Slashdot Mirror


cDc Charges MS w/ Distributing Cracker Software

davidr writes "Microsoft's response to Back Orifice 2000 has been to characterize it as a hacker tool instead of a network administration tool, because it can be installed stealthily and used to monitor users without their knowledge. cDc has responded by pointing out that Microsoft's own tool, SMS, does the same exact thing! They've called for antivirus software for SMS and challenged Microsoft to recall it." Read this one. It's interesting. Having never used SMS (hell, I haven't really used Windows in a year or so) I'll leave it up to you guys to figure out if this is true.


  1. SMS 1.2 and hiding. -- last links were bad. by bkosse · · Score: 4

    GIF of how to turn off visibility. Notice how both permission required and visible signal are unchecked.

    All the warning you get. WUSER32 is the process (it's not visible under the Applications pane) that runs SMS.

    I don't know what SMS 2.0 behaves like as we aren't using it here yet.

    --
    Ben Kosse
    Remember Ed Curry!
    1. Re:SMS 1.2 and hiding. -- last links were bad. by ink · · Score: 3
      Actually, it can even hide itself without showing WUSER32 in the process list. It can run as a separate thread inside some other executable (welcome to the wonderful world of "I'm not a process I'm a thread").

      There was a BugTraq issue a few weeks ago about the lame search path that is used by Windows NT. It searches $HOME before *anything* else and so all you really need to do is put explorer.exe on the home drive and put a bo2k thread in it (well, you get the point). This can all be done easily within Word macros.

      Another thing that bugs me: A user can do this and under certain circumstances the process is kept alive between logins. AND, as if that weren't enough: it registers itself as a startup program (all users have the ability to do this on a default NT install) and as soon as the Administrator logs in...

      Microsoft has a lot of work to do in order to make NT safe for multiple-user workstations.

      The wheel is turning but the hamster is dead.

      --
      The wheel is turning, but the hamster is dead.
  2. Well, they're sorta the same by forkboy · · Score: 3

    Yes, both can be used as remote administration tools, but there are a few primary differences. BO2K has functions that can pretty much only be used maliciously, which are not contained in SMS. Examples: piping microphone input to a BO client, logging keystrokes, scanning for BO servers, etc. I don't know EVERYTHING SMS can do because, well, I try to avoid most Microsoft contact, but some of it is unavoidable in my job. Also, BO hides itself by making its executables and registry entries look like system files/keys, which makes it a pain should you decide it's time to uninstall. Most legit remote management tools can be removed with minimal effort.

    I'm not trying to defend MS here, but if cDc claims that BO2K is anything but a hacker tool, they're only kidding themselves. I want to see Gates eat a big steaming turd as much as the next guy, but I think cDc is going about it entirely the wrong way, and I think they're doomed to failure.

    Wow, did I just play devil's advocate for M$? What IS this world coming to?

    --
    This message brought to you by the Council of People Who Are Sick of Seeing More People.
  3. Lock-up Machine by chromatic · · Score: 3

    I believe all that command does is actually execute OUTLOOK.EXE.

    --
    QDMerge -- data + templates = documents.

  4. As well they should by Knight · · Score: 4

    Microsoft needs to take a true stand on the issue. Either hidden remote control software is malicious or it is not. If they claim BO2K is malicious, they need to pull SMS from the shelves, because their functionality is nearly identical. I don't think it really matters what a person thinks of cDc, or what they are doing. It's a simple matter of blatant hypocrisy, and, in my opinion, they are breaking the law by slandering a competing product. If cDc had the money, they could probably win a lawsuit.
    --
    If you need to point-and-click to administer a machine,

  5. Funny that.... by blixco · · Score: 3

    I actually got busted this morning for running NetBus on my system...NAV had picked it up and notified my admins, who use both SMS and PC Anywhere to "spy" on our systems. The really funny thing: as local administrator, I can uninstall NetBus Pro (actually has an uninstall routine) but I cannot uninstall SMS.

    Hrm. Wonder which one acts more like a virus.

  6. Re:Something to bear in mind by AaronW · · Score: 5
    BO2K may have legitimate uses, but it seems to be most widely used for breaking into other computers or causing trouble. I'm running a Perl script called booby (available at http://members.home.com/lazyx/booby). This script simulates a BO-infected system and logs all activity. BO seems to be a favorite for script kiddies. As a cable modem user I see a lot of BO activity. Here are some recent log entries (IP address and host name have been X-ed out):

    Jul 21 21:56:04: xxxxxxxxxx.xxxxxx.xx.wave.home.com(24.xxx.xxx.xx): 1641 >>proclist
    Jul 21 21:56:05: ...reply sent
    Jul 21 21:56:22: xxxxxxxxxx.xxxxxx.xx.wave.home.com(24.xxx.xxx.xx): 1641 >>lockup
    Jul 21 21:56:22: ...reply sent
    Jul 21 21:56:29: xxxxxxxxxx.xxxxxx.xx.wave.home.com(24.xxx.xxx.xx): 1641 >>info
    Jul 21 21:56:30: ...info sent
    Jul 21 21:56:39: xxxxxxxxxx.xxxxxx.xx.wave.home.com(24.xxx.xxx.xx): 1641 >>passes
    Jul 21 21:56:39: ...passwords sent
    Jul 21 21:57:00: xxxxxxxxxx.xxxxxx.xx.wave.home.com(24.xxx.xxx.xx): 1641 >>reboot
    Jul 21 21:57:00: ...reply sent
    Jul 21 21:57:07: xxxxxxxxxx.xxxxxx.xx.wave.home.com(24.xxx.xxx.xx): 1641 >>passes
    Jul 21 21:57:08: ...passwords sent
    Jul 21 21:57:11: xxxxxxxxxx.xxxxxx.xx.wave.home.com(24.xxx.xxx.xx): 1641 >>reboot
    Jul 21 21:57:12: ...reply sent
    Jul 21 21:57:28: xxxxxxxxxx.xxxxxx.xx.wave.home.com(24.xxx.xxx.xx): 1641 >>proclist
    Jul 21 21:57:29: ...reply sent
    Jul 21 21:57:38: xxxxxxxxxx.xxxxxx.xx.wave.home.com(24.xxx.xxx.xx): 1641 >>lockup
    Jul 21 21:57:38: ...reply sent
    Jul 21 21:57:42: xxxxxxxxxx.xxxxxx.xx.wave.home.com(24.xxx.xxx.xx): 1641 >>lockup
    Jul 21 21:57:42: ...reply sent
    Jul 21 21:57:43: xxxxxxxxxx.xxxxxx.xx.wave.home.com(24.xxx.xxx.xx): 1641 >>lockup
    Jul 21 21:57:43: ...reply sent
    Jul 21 21:57:46: xxxxxxxxxx.xxxxxx.xx.wave.home.com(24.xxx.xxx.xx): 1641 >>info
    Jul 21 21:57:47: ...info sent
    Jul 21 21:57:59: xxxxxxxxxx.xxxxxx.xx.wave.home.com(24.xxx.xxx.xx): 1641 >>proclist
    Jul 21 21:58:00: ...reply sent
    Jul 21 21:58:12: xxxxxxxxxx.xxxxxx.xx.wave.home.com(24.xxx.xxx.xx): 1641 >>prockill 4291797281
    Jul 21 21:58:13: ...reply sent
    Jul 21 21:58:16: xxxxxxxxxx.xxxxxx.xx.wave.home.com(24.xxx.xxx.xx): 1641 >>proclist 4291797281
    Jul 21 21:58:17: ...reply sent

    As you can see, no useful tool would have commands like "lockup". I have seen more malicious attempts than this as well, such as one person who often launches DoS ping attacks against other users from BO-infected machines.

    As much as I hate Micro$loth, I must agree with them on this one. If there were a BO without all of the malicious features then perhaps it would be taken seriously, but with the stealth features and the crash features I think its main purpose is fairly clear (at least to the script kiddies).

    --
    This post is encrypted twice with ROT-13. Documenting or attempting to crack this encryption is illegal.
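Added example, not AaronW's booby script (whose source is not on this page): a small Python parser for the log format quoted in the post above, counting the BO commands each source issued against the honeypot and flagging sources that used commands which only disrupt or steal from the victim. The request-line format is taken from the quoted entries; the split of commands into "malicious" versus reconnaissance is our own assumption.

```python
import re
from collections import Counter, defaultdict

# A few lines copied from the booby log quoted in the post (addresses X-ed out there).
SAMPLE_LOG = """\
Jul 21 21:56:04: xxxxxxxxxx.xxxxxx.xx.wave.home.com(24.xxx.xxx.xx): 1641 >>proclist
Jul 21 21:56:05: ...reply sent
Jul 21 21:56:22: xxxxxxxxxx.xxxxxx.xx.wave.home.com(24.xxx.xxx.xx): 1641 >>lockup
Jul 21 21:56:22: ...reply sent
Jul 21 21:56:39: xxxxxxxxxx.xxxxxx.xx.wave.home.com(24.xxx.xxx.xx): 1641 >>passes
Jul 21 21:56:39: ...passwords sent
Jul 21 21:57:00: xxxxxxxxxx.xxxxxx.xx.wave.home.com(24.xxx.xxx.xx): 1641 >>reboot
Jul 21 21:57:00: ...reply sent
Jul 21 21:58:12: xxxxxxxxxx.xxxxxx.xx.wave.home.com(24.xxx.xxx.xx): 1641 >>prockill 4291797281
Jul 21 21:58:13: ...reply sent
"""

# Request lines look like: "<Mon DD HH:MM:SS>: <host>(<ip>): <port> >><command>[ <args>]"
REQUEST = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d): (?P<host>[^(\s]+)\((?P<ip>[^)]+)\): "
    r"(?P<port>\d+) >>(?P<cmd>\S+)(?: (?P<args>.*))?$"
)

# Commands that only disrupt the victim or steal from it (our assumption, per the post).
MALICIOUS = {"lockup", "reboot", "passes", "prockill"}


def parse_line(line):
    """Return a dict for a request line, or None for '...reply sent' style lines."""
    m = REQUEST.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def summarize(log_text):
    """Count the commands issued by each source IP."""
    per_source = defaultdict(Counter)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            per_source[rec["ip"]][rec["cmd"]] += 1
    return per_source


def flag_sources(log_text, threshold=1):
    """Sources that issued at least `threshold` commands from the MALICIOUS set."""
    flagged = []
    for ip, cmds in summarize(log_text).items():
        bad = sum(n for cmd, n in cmds.items() if cmd in MALICIOUS)
        if bad >= threshold:
            flagged.append((ip, bad))
    return sorted(flagged, key=lambda t: -t[1])
```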