Is the Back Orifice Door really shut?
- — 16 July, 1999 21:49
While a number of security software vendors claim to have developed antidotes to the recently-released Back Orifice 2000 Trojan horse, the exploit's ability to change attack signatures may foil efforts to detect it.
Antivirus and intrusion-detection tools typically look for specific signatures or patterns of text common to a certain virus, Trojan horse or hostile applet. But the Cult of the Dead Cow, which developed BO2K, uses a random-number generator that allows exploits to acquire different signatures each time they are compressed.
"My compressor produces a changing algorithm so that no two attack signatures will look the same. So no intrusion or virus scanner will catch this," claimed Sir Dystic, a hacker with the Cult, which released BO2K at the DefCon hacker convention in Las Vegas last weekend.
The BO2K announcement followed last year's release of the first version of Back Orifice, which was designed to seize control of PCs running Microsoft's Windows 95 or 98 operating systems. BO2K targets NT-based systems, allowing an intruder to take control of the desktop without the user's knowledge. Since the source code for the tool is available on the BO2K Web site, it's likely that others will create variants or embed the code in seemingly innocent applications.
Update your antivirus software
Referred to as a Trojan horse because it arrives cloaked as a useful item, BO2K can be introduced when users click on an attachment to an e-mail message or a software download. While Cult of the Dead Cow asserts that it released BO2K to force Microsoft to beef up NT security, the Microsoft insists that BO2K is simply a rogue application that doesn't exploit a vulnerability in the platform. Microsoft has posted a BO2K advisory on its Web site and urges users to keep their antivirus software up to date.
Most developers of antivirus or intrusion-detection software have posted updates to their products that they say will detect and disable the exploit. Trend Micro, Symantec and Network Associates say they have updated their antivirus products to detect BO2K, and all report that none of their clients have detected infections yet.
Chris Williams, manager of Network Associates' security research, said the company is creating an emergency signature update for its CyberCop network detection tool that will be amended as expected BO2K variants are discovered. Williams suggested that companies use both anti-virus software to detect the Trojan horse as it's received, and a network assessment tool to uncover the exploit in systems that have already been infected.
Is it enough?
But other vendors doubt whether these measures will be effective. "By the time you were loading the contents of the compressed files into memory and executing them, it would be too late for the scanner to detect the virus," said Ron Moritz, director of technology at Finjan, an Israeli developer of mobile code security products.
Moritz added that it's possible to send a self-extracting compressed or encrypted executable file, perhaps containing other infected executables, that would bypass all existing antivirus services. He warned that others are probably writing other random compressors of their own that haven't been published.
Noah Dunker, a technician from Kansas, who attended the DefCon conference, pointed out that BO2K demonstrates Trojan horses can become polymorphic viruses -- acquiring the ability to transform themselves as they are passed from victim to victim.
Sir Dystic added that rather than requiring advanced skills to create self-modifying code, a polymorphic Trojan horse only needs to be different each time it is unleashed. "You only need to change the signatures after people begin scanning for the old signatures," Sir Dystic said.
Internet Security Systems said its Internet Scanner product will include a countermeasure to polymorphic compression but declined to provide details that it said could assist the Cult of the Dead Cow. Other companies say they will design products that scan for certain processes instead of text patterns in the code.
BO2K future uncertain
David Lu, vice president of product business management at Trend Micro, said it's "still too early to call" whether companies will succumb to BO2K. He said users should focus on maintaining good security practices such as not opening e-mail attachments or downloading software from suspicious sources.
Ira Winkler, president of Internet Security Advisors Group, said Trojan horses take a while to spread as crackers learn to use them and inept users install them on their systems. "[Trojan horses] always have a slow start, peaking in two or three months," Winkler said.
Trend Micro have both posted free versions of what they describe as BO2K detection software on their Web sites. Internet Security Systems says it has updated its RealSecure intrusion detection software to detect BO2K, and CyberSource claims to have done the same with it Centrax system. Data Fellows also says it has updated its product to hunt down BO2K.
Williams warned that users should pay special attention to configuration and data-integrity issues as well as signs which indicate that systems may have been compromised. These include files that have been suspiciously moved or deleted and unusual system activity.