Slashdot Mirror

← Back to Stories (view on slashdot.org)

cDc Charges MS w/ Distributing Cracker Software

Posted by ryuzaki0 on from the isn't-this-interesting dept.

davidr writes "Microsoft's response to Back Orifice 2000 has been to characterize it as a hacker tool instead of a network administration tool, because it can be installed stealthily and used to monitor users without their knowledge. cDc has reponded by pointing out that Microsoft's own tool, SMS, does the same exact thing! They've called for antivirus software for SMS and challenged Microsoft to recall it. " Read this one. Its interesting. Having never used SMS (hell, I haven't really used windows in a year or so) I'll leave it up to you guys to figure out if this is true.

1 of 356 comments (clear)

  1. Re:Something to bear in mind by AaronW · · Score: 5
    BO2K may have legitimate uses, but it seems to be most widely used for breaking into other computers or causing trouble. I'm running a Perl script called booby (available at http://members.home.com/lazyx/booby. This script simulates a BO infected system and logs all activity. BO seems to be a favorite for script kiddies. As a cable modem user I see a lot of BO activity. Here's some recent log entries (IP address and host name have been X-ed out):

    Jul 21 21:56:04: xxxxxxxxxx.xxxxxx.xx.wave.home.com(24.xxx.xxx.xx): 1641 >>proclist
    Jul 21 21:56:05: ...reply sent
    Jul 21 21:56:22: xxxxxxxxxx.xxxxxx.xx.wave.home.com(24.xxx.xxx.xx): 1641 >>lockup
    Jul 21 21:56:22: ...reply sent
    Jul 21 21:56:29: xxxxxxxxxx.xxxxxx.xx.wave.home.com(24.xxx.xxx.xx): 1641 >>info
    Jul 21 21:56:30: ...info sent
    Jul 21 21:56:39: xxxxxxxxxx.xxxxxx.xx.wave.home.com(24.xxx.xxx.xx): 1641 >>passes
    Jul 21 21:56:39: ...passwords sent
    Jul 21 21:57:00: xxxxxxxxxx.xxxxxx.xx.wave.home.com(24.xxx.xxx.xx): 1641 >>reboot
    Jul 21 21:57:00: ...reply sent
    Jul 21 21:57:07: xxxxxxxxxx.xxxxxx.xx.wave.home.com(24.xxx.xxx.xx): 1641 >>passes
    Jul 21 21:57:08: ...passwords sent
    Jul 21 21:57:11: xxxxxxxxxx.xxxxxx.xx.wave.home.com(24.xxx.xxx.xx): 1641 >>reboot
    Jul 21 21:57:12: ...reply sent
    Jul 21 21:57:28: xxxxxxxxxx.xxxxxx.xx.wave.home.com(24.xxx.xxx.xx): 1641 >>proclist
    Jul 21 21:57:29: ...reply sent
    Jul 21 21:57:38: xxxxxxxxxx.xxxxxx.xx.wave.home.com(24.xxx.xxx.xx): 1641 >>lockup
    Jul 21 21:57:38: ...reply sent
    Jul 21 21:57:42: xxxxxxxxxx.xxxxxx.xx.wave.home.com(24.xxx.xxx.xx): 1641 >>lockup
    Jul 21 21:57:42: ...reply sent
    Jul 21 21:57:43: xxxxxxxxxx.xxxxxx.xx.wave.home.com(24.xxx.xxx.xx): 1641 >>lockup
    Jul 21 21:57:43: ...reply sent
    Jul 21 21:57:46: xxxxxxxxxx.xxxxxx.xx.wave.home.com(24.xxx.xxx.xx): 1641 >>info
    Jul 21 21:57:47: ...info sent
    Jul 21 21:57:59: xxxxxxxxxx.xxxxxx.xx.wave.home.com(24.xxx.xxx.xx): 1641 >>proclist
    Jul 21 21:58:00: ...reply sent
    Jul 21 21:58:12: xxxxxxxxxx.xxxxxx.xx.wave.home.com(24.xxx.xxx.xx): 1641 >>prockill 4291797281
    Jul 21 21:58:13: ...reply sent
    Jul 21 21:58:16: xxxxxxxxxx.xxxxxx.xx.wave.home.com(24.xxx.xxx.xx): 1641 >>proclist 4291797281
    Jul 21 21:58:17: ...reply sent

    As you can see, no useful tool would have commands like "lockup". I have seen more malicious attempts than this as well, such as one person who often launches DOS ping attacks against other users from BO infected machines.

    As much as I hate Micro$loth, I must agree with them on this one. If there were a BO without all of the malicious features then perhapse it would be taken seriously, but with the stealth features and the crash features I think it's main purpose is fairly clear (at least to the script kiddies).

    --
    This post is encrypted twice with ROT-13. Documenting or attempting to crack this encryption is illegal.