Is the Back Orifice Door really shut?

While a number of security software vendors claim to have developed antidotes to the recently released Back Orifice 2000 Trojan horse, the tool's ability to change its byte signature each time it is packed may foil efforts to detect it.

Antivirus and intrusion-detection tools typically look for specific signatures, that is, patterns of bytes common to a certain virus, Trojan horse or hostile applet. But the Cult of the Dead Cow, which developed BO2K, ships a compressor driven by a random-number generator, so the packed program carries a different byte pattern each time it is compressed even though the code it unpacks and runs is the same.

"My compressor produces a changing algorithm so that no two attack signatures will look the same. So no intrusion or virus scanner will catch this," claimed Sir Dystic, a hacker with the Cult, which released BO2K at the DefCon hacker convention in Las Vegas last weekend.

The BO2K announcement followed last year's release of the first version of Back Orifice, which was designed to seize control of PCs running Microsoft's Windows 95 or 98 operating systems. BO2K targets NT-based systems, allowing an intruder to take control of the desktop without the user's knowledge. Since the source code for the tool is available on the BO2K Web site, it's likely that others will create variants or embed the code in seemingly innocent applications.

Update your antivirus software

Referred to as a Trojan horse because it arrives cloaked as a useful item, BO2K can be introduced when users click on an attachment to an e-mail message or run a software download. While Cult of the Dead Cow asserts that it released BO2K to force Microsoft to beef up NT security, Microsoft insists that BO2K is simply a rogue application that doesn't exploit a vulnerability in the platform. Microsoft has posted a BO2K advisory on its Web site and urges users to keep their antivirus software up to date.

Most developers of antivirus or intrusion-detection software have posted updates to their products that they say will detect and disable the exploit. Trend Micro, Symantec and Network Associates say they have updated their antivirus products to detect BO2K, and all report that none of their clients have detected infections yet.

Chris Williams, manager of Network Associates' security research, said the company is creating an emergency signature update for its CyberCop network detection tool that will be amended as expected BO2K variants are discovered. Williams suggested that companies use both antivirus software, to detect the Trojan horse as it's received, and a network assessment tool, to uncover the tool on systems that have already been infected.

Is it enough?

But other vendors doubt whether these measures will be effective. "By the time you were loading the contents of the compressed files into memory and executing them, it would be too late for the scanner to detect the virus," said Ron Moritz, director of technology at Finjan, an Israeli developer of mobile code security products.

Moritz added that it's possible to send a self-extracting compressed or encrypted executable file, perhaps containing other infected executables, that would bypass all existing antivirus services. He warned that others are probably writing other random compressors of their own that haven't been published.

Noah Dunker, a technician from Kansas who attended the DefCon conference, pointed out that BO2K demonstrates that Trojan horses can become polymorphic, acquiring the ability to transform themselves as they are passed from victim to victim.

Sir Dystic added that rather than requiring advanced skills to create self-modifying code, a polymorphic Trojan horse only needs to be different each time it is unleashed. "You only need to change the signatures after people begin scanning for the old signatures," Sir Dystic said.

Internet Security Systems said its Internet Scanner product will include a countermeasure to polymorphic compression but declined to provide details that it said could assist the Cult of the Dead Cow. Other companies say they will design products that scan for certain processes instead of text patterns in the code.
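The detection problem the article describes, from the randomizing compressor through the vendors' response of scanning for what the program does rather than for fixed byte patterns, is easier to see with working code. The following is an added example written for this page, not code from the Cult of the Dead Cow, BO2K or any vendor mentioned here. The payload, the signature string, the packer layout and the stub marker are all constructed for illustration; the packer is a toy (zlib plus a random XOR key plus random junk) that stands in for BO2K's compressor. It shows why a byte-pattern scan of the file on disk fails for every packed copy, and two countermeasures: matching on the one part of the packer that must stay constant for the program to run at all (the unpacking stub), and unpacking the sample first and scanning what would actually execute.

```python
"""Toy polymorphic packer versus byte-signature scanning (constructed example)."""
import random
import zlib

# Constructed stand-in for a Trojan body and for the byte pattern a scanner
# would carry for it. This is not BO2K code.
PAYLOAD = b"\x90\x90CONSTRUCTED-TROJAN-BODY: open backdoor listener\x90\x90"
SIGNATURE = b"CONSTRUCTED-TROJAN-BODY"

STUB_MAGIC = b"\xde\xc0"   # hypothetical fixed marker of the unpacking stub
KEY_LEN = 16


def pack(payload: bytes, rng: random.Random) -> bytes:
    """Compress, XOR with a random key and pad with random junk.

    Each call yields different bytes on disk for the same payload, which is
    the property the article attributes to BO2K's compressor.
    Layout: magic | junk_len (1 byte) | key | junk | encoded body
    """
    key = bytes(rng.randrange(256) for _ in range(KEY_LEN))
    junk = bytes(rng.randrange(256) for _ in range(rng.randrange(8, 64)))
    body = zlib.compress(payload)
    encoded = bytes(b ^ key[i % KEY_LEN] for i, b in enumerate(body))
    return STUB_MAGIC + bytes([len(junk)]) + key + junk + encoded


def unpack(blob: bytes) -> bytes:
    """What the stub does at run time: skip junk, undo the XOR, decompress."""
    if blob[:2] != STUB_MAGIC:
        raise ValueError("not a packed blob")
    junk_len = blob[2]
    key = blob[3:3 + KEY_LEN]
    encoded = blob[3 + KEY_LEN + junk_len:]
    body = bytes(b ^ key[i % KEY_LEN] for i, b in enumerate(encoded))
    return zlib.decompress(body)


def static_scan(blob: bytes) -> bool:
    """The scanner the article describes: match the pattern on the file as stored."""
    return SIGNATURE in blob


def stub_scan(blob: bytes) -> bool:
    """Countermeasure 1: signature the packer's constant unpacking stub.

    The random key and junk change per copy, but the code that reverses
    them cannot, so the stub is a stable pattern across all variants.
    """
    return blob[:2] == STUB_MAGIC


def scan_after_unpack(blob: bytes) -> bool:
    """Countermeasure 2: unpack (or emulate) first, then match on the
    bytes that would actually execute."""
    try:
        return SIGNATURE in unpack(blob)
    except (ValueError, zlib.error):
        return static_scan(blob)


if __name__ == "__main__":
    rng = random.Random()
    first, second = pack(PAYLOAD, rng), pack(PAYLOAD, rng)
    print("copies identical on disk:", first == second)
    print("static scan catches copy 1/2:", static_scan(first), static_scan(second))
    print("stub scan catches copy 1/2:", stub_scan(first), stub_scan(second))
    print("unpack-then-scan catches copy 1/2:",
          scan_after_unpack(first), scan_after_unpack(second))
```

The fixed stub marker is deliberate: real polymorphic engines also mutate the stub, which is what makes matching it harder than this example suggests, but some invariant the loader can execute always remains, and that is what a packer-aware scanner targets. Unpacking first is the more general answer and is also the expensive one, which is the trade-off Finjan's Moritz raises below.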

BO2K future uncertain

David Lu, vice president of product business management at Trend Micro, said it's "still too early to call" whether companies will succumb to BO2K. He said users should focus on maintaining good security practices such as not opening e-mail attachments or downloading software from suspicious sources.

Ira Winkler, president of Internet Security Advisors Group, said Trojan horses take a while to spread as crackers learn to use them and inept users install them on their systems. "[Trojan horses] always have a slow start, peaking in two or three months," Winkler said.

Trend Micro has posted free versions of what it describes as BO2K detection software on its Web site. Internet Security Systems says it has updated its RealSecure intrusion detection software to detect BO2K, and CyberSource claims to have done the same with its Centrax system. Data Fellows also says it has updated its product to hunt down BO2K.

Williams warned that users should pay special attention to configuration and data-integrity issues as well as signs which indicate that systems may have been compromised. These include files that have been suspiciously moved or deleted and unusual system activity.
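Williams's advice to watch configuration and data integrity, and to look for files that have been moved or deleted, is usually put into practice with a hash baseline taken while a system is known good, then compared against a later snapshot. The following is an added example written for this page, not a tool from Network Associates or any other vendor named above; the directory layout and file names in the demonstration are constructed. Beyond plain added/deleted/modified reporting, it pairs a vanished file with a newly appeared file of identical content so that a rename shows up as a move rather than as two unrelated events.

```python
"""Baseline-and-compare file integrity check (constructed example)."""
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root) -> dict:
    """Map each regular file under root (relative POSIX path) to its SHA-256."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare(baseline: dict, current: dict) -> dict:
    """Report added, deleted, modified and moved files between two snapshots."""
    added = [p for p in current if p not in baseline]
    deleted = [p for p in baseline if p not in current]
    modified = [p for p in baseline if p in current and baseline[p] != current[p]]

    # A move is content that disappeared at one path and reappeared at another.
    added_by_hash = {}
    for p in added:
        added_by_hash.setdefault(current[p], []).append(p)
    moved = []
    for p in deleted:
        candidates = added_by_hash.get(baseline[p])
        if candidates:
            moved.append((p, candidates.pop(0)))
    moved_src = {s for s, _ in moved}
    moved_dst = {d for _, d in moved}
    return {
        "added": sorted(set(added) - moved_dst),
        "deleted": sorted(set(deleted) - moved_src),
        "modified": sorted(modified),
        "moved": sorted(moved),
    }


def simulate_compromise_check() -> dict:
    """Build a constructed directory, take a baseline, tamper, and compare.

    The tampering mirrors the signs Williams lists: a file moved, a config
    file altered, an unexpected new executable and a deleted log.
    """
    root = Path(tempfile.mkdtemp(prefix="integrity-demo-"))
    (root / "bin").mkdir()
    (root / "bin" / "svc.exe").write_bytes(b"constructed service binary")
    (root / "config.ini").write_bytes(b"[net]\nlisten=off\n")
    (root / "audit.log").write_bytes(b"constructed log lines\n")
    baseline = snapshot(root)

    os.replace(root / "bin" / "svc.exe", root / "svc.exe")      # moved
    (root / "config.ini").write_bytes(b"[net]\nlisten=on\n")    # modified
    (root / "newtool.exe").write_bytes(b"constructed dropped file")  # added
    (root / "audit.log").unlink()                                # deleted
    return compare(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, entries in simulate_compromise_check().items():
        print(f"{kind}: {entries}")
```

A baseline is only as trustworthy as the moment it was taken and the place it is stored; keep it off the monitored host or sign it, since a tool that already controls the desktop can rewrite a baseline that lives beside the files it describes.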
