together, the mountain is getting harder to defend against something like Linux, and the faster, nimbler billygoats are winning more of the battles for the hilltop.
The inevitable conclusion is undetermined as of yet; the smaller, nimbler billygoats may yet force the hefty one off the top, the hefty kings of the hill may yet defend their mountain, or while the duel continues against each other, the mountain may just disappear, and we all buy appliances.
To make the analogy more fun, we must look at what happens to the hefty billygoats. They do not control one mountain; they have a say in several mountains -- from software through to WebTV to all kinds of fertile grazing lands. These mountains do not all disappear, and so the hefty billygoats, with their limited company immortality, can cling to many unconnected lands.
One can see the faults in the billygoats at the top of the hillside, where they are forced to give way to things like Apache for MSN and HotMail. They are not superior. Just in greater numbers, and more aggressive. Outside of the analogy, one might think that the sun shines brighter on the Microsoft soil, because their lands are so fertile. It's more likely that it's fertilized with perfume-smelling dung to bring the birds and the bees. It's still dung, though, where it would not normally be fertile land.
SMS vs BO2K arguments are one field on the mountain range that must be debated. BO2K does not possess the awe of the Open Source billygoats, but does have the potential to offset the balance in yet another area controlled by a bloated pack of oversized goats.
Packs of animals are forced to maintain a certain size to compete. Microsoft is well beyond this size, and, outside the analogy, their interdependency may be the end of them.
The lesson? Polygamy and inbreeding will not necessarily lead to better goats.
I have a great idea. Since BO2K is open source, why not port it to Linux to run SMS capabilities from a Samba server? Sounds like a great project to me, if only I could program.....
Wiggles (the pathetic Linux luser)
Umm... your comment assumes that you made the mistake of using Micros~1's ill-fated Domain setup. (It's going away when the vapour clears from Windows 2001's inActive Directory.)
;)
Can't we all agree to use LDAP and get on with enterprise computing architecture? (Forgot -- there's no MSLDAP, Visual LDAP, or DirectLDAP-DNS-for-datacenters yet.)
Oh, by the way, what about VNC? If an email attachment started a VNC server and set the password, would that make vnc a virus?
I couldn't live without VNC to tame Windows boxes. If anti-virus software started uninstalling VNC, I'd find new anti-virus software.
What if vnc development forked and one branch was driven by some teenagers who were branded as hackers? Does vnc become a bad tool?
You have a couple options that would work with the original Back Orifice, and ought to work with BO2K...
For detection, Download and run the program WinTOP. This is the Windows equivalent of the Unix TOP program, which shows all processes listed in order of used processor time...It ought to be able to track the resources being used by BO2K.
For removal, you should be able to find BO2K's registry entry in RegEdit, under HKEY Local Machine>Software>Microsoft>Windows>Run or a similar directory either under Windows here, or under the HKEY current user.
Anyone who knows differently, please post a correction.
Email: MattTC(at)Yahoo(dot)com
--"You can lead a man to knowledge, but you can't make him think."
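The post above, and the reply to it further up, point at the Run keys as the place to look for a BO2K autostart, while also noting that an entry can hide by using a system-looking name or by relying on the Windows search path. The script below is an added example, not from this thread: it parses a RegEdit `.reg` export of the HKLM and HKCU `...\CurrentVersion\Run` keys, lists every autostart command with its hive, and flags entries that give no directory (so the executable is found via the search path) or that point outside the Windows and Program Files directories. The sample export, the value names, the paths and the "trusted directory" prefixes are all constructed assumptions; the key path `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run` is the real one RegEdit shows.

```python
"""Review autostart entries from a RegEdit .reg export.  Added example;
the export text and the trusted-prefix heuristic below are constructed."""
import re

# Constructed .reg export (RegEdit escapes backslashes as \\ and quotes as \").
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"AntiVirusScheduler"="\"C:\\Program Files\\ExampleAV\\sched.exe\" /background"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"msupdate"="C:\\TEMP\\msupdate.exe"
'''

# Assumed system locations; anything launched from elsewhere gets a review flag.
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\winnt\\", "c:\\program files\\")

SECTION_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"=(?P<val>.*)$')


def _unescape(s):
    """Undo .reg string escaping: a backslash protects the following char."""
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            out.append(s[i + 1])
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def parse_reg(text):
    """Return (key, value_name, value) triples for string values in the export."""
    entries, key = [], None
    for line in text.splitlines():
        line = line.strip()
        sec = SECTION_RE.match(line)
        if sec:
            key = sec.group("key")
            continue
        val = VALUE_RE.match(line)
        if val and key:
            raw = val.group("val")
            if raw.startswith('"') and raw.endswith('"'):
                raw = _unescape(raw[1:-1])   # string value; others kept raw
            entries.append((key, _unescape(val.group("name")), raw))
    return entries


def run_entries(text):
    """Keep only values under a Run or RunOnce key, in either hive."""
    return [e for e in parse_reg(text)
            if e[0].lower().endswith(("\\run", "\\runonce"))]


def executable_of(command):
    """First token of a command line, honouring a quoted path with spaces."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def review_autostarts(text):
    """Return (hive, name, executable, flags) for each autostart entry."""
    report = []
    for key, name, command in run_entries(text):
        exe = executable_of(command)
        flags = []
        if "\\" not in exe and ":" not in exe:
            flags.append("relies-on-search-path")
        elif not exe.lower().startswith(TRUSTED_PREFIXES):
            flags.append("outside-system-dirs")
        report.append((key.split("\\")[0], name, exe, flags))
    return report


if __name__ == "__main__":
    for hive, name, exe, flags in review_autostarts(SAMPLE_REG):
        print(f"{hive:<20} {name:<20} {exe:<45} {' '.join(flags)}")
```

To use it on a real machine, export the two Run keys from RegEdit into a file and pass the file's text to `review_autostarts`. The flags are a review aid, not a verdict: a bare `SysTray.Exe` is normal on some installs, but it is also exactly the shape an entry takes when it counts on the search-path behaviour mentioned in the reply above, so each flagged line deserves a look at where the file actually lives.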
On my NT Workstation box, I can see the SMS client - the process list has SMSAPM32.exe and smss.exe listed, as well as a Systems Management icon under Control Panel. However, this visibility is probably due to my administrator access, both locally, and in the domain.
One interesting thing to note about SMS, though - we applied SP 1 to it, and a previously unknown bug appeared (something to do with a certain configuration), where the client began to cause errors on seemingly random machines.
We're now in the process of removing the client.
Ahh, how I love Open Source...
PinkFreud
Either Microsoft has to admit that they have the same program and recall it...or anti-virus software has to scan for it...if either of the 2 happen people are going to be laughing for days....
But Microsoft will probably ignore the problem until it goes away
"Imagination is the only weapon in the war against reality." -Jules de Gautier
This is obviously just a ploy by cDc to legitimize a trojan horse app, that in 99% of all cases will be used to break into an unsuspecting user's machine.
I have been involved in dozens of SMS rollouts. SMS is a network analysis tool, that has the capability to remote control client workstations on the network.
In order for SMS to do this, you must install the SMS Client on a machine in the same Windows NT domain. This installation process will *not* run in the background, and will pop up several boxes to the user. Once the client is installed, the client configuration app must be opened, and the machine must be set to allow remote control. You also have the option of a dialog box show up informing you that someone is connected.
Along with these settings, every user that logs on to a network that is SMS aware knows that the client is installed, because it pops up an SMS configuration dialog box during every logon.
This remote control feature of SMS is used primarily for network admins that need to remote control servers rather than client desktops. In fact, out of all the installations I have done, the only machines that have this option turned on are the servers.
BTW, the SMS Admin tool that allows you to connect to the clients requires Windows NT, a valid logon to the Windows NT Domain that you want to administer, and a SQL server logon with appropriate rights to administer SMS.
How many checks like this does BO2K do?
Regards,
eg