From xforce@iss.net Wed Jul 14 04:56:00 1999
From: X-Force
To: alert@iss.net
Cc: X-Force
Date: Mon, 12 Jul 1999 20:02:45 -0400 (EDT)
Subject: ISSalert: ISS Security Alert: Back Orifice 2000

TO UNSUBSCRIBE: email "unsubscribe alert" in the body of your message to majordomo@iss.net
Contact alert-owner@iss.net for help with any problems!
---------------------------------------------------------------------------

-----BEGIN PGP SIGNED MESSAGE-----

ISS Security Alert
July 12, 1999

Back Orifice 2000

Introduction:

Back Orifice is a client/server application that can gather information, perform system commands, reconfigure machines, and redirect network traffic. Once the Back Orifice server program is executed on a machine, a user can connect remotely to that machine's IP address and perform any of the above actions. Although Back Orifice can be used as a simple monitoring tool, its main purpose is to maintain control over another machine for reconfiguration and data collection. The features of Back Orifice, combined with anonymous, and possibly malicious, control of machines, make it especially dangerous in a networked environment. The specific commands available in Back Orifice are listed later in this alert.

Installation:

Installation is comprised of two parts: client and server. Installing Back Orifice on the server machine is a simple process: executing the server application installs Back Orifice. This executable is originally named bo2k.exe, but can be renamed. The name of the executable is specified in the client installation, or the BO2K Configuration Wizard. The Wizard guides a user through the various configuration settings, including server file (the executable), network protocol (TCP or UDP), port number, encryption, and password. Once this process is complete, running bo2kgui.exe executes the user interface for Back Orifice. The Configuration Wizard allows for quick setup of the specified server, assuming some defaults, for immediate use of Back Orifice.
However, many options can be set manually through the Configuration Utility. These options are mainly used to reduce the chances of Back Orifice being detected. The Configuration Wizard steps through the following settings:

  Server File
  Network Protocol (UDP or TCP)
  Port Number
  Encryption (XOR or 3DES)
  Password/Encryption Key

Once the wizard is completed, the server configuration screen is displayed, allowing more control over how Back Orifice is run, what settings are used for communication between client and server, and hiding the program from users.

File Transfer

  Option: File Xfer Net Type
  Description: Lists and changes the network protocol for communication.

  Option: File Xfer Bind Str
  Description: File transfer bind string, RANDOM is default.

  Option: File Xfer Encryption
  Description: Lists and changes the current encryption method.

  Option: File Xfer Auth
  Description: File transfer authentication, default is NULLAUTH.

TCPIO

  Option: Default Port
  Description: Displays and changes the port used for TCP communication.

UDPIO

  Option: Default Port
  Description: Displays and changes the port used for UDP communication.

Built-In

  Option: Load XOR Encryption
  Description: Enable or disable XOR encryption, which is weaker than 3DES.

  Option: Load NULLAUTH Authentication
  Description: Enables or disables NULLAUTH authentication.

  Option: Load UDPIO Module
  Description: Enables or disables UDP communication.

  Option: Load TCPIO Module
  Description: Enables or disables TCP communication.

XOR

  Option: XOR Key
  Description: Lists and changes the password for XOR authentication.

Startup

  Option: Init Cmd Net Type
  Description: Displays and changes the network protocol for startup.

  Option: Init Cmd Encryption
  Description: Displays current value for encryption at startup.

  Option: Init Cmd Auth
  Description: Displays and changes current authentication for startup.

  Option: Idle Timeout (ms)
  Description: Can change time (in milliseconds) for server timeout and disconnect.
Stealth

  Option: Run at startup
  Description: Enable or disable Back Orifice to be run at computer startup.

  Option: Delete original file
  Description: Can delete original exe file (Enable or Disable).

  Option: Runtime pathname
  Description: Changes the value for the runtime pathname.

  Option: Hide process
  Description: Enable or disable the process being hidden.

  Option: Host process name (NT)
  Description: Changes the process name on the host machine (default is Back Orifice 2000).

  Option: Service Name (NT)
  Description: Changes the service name from Remote Administration Service to a user-defined name.

Using Back Orifice:

When bo2kgui.exe is run, the Workspace is displayed, which will contain a list of servers if the Workspace was saved from previous use. You must define a server to connect to a machine and begin using Back Orifice. Enter a name for the server and the IP Address, along with connection information. When a server has been defined, the Server Command Client will be displayed. This window allows the use of the functions of Back Orifice. By clicking on a category, the functions are displayed, some of which require parameters (such as filenames and port numbers).

Server Commands:

There are over 70 commands contained within Back Orifice. These commands are used to gather information and send various instructions to the server. After a connection is made between the two computers, select the command, enter the parameters (if applicable) and press the "Send Command" button to run the command on the chosen server. The response will be displayed in the Server Response window.

Simple

  Command: Ping
  Description: Sends a packet to the server to determine if the machine is accessible.

  Command: Query
  Description: Returns the version number of the Back Orifice server.

System

  Command: Reboot Machine
  Description: Shuts down and reboots the machine.

  Command: Lock-up Machine
  Description: Freezes remote machine, requiring a reboot.
  Command: List Passwords
  Description: Retrieves a list of users and passwords.

  Command: Get System Info
  Description: Retrieves the following information:
    Machine Name
    Current User
    Processor
    Operating system version (SP version)
    Memory (Physical and paged)
    All fixed and remote drives

Key Logging

  Command: Log Keystrokes
  Description: Logs keystrokes to a file. Required to enter a file name to store the output.

  Command: End Keystroke Log
  Description: Stops recording keystrokes to the specified file.

  Command: View Keystroke Log
  Description: Views a keystroke log file.

  Command: Delete Keystroke Log
  Description: Deletes a keystroke log file.

GUI

  Command: System Message Box
  Description: Displays a text box on the server containing user-defined title and text.

TCP/IP

  Command: Map Port -> Other IP
  Description: Redirects network traffic from a specified port on the server to another IP address and port.

  Command: Map Port -> TCP File Receive
  Description: Receives a file from a specific port. Requires specific port, as well as the path and filename.

  Command: List Mapped Ports
  Description: Lists all redirected ports and information (source and destination).

  Command: Remove Mapped Port
  Description: Removes specified redirected port.

  Command: TCP File Send
  Description: Connects to the specified port and sends a file. Requires specific target IP address and port, as well as the path and filename.

M$ Networking

  Command: Add Share
  Description: Creates a new share on the remote machine. Requires pathname and sharename.

  Command: Remove Share
  Description: Removes a share. Requires sharename.

  Command: List Shares
  Description: Lists all shares on the server computer.

  Command: List Shares on LAN
  Description: Lists shares on LAN.

  Command: Map Shared Device
  Description: Maps shared device.

  Command: Unmap Shared Device
  Description: Removes specified mapped shared device.

  Command: List Connections
  Description: Lists network connections on remote computer, both current and persistent.
Process Control

  Command: List Processes
  Description: List all running processes on the server. Requires remote machine name.

  Command: Kill Process
  Description: Kills the specified process. Requires the process ID number, which can be obtained from the List Processes command.

  Command: Start Process
  Description: Starts a process on the server specified by the pathname and arguments.

Registry

  Command: Create Key
  Description: Creates a key in the registry. Requires full key path.

  Command: Set Value
  Description: Sets a value of a registry key. Full key path, value name, and value data must be specified.

  Command: Get Value
  Description: Displays registry entry for specified key path and value.

  Command: Delete Key
  Description: Deletes a registry key, must specify full key path.

  Command: Delete Value
  Description: Deletes a registry key for specified key path and value.

  Command: Rename Key
  Description: Renames a registry key. Requires current and new key name.

  Command: Rename Value
  Description: Renames a registry value. Requires current key path/value name and new key value.

  Command: Enumerate Keys
  Description: Displays and counts all subkeys for specified key path.

  Command: Enumerate Values
  Description: Displays and counts values for specified input.

Multimedia

  Command: Capture Video Still
  Description: Captures a still video image from the specified device. Must enter filename to capture to and capture specifications.

  Command: Capture AVI
  Description: Captures an AVI file from the specified device. Must enter filename to capture to and capture specifications.

  Command: Play WAV File
  Description: Plays the specified WAV file.

  Command: Play WAV File In Loop
  Description: Plays the specified WAV file repeatedly until stopped.

  Command: Stop WAV File
  Description: Stop a WAV file that is playing.

  Command: List Capture Devices
  Description: Shows attached system devices capable of capturing video.

  Command: Capture Screen
  Description: Creates an image of the current screen.
  File for output is defined by user.

File/Directory

  Command: List Directory
  Description: Lists files and directories from the specified machine and remote path.

  Command: Find File
  Description: Searches for a file on the server machine, requires path and filename specifications.

  Command: Delete File
  Description: Removes a file from the server's drive.

  Command: View File
  Description: Allows specified file to be viewed.

  Command: Move/Rename File
  Description: Moves or renames a file. Must specify pathname for old and new file.

  Command: Copy File
  Description: Copies a file on the Back Orifice server, must specify source and target pathnames.

  Command: Make Directory
  Description: Makes a directory on the server. Requires a pathname.

  Command: Remove Directory
  Description: Removes the specified directory.

  Command: Set File Attributes
  Description: Set file attributes for specified pathname (ARSHT).

  Command: Receive File
  Description: Receives file from server, requires BINDSTR, NET, ENC, AUTH and pathname.

  Command: Send File
  Description: Sends file to machine, requires IP, NET, ENC, AUTH, and pathname.

  Command: List Transfers
  Description: Shows a list of files being transferred.

  Command: Cancel Transfer
  Description: Cancels a transfer for specified pathname.

Compression

  Command: Freeze File
  Description: Compresses files, requires pathname for original and output files.

  Command: Melt File
  Description: Decompresses files, requires pathname for original and output files.

DNS

  Command: Resolve Hostname
  Description: Retrieves FQDN and IP address of specified machine.

  Command: Resolve Address
  Description: Retrieves FQDN and IP address of specified machine.

Server Control

  Command: Shutdown Server
  Description: Stops Back Orifice on the server. Must type delete before sending the command.

  Command: Restart Server
  Description: Restarts Back Orifice after using the Shutdown Server command.

  Command: Load Plugin
  Description: Loads specified plugin.
  Command: Debug Plugin
  Description: Debugs specified plugin.

  Command: List Plugins
  Description: Lists plugins installed.

  Command: Remove Plugins
  Description: Removes specified plugin (# required).

Networking:

BO2k supports several networking options. It can use TCP or UDP as transports and encrypt with a simple XOR encryption algorithm or a more advanced 3DES encryption. The XOR algorithm can be easily decrypted and requires no brute-forcing; the original release of Back Orifice 1.2 had a stronger algorithm that did. This means that it is easy to detect BO2k activity on your network with an intrusion detection system, no matter which port it uses. The X-Force has been able to decrypt the XOR'd packets and report which commands are being executed. Although it is possible to detect BO2k traffic encrypted with 3DES, there is no way to determine which commands are being used. The next release of RealSecure will detect all BO2k traffic on your network using the XOR or 3DES encryption algorithms.

The format of the BO2k packets is:

  [Length (4 bytes)][Data that is 'Length' long]

By looking for a series of packets that contain a 4 byte length (in little-endian byte order), followed by that length of data, you can detect all BO2k packets, regardless of the encryption used. This format is used on both the TCP and UDP transports.

To decrypt the packets using the XOR encryption, XOR the 4 bytes starting at offset 4 with the value 0x3713C3CD (0xCDC31337 in little-endian order). This will give you the XOR encryption key, which is generated from the XOR key configured by the user. You can then XOR that 4 byte key with the rest of the packet: XOR it with the 4 bytes at offset 8, 12, 16, etc. This will reveal a packet structure that is described in the BO2k source code.

Recommendations:

ISS Internet Scanner currently checks for Back Orifice installations and RealSecure will check for it.
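The framing check and XOR key recovery described in the Networking section above, written out as a small decoder a network analyst could run over captured stream data. This is an added example, not code from the alert or from the BO2K project. It assumes the alert's description literally: a plaintext little-endian 4-byte length, the magic constant stored at packet offset 4 as the little-endian dword 0xCDC31337 (on-the-wire bytes 37 13 C3 CD; the MAGIC constant is the one place to change if the reverse order is intended), and a 4-byte key reapplied to every word of the data. The sample traffic and the key 0xDEADBEEF are constructed for the example and are not BO2K defaults.

```python
import struct

# Magic dword the alert says sits (XOR-encrypted) at packet offset 4.
# Assumption: "0xCDC31337 in little-endian order" means the wire bytes
# 37 13 C3 CD. Adjust this one constant if the byte order is reversed.
MAGIC = struct.pack("<I", 0xCDC31337)


def split_frames(stream):
    """Split a byte stream into BO2K-style [len][data] frames.

    Returns the list of data fields, or None if the stream does not consist
    entirely of well-formed length-prefixed frames. A truncated capture
    therefore fails the check rather than producing a partial result.
    """
    frames = []
    off = 0
    while off < len(stream):
        if off + 4 > len(stream):
            return None
        (length,) = struct.unpack_from("<I", stream, off)
        end = off + 4 + length
        # Data must at least hold the 4-byte magic word.
        if length < 4 or end > len(stream):
            return None
        frames.append(stream[off + 4:end])
        off = end
    return frames or None


def recover_xor_key(data):
    """First data word XOR the magic constant yields the 4-byte XOR key."""
    return bytes(a ^ b for a, b in zip(data[:4], MAGIC))


def xor_apply(data, key):
    """XOR every byte of data with the repeating 4-byte key (offsets 0, 4, 8...)."""
    return bytes(b ^ key[i % 4] for i, b in enumerate(data))


def decrypt_stream(stream):
    """Return the decrypted payloads (magic word stripped) for a stream that
    frames cleanly and whose every frame yields the same key; otherwise None."""
    frames = split_frames(stream)
    if not frames:
        return None
    key = recover_xor_key(frames[0])
    payloads = []
    for data in frames:
        # Key recovery alone is circular (any word gives "a" key); the signal
        # is that the recovered key stays constant across a whole session.
        if recover_xor_key(data) != key:
            return None
        payloads.append(xor_apply(data, key)[4:])
    return payloads


def looks_like_bo2k(stream):
    """Detection verdict: clean framing plus a constant XOR key."""
    return decrypt_stream(stream) is not None


# --- constructed sample traffic (not a real capture) ---------------------
def build_frame(key, payload):
    """Encode one frame as the alert describes, to exercise the decoder."""
    body = xor_apply(MAGIC + payload, key)
    return struct.pack("<I", len(body)) + body


SAMPLE_KEY = b"\xde\xad\xbe\xef"   # constructed key, not a BO2K default
SAMPLE_STREAM = build_frame(SAMPLE_KEY, b"PING") + build_frame(SAMPLE_KEY, b"QUERY")

if __name__ == "__main__":
    print(looks_like_bo2k(SAMPLE_STREAM), decrypt_stream(SAMPLE_STREAM))
    print(looks_like_bo2k(b"GET / HTTP/1.0\r\n"))
```

Length-prefixed framing is common to many protocols, so the framing test on its own will match unrelated traffic; in practice a detection should require several consecutive frames, a key that stays constant for the session, and a decrypted body that matches the structure the alert says the BO2K source documents. Traffic using the 3DES option will still pass the framing check but, as the alert notes, cannot be decrypted this way.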
To remove Back Orifice from your system, obtain the latest version of anti-virus software from your anti-virus vendor. It is very difficult to detect Back Orifice running on a machine because it is so highly configurable. By default, it will install itself in your Windows system directory as the file UMGR32.EXE. If you are running Windows NT, it will install a service listed as "Remote Administration Service." This is the default name, and can be changed.

________

About ISS:

ISS leads the market as the source for e-business risk management solutions, serving as a trusted security provider to thousands of organizations including 21 of the 25 largest U.S. commercial banks and more than 35 government agencies. With its Adaptive Security Management approach, ISS empowers organizations to measure and manage enterprise security risks within Intranet, extranet and electronic commerce environments. Its award-winning SAFEsuite(r) product line of intrusion detection, vulnerability management and decision support solutions is vital for protection in today's world of global connectivity, enabling organizations to proactively monitor, detect and respond to security risks. Founded in 1994, ISS is headquartered in Atlanta, GA with additional offices throughout the U.S. and international operations in Australia/New Zealand, Belgium, France, Germany, Japan, Latin America and the UK. For more information, visit the ISS Web site at www.iss.net or call 800-776-2362.

Copyright (c) 1999 by Internet Security Systems, Inc.

Permission is hereby granted for the redistribution of this Alert electronically. It is not to be edited in any way without express consent of the X-Force. If you wish to reprint the whole or any part of this Alert in any other medium excluding electronic medium, please e-mail xforce@iss.net for permission.

Disclaimer

The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition.
There are NO warranties with regard to this information. In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.

X-Force PGP Key available at: http://xforce.iss.net/sensitive.php3 as well as on MIT's PGP key server and PGP.com's key server.

Please send suggestions, updates, and comments to: X-Force xforce@iss.net of Internet Security Systems, Inc.

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3a
Charset: noconv

iQCVAwUBN4qB4zRfJiV99eG9AQFVcAP/X7qQF4lsDt2/YjGpPBkk4P7Whwfla3zk
8yhUI0gFWz1OJTkUCMnPyNiBMisBWZlfFQte2tszhe/uxbB6ydNI2q8r3LV9Vrty
vrJYdgrZJWDJ6XDzzBpC8vnHVi61yBLYR9gPRBiN+Jn3J2zX5L18LlYatGMgNjXq
+yD6UEZ6dsw=
=hqmS
-----END PGP SIGNATURE-----