Is the Back Orifice Door really shut?

While a number of security software vendors claim to have developed antidotes to the recently-released Back Orifice 2000 Trojan horse, the exploit's ability to change attack signatures may foil efforts to detect it.

Antivirus and intrusion-detection tools typically look for specific signatures or patterns of text common to a certain virus, Trojan horse or hostile applet. But the Cult of the Dead Cow, which developed BO2K, uses a random-number generator that allows exploits to acquire different signatures each time they are compressed.

"My compressor produces a changing algorithm so that no two attack signatures will look the same. So no intrusion or virus scanner will catch this," claimed Sir Dystic, a hacker with the Cult, which released BO2K at the DefCon hacker convention in Las Vegas last weekend.

The BO2K announcement followed last year's release of the first version of Back Orifice, which was designed to seize control of PCs running Microsoft's Windows 95 or 98 operating systems. BO2K targets NT-based systems, allowing an intruder to take control of the desktop without the user's knowledge. Since the source code for the tool is available on the BO2K Web site, it's likely that others will create variants or embed the code in seemingly innocent applications.

Update your antivirus software

Referred to as a Trojan horse because it arrives cloaked as a useful item, BO2K can be introduced when users click on an attachment to an e-mail message or a software download. While Cult of the Dead Cow asserts that it released BO2K to force Microsoft to beef up NT security, Microsoft insists that BO2K is simply a rogue application that doesn't exploit a vulnerability in the platform. Microsoft has posted a BO2K advisory on its Web site and urges users to keep their antivirus software up to date.

Most developers of antivirus or intrusion-detection software have posted updates to their products that they say will detect and disable the exploit. Trend Micro, Symantec and Network Associates say they have updated their antivirus products to detect BO2K, and all report that none of their clients have detected infections yet.

Chris Williams, manager of Network Associates' security research, said the company is creating an emergency signature update for its CyberCop network detection tool that will be amended as expected BO2K variants are discovered. Williams suggested that companies use both antivirus software to detect the Trojan horse as it's received, and a network assessment tool to uncover the exploit in systems that have already been infected.

Is it enough?

But other vendors doubt whether these measures will be effective. "By the time you were loading the contents of the compressed files into memory and executing them, it would be too late for the scanner to detect the virus," said Ron Moritz, director of technology at Finjan, an Israeli developer of mobile code security products.

Moritz added that it's possible to send a self-extracting compressed or encrypted executable file, perhaps containing other infected executables, that would bypass all existing antivirus services. He warned that others are probably writing other random compressors of their own that haven't been published.
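The two points above, that a byte signature is useless once the body is compressed under a fresh random key, and that a scanner which only inspects the stored file rather than what is actually unpacked will miss it, can be shown with a small added example. This is illustrative code written for this page, not code from the article, from BO2K or from any of the vendors named; the "payload" is a harmless constructed marker string, and the randomized packer is a toy (zlib plus a random XOR mask) that stands in for the compressor the Cult describes.

```python
import os
import zlib

# Constructed, harmless stand-in for the body a scanner would want to recognise.
PAYLOAD = b"TOY-MARKER-BODY: stands in for the code a scanner is looking for"
# The fixed byte pattern a signature-based scanner would search for.
SIGNATURE = b"TOY-MARKER-BODY"
KEY_LEN = 16


def randomized_pack(payload: bytes) -> bytes:
    """Compress the payload, then mask it with a fresh random key.

    Every call yields different stored bytes for the same payload, so no
    fixed byte signature taken from one package matches the next one.
    The key travels inside the package, exactly as a self-extracting
    file must carry everything needed to unpack itself.
    """
    key = os.urandom(KEY_LEN)
    compressed = zlib.compress(payload)
    masked = bytes(b ^ key[i % KEY_LEN] for i, b in enumerate(compressed))
    return key + masked


def unpack(package: bytes) -> bytes:
    """Reverse randomized_pack: this is what the scanner must do before matching."""
    key, masked = package[:KEY_LEN], package[KEY_LEN:]
    compressed = bytes(b ^ key[i % KEY_LEN] for i, b in enumerate(masked))
    return zlib.decompress(compressed)


def static_signature_scan(data: bytes) -> bool:
    """Naive scanner: look for the fixed signature in the bytes as stored on disk."""
    return SIGNATURE in data


def unpack_then_scan(package: bytes) -> bool:
    """Scanner that unpacks first and matches on what would actually execute."""
    return static_signature_scan(unpack(package))


def compare_scanners(trials: int = 5) -> dict:
    """Pack the same payload several times and count hits for each scanning strategy."""
    packages = [randomized_pack(PAYLOAD) for _ in range(trials)]
    return {
        "distinct_packages": len(set(packages)),          # expect: trials
        "static_hits": sum(static_signature_scan(p) for p in packages),  # expect: 0
        "unpacked_hits": sum(unpack_then_scan(p) for p in packages),     # expect: trials
    }


if __name__ == "__main__":
    print(compare_scanners())
```

The static scanner scores zero on every package even though each one carries the same payload, while the unpack-then-scan strategy catches all of them; the cost is that the scanner has to perform (or emulate) the unpacking step itself, which is the gap Moritz is pointing at when he says detection at execution time comes too late.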

Noah Dunker, a technician from Kansas who attended the DefCon conference, pointed out that BO2K demonstrates Trojan horses can become polymorphic viruses -- acquiring the ability to transform themselves as they are passed from victim to victim.

Sir Dystic added that rather than requiring advanced skills to create self-modifying code, a polymorphic Trojan horse only needs to be different each time it is unleashed. "You only need to change the signatures after people begin scanning for the old signatures," Sir Dystic said.

Internet Security Systems said its Internet Scanner product will include a countermeasure to polymorphic compression but declined to provide details that it said could assist the Cult of the Dead Cow. Other companies say they will design products that scan for certain processes instead of text patterns in the code.

BO2K future uncertain

David Lu, vice president of product business management at Trend Micro, said it's "still too early to call" whether companies will succumb to BO2K. He said users should focus on maintaining good security practices such as not opening e-mail attachments or downloading software from suspicious sources.

Ira Winkler, president of Internet Security Advisors Group, said Trojan horses take a while to spread as crackers learn to use them and inept users install them on their systems. "[Trojan horses] always have a slow start, peaking in two or three months," Winkler said.

Trend Micro has posted a free version of what it describes as BO2K detection software on its Web site. Internet Security Systems says it has updated its RealSecure intrusion detection software to detect BO2K, and CyberSource claims to have done the same with its Centrax system. Data Fellows also says it has updated its product to hunt down BO2K.

Williams warned that users should pay special attention to configuration and data-integrity issues as well as signs that indicate systems may have been compromised. These include files that have been suspiciously moved or deleted and unusual system activity.
