Is the Back Orifice Door really shut?

While a number of security software vendors claim to have developed antidotes to the recently-released Back Orifice 2000 Trojan horse, the exploit's ability to change attack signatures may foil efforts to detect it.

Antivirus and intrusion-detection tools typically look for specific signatures or patterns of text common to a certain virus, Trojan horse or hostile applet. But the Cult of the Dead Cow, which developed BO2K, uses a random-number generator that allows exploits to acquire different signatures each time they are compressed.

"My compressor produces a changing algorithm so that no two attack signatures will look the same. So no intrusion or virus scanner will catch this," claimed Sir Dystic, a hacker with the Cult, which released BO2K at the DefCon hacker convention in Las Vegas last weekend.

The BO2K announcement followed last year's release of the first version of Back Orifice, which was designed to seize control of PCs running Microsoft's Windows 95 or 98 operating systems. BO2K targets NT-based systems, allowing an intruder to take control of the desktop without the user's knowledge. Since the source code for the tool is available on the BO2K Web site, it's likely that others will create variants or embed the code in seemingly innocent applications.

Update your antivirus software

Referred to as a Trojan horse because it arrives cloaked as a useful item, BO2K can be introduced when users click on an attachment to an e-mail message or a software download. While Cult of the Dead Cow asserts that it released BO2K to force Microsoft to beef up NT security, the Microsoft insists that BO2K is simply a rogue application that doesn't exploit a vulnerability in the platform. Microsoft has posted a BO2K advisory on its Web site and urges users to keep their antivirus software up to date.

Most developers of antivirus or intrusion-detection software have posted updates to their products that they say will detect and disable the exploit. Trend Micro, Symantec and Network Associates say they have updated their antivirus products to detect BO2K, and all report that none of their clients have detected infections yet.

Chris Williams, manager of Network Associates' security research, said the company is creating an emergency signature update for its CyberCop network detection tool that will be amended as expected BO2K variants are discovered. Williams suggested that companies use both anti-virus software to detect the Trojan horse as it's received, and a network assessment tool to uncover the exploit in systems that have already been infected.

Is it enough?

But other vendors doubt whether these measures will be effective. "By the time you were loading the contents of the compressed files into memory and executing them, it would be too late for the scanner to detect the virus," said Ron Moritz, director of technology at Finjan, an Israeli developer of mobile code security products.

Moritz added that it's possible to send a self-extracting compressed or encrypted executable file, perhaps containing other infected executables, that would bypass all existing antivirus services. He warned that others are probably writing other random compressors of their own that haven't been published.

Noah Dunker, a technician from Kansas, who attended the DefCon conference, pointed out that BO2K demonstrates Trojan horses can become polymorphic viruses -- acquiring the ability to transform themselves as they are passed from victim to victim.

Sir Dystic added that rather than requiring advanced skills to create self-modifying code, a polymorphic Trojan horse only needs to be different each time it is unleashed. "You only need to change the signatures after people begin scanning for the old signatures," Sir Dystic said.

Internet Security Systems said its Internet Scanner product will include a countermeasure to polymorphic compression but declined to provide details that it said could assist the Cult of the Dead Cow. Other companies say they will design products that scan for certain processes instead of text patterns in the code.

BO2K future uncertain

David Lu, vice president of product business management at Trend Micro, said it's "still too early to call" whether companies will succumb to BO2K. He said users should focus on maintaining good security practices such as not opening e-mail attachments or downloading software from suspicious sources.

Ira Winkler, president of Internet Security Advisors Group, said Trojan horses take a while to spread as crackers learn to use them and inept users install them on their systems. "[Trojan horses] always have a slow start, peaking in two or three months," Winkler said.

Trend Micro have both posted free versions of what they describe as BO2K detection software on their Web sites. Internet Security Systems says it has updated its RealSecure intrusion detection software to detect BO2K, and CyberSource claims to have done the same with it Centrax system. Data Fellows also says it has updated its product to hunt down BO2K.

Williams warned that users should pay special attention to configuration and data-integrity issues as well as signs which indicate that systems may have been compromised. These include files that have been suspiciously moved or deleted and unusual system activity.

Join the newsletter!


Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.
Show Comments

Brand Post

Most Popular Reviews

Latest Articles


PCW Evaluation Team

Luke Hill


I need power and lots of it. As a Front End Web developer anything less just won’t cut it which is why the MSI GT75 is an outstanding laptop for me. It’s a sleek and futuristic looking, high quality, beast that has a touch of sci-fi flare about it.

Emily Tyson

MSI GE63 Raider

If you’re looking to invest in your next work horse laptop for work or home use, you can’t go wrong with the MSI GE63.

Laura Johnston

MSI GS65 Stealth Thin

If you can afford the price tag, it is well worth the money. It out performs any other laptop I have tried for gaming, and the transportable design and incredible display also make it ideal for work.

Andrew Teoh

Brother MFC-L9570CDW Multifunction Printer

Touch screen visibility and operation was great and easy to navigate. Each menu and sub-menu was in an understandable order and category

Louise Coady

Brother MFC-L9570CDW Multifunction Printer

The printer was convenient, produced clear and vibrant images and was very easy to use

Edwina Hargreaves

WD My Cloud Home

I would recommend this device for families and small businesses who want one safe place to store all their important digital content and a way to easily share it with friends, family, business partners, or customers.

Featured Content

Product Launch Showcase

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?