ISSalert: ISS Security Advisory: cDc BackOrifice Backdoor

From: George Gallen <ggallen_at_slackinc.com>
Date: Fri, 07 Aug 1998 11:59:58 -0400

FYI
> ----------
> From: X-Force[SMTP:xforce_at_iss.net]
> Sent: Thursday, August 06, 1998 11:04 AM
> To: alert_at_iss.net
> Subject: ISSalert: ISS Security Advisory: cDc BackOrifice Backdoor
>
> ISS Security Alert Advisory
> August 6th, 1998
>
>
> Cult of the Dead Cow Back Orifice Backdoor
>
> Synopsis:
>
> A hacker group known as the Cult of the Dead Cow has released a
> Windows 95/98 backdoor named 'Back Orifice' (BO). Once installed, this
> backdoor allows unauthorized users to execute privileged operations on
> the affected machine.
>
> Back Orifice leaves evidence of its existence and can be detected and
> removed. The communications protocol and encryption used by this
> backdoor have been broken by ISS X-Force.
>
> Description:
> A backdoor is a program that is designed to hide itself inside a
> target host in order to allow the installing user access to the system
> at a later time without using normal authorization or vulnerability
> exploitation.
>
> Functionality:
> The BO program is a backdoor designed for Windows 95/98. Once
> installed, it allows anyone who knows the listening port number and BO
> password to remotely control the host. Intruders access the BO server
> using either a text or graphics based client. The server allows
> intruders to execute commands, list files, start silent services, share
> directories, upload and download files, manipulate the registry, kill
> processes, list processes, as well as other options.
>
> Encrypted Communications:
> All communications between backdoor client and the server use the User
> Datagram Protocol (UDP). All data sent between the client and server
> is encrypted; however, it is trivial to decrypt the data sent. X-Force
> has been able to decrypt BO client requests without knowing the
> password and use the gathered data to generate a password that will
> work on the BO server.
>
> The way that BO encrypts its packets is to generate a 2 byte hash from
> the password, and use the hash as the encryption key. The first 8
> bytes of all client request packets use the same string: "*!*QWTY?",
> thus it is very easy to brute force the entire 64k key space of the
> password hash and compare the result to the expected string. Once you
> know the correct hash value that will decrypt packets, it is possible
> to start generating and hashing random passwords to find a password
> that will work on the BO server. In our tests in the X-Force lab, this
> entire process takes only a few seconds, at most, on a Pentium-133
> machine. With our tools we have been able to capture a BO request
> packet, find a password that will work on the BO server, and get the
> BO server to send a dialog message to warn the administrator and kill
> its own process.
>
> Determining if BO has been installed on your machine:
> The BO server will do several things as it installs itself on a target
> host:
>
> * Install a copy of the BO server in the system directory
> (c:\windows\system) either as " .exe" or a user specified file name.
>
> * Create a registry key under
> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
> with the file name of the server file name and a description field of
> either "(Default)" or a user specified description.
>
> * The server will begin listening on UDP port 31337, or a UDP port
> specified by the installer. You can configure RealSecure to monitor
> for network traffic on the default UDP 31337 port for possible warning
> signs.
>
> In order to determine if you are vulnerable:
>
> 1. Start the regedit program (c:\windows\regedit.exe).
> 2. Access the key
> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices.
> Look for any services that may not have been intentionally installed
> on the machine. If the length of one of these files is close to
> 124,928 (give or take 30 bytes) then it is probably BO.
>
> Recommended action:
> BO can be removed by deleting the server and removing its registry
> entry. If possible, you should back up all user data, format your hard
> drive, and reinstall all operating systems and software on the
> infected machine. However, if someone has installed BO on your
> machine, then it is most likely part of a larger security breach. You
> should react according to your site security policy.
>
>
> Determining the password and configuration of an installed BO:
> 1. Using a text editor like notepad, view the server exe file.
> 2. If the last line of the file is '8
> 8$8(8,8084888<8_at_8D8H8L8P8T8X8\8'8d8h8l8',
> then the server is using the default configuration. Otherwise, the
> configuration will be the last several lines of this file, in this
> order:
>
> <filename>
> <service description>
> <port number>
> <password>
> <optional plugin information>
>
> Conclusion:
> Back Orifice provides an easy method for intruders to install a
> backdoor on a compromised machine. Back Orifice's authentication and
> encryption are weak, therefore an administrator can determine what
> activities and information are being sent via BO. Back Orifice can be
> detected and removed. This backdoor only works on Windows 95 and
> Windows 98 for now and not currently on Windows NT.
>
> ----------
>
> Copyright (c) 1998 by Internet Security Systems, Inc.
>
> Permission is hereby granted for the redistribution of this alert
> electronically. It is not to be edited in any way without express
> consent of X-Force. If you wish to reprint the whole or any part of
> this alert in any other medium excluding electronic medium, please
> e-mail xforce_at_iss.net for permission.
>
> Disclaimer
> The information within this paper may change without notice. Use of
> this information constitutes acceptance for use in an AS IS condition.
> There are NO warranties with regard to this information. In no event
> shall the author be liable for any damages whatsoever arising out of
> or in connection with the use or spread of this information. Any use
> of this information is at the user's own risk.
>
> X-Force PGP Key available at: http://www.iss.net/xforce/sensitive.html
> as well as on MIT's PGP key server and PGP.com's key server.
>
> X-Force Vulnerability and Threat Database: http://www.iss.net/xforce
>
> Please send suggestions, updates, and comments to:
> X-Force <xforce_at_iss.net> of Internet Security Systems, Inc.
>
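Added example, not part of George's forward or of the ISS advisory: a small Python module that turns the advisory's host and network indicators (the RunServices entry, the " .exe" name in the system directory, the ~124,928-byte file size, the UDP 31337 listener, the configuration lines at the tail of the server image) into checks an administrator can run over gathered data, and that shows why a 2-byte key in front of a known 8-byte request header falls to an exhaustive 64k search. The registry entries, the netstat-style lines, the server-image tail and the stream cipher are all stand-ins constructed here; Back Orifice's real password hash and keystream are not on this page and are not reproduced.

```python
"""Defender-side checks built from the Back Orifice advisory (added example)."""
import re

# Indicators as stated in the advisory.
BO_DEFAULT_PORT = 31337
BO_SERVER_SIZE = 124_928        # typical server size, give or take 30 bytes
BO_SIZE_SLACK = 30
BO_REQUEST_MAGIC = b"*!*QWTY?"  # first 8 bytes of every client request


def flag_runservices(entries):
    """Apply the advisory's RunServices heuristics.

    `entries` is a list of (value_name, path, size_in_bytes) tuples gathered
    from the RunServices key; returns the entries worth a closer look."""
    hits = []
    for name, path, size in entries:
        reasons = []
        if abs(size - BO_SERVER_SIZE) <= BO_SIZE_SLACK:
            reasons.append("file size within 30 bytes of 124,928")
        # Default install name is a single space followed by .exe.
        if path.lower().endswith("\\ .exe"):
            reasons.append("space-only executable name in the system directory")
        if reasons:
            hits.append((name, path, reasons))
    return hits


def flag_udp_listeners(netstat_lines, suspect_ports=(BO_DEFAULT_PORT,)):
    """Pick UDP listeners on suspect ports out of `netstat -an`-style lines."""
    found = []
    for line in netstat_lines:
        m = re.match(r"\s*UDP\s+\S+:(\d+)\s", line)
        if m and int(m.group(1)) in suspect_ports:
            found.append(int(m.group(1)))
    return found


def parse_config_trailer(image):
    """Read a non-default configuration from the tail of a server image.

    The advisory lists the trailing lines as filename, service description,
    port, password and optional plugin information. The port is the only
    purely numeric line, so it anchors the parse. Returns None if no such
    line sits in the last five non-empty lines."""
    lines = [ln.strip() for ln in image.splitlines() if ln.strip()]
    tail = lines[-5:]
    for i, ln in enumerate(tail):
        if ln.isdigit() and i >= 2 and i + 1 < len(tail):
            return {
                "filename": tail[i - 2],
                "description": tail[i - 1],
                "port": int(ln),
                "password": tail[i + 1],
                "plugins": tail[i + 2:],
            }
    return None


def toy_keystream(key16, length):
    """Stand-in keystream (NOT Back Orifice's real algorithm): a 16-bit LCG
    seeded with the 2-byte password hash, emitting the high byte per step."""
    state = key16 & 0xFFFF
    out = bytearray()
    for _ in range(length):
        state = (state * 20077 + 12345) & 0xFFFF
        out.append(state >> 8)
    return bytes(out)


def toy_crypt(key16, data):
    """XOR with the keystream; encryption and decryption are the same step."""
    return bytes(b ^ k for b, k in zip(data, toy_keystream(key16, len(data))))


def recover_keys(packet, magic=BO_REQUEST_MAGIC):
    """Known-plaintext search over the whole 2-byte key space: every key whose
    keystream turns the first len(magic) bytes of `packet` into `magic`.
    This is the step that lets a sensor read captured requests without the
    password, and why a 16-bit key offers no real protection."""
    head = packet[: len(magic)]
    return [k for k in range(0x10000) if toy_crypt(k, head) == magic]


if __name__ == "__main__":
    # Constructed sample inputs, not real captures.
    entries = [("(Default)", r"C:\WINDOWS\SYSTEM\ .EXE", 124_931),
               ("Scheduler", r"C:\WINDOWS\SYSTEM\MSTASK.EXE", 88_064)]
    print(flag_runservices(entries))
    print(flag_udp_listeners(["  UDP    0.0.0.0:31337          *:*",
                              "  UDP    0.0.0.0:137            *:*"]))
    print(parse_config_trailer(b"\x00junk\r\nBOSERVE.EXE\r\nWindows Update\r\n"
                               b"54321\r\nhunter2\r\n"))
    captured = toy_crypt(0xBEEF, BO_REQUEST_MAGIC + b"\x01\x02")
    print([hex(k) for k in recover_keys(captured)])
```

The registry and netstat checks only reproduce what the advisory tells an administrator to look for by hand; the key search is the defender-side reading of the "64k key space" remark, i.e. the reason an IDS such as the one the advisory mentions can decode the traffic at all.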
Received on Fri Aug 07 1998 - 15:59:48 NZST

This archive was generated by hypermail 2.4.0 : Wed Nov 08 2023 - 11:53:38 NZDT