August 17, 1998
Back Orifice threat: Getting caught in the digital crossfire
By Bob O'Donnell
Every time I check the day's computer industry news, it seems, a new digital menace is being discovered. (I lamented this very point just a few weeks back in a recent column.) One of the most recent is the somewhat notorious Back Orifice application, developed and released by a hacker group called Cult of the Dead Cow. (For more information on how this affects your security infrastructure, check out Mark Tebbe's recent column on the subject.)
Despite its misleading name, Back Orifice has nothing to do with Microsoft's BackOffice suite of products or even Windows NT. Instead, it's essentially a secret remote control application that affects Windows 95 and Windows 98 users. Once it's installed on a system, a remote user taking advantage of Back Orifice could essentially take control of a machine and do things like add and remove applications, read passwords, send and receive files, edit the registry, or do anything else that a machine's owner could.
In many ways, Back Orifice is similar to applications such as Symantec's popular PC Anywhere or other remote control applications, except that it's much smaller and does its work in the background, unbeknownst to the user. (It does create a process, however, which a sophisticated user could conceivably see listed in a utility such as Wintop, which is part of Microsoft's Kernel Toys. Once Kernel Toys is installed, just open your Run/command window and type in Wintop to see more.)
The interesting part about Back Orifice is that it was apparently developed specifically to demonstrate and exploit well-known security holes in the Windows operating system. At the recent Black Hat Briefings hacker's conference at which the product was introduced, Cult of the Dead Cow (CDC) members claimed that they released Back Orifice (BO) to prove a point about the intolerably lax security in Windows. In other words, in their own rather twisted way, they're trying to make a moral stand to improve the security in the world's most popular operating system. (See the group's Morality Statement for more.) I certainly don't condone any activities of this type, but one can't help but wonder if this is just the first example of what could prove to be a new type of insidious "technological vigilantism."
Microsoft, for its part, has released a security bulletin on the program and claims that the threat is rather limited. (For a different take on the issue, you can also look at CDC's response to that bulletin.) I'm not enough of a security expert to know for sure, but it appears that the reality is somewhere in the middle.
At least one member of the development community feels the program is enough of a threat that his company has already developed an "antidote" to the problem. Privacy Software Corporation, makers of the NSClean and IEClean browser security products, has already released BOClean, which is designed to eradicate Back Orifice from computer systems and avoid potential damage that flaws in BO's design may cause.
If the application does get onto your computer, there seems to be no question that it can cause problems, but it's not entirely clear how easy it is for it to get there in the first place. Several analyses of the program that I read suggested that one of the most likely ways to unwittingly receive the software is through an ActiveX-like control being downloaded from a Web page or e-mail message. Microsoft, for example, claims that the problem could be avoided by refusing to download any applications that are not digitally signed or certified (although the appearance last week of a plug-in called Saran Wrap that can apparently hide BO in any number of seemingly innocuous files makes this assertion unrealistic).
Still, this incident is bound to revive some of the same issues that have dogged ActiveX and JavaScript certifications from their inception. Many small developers feel that the need for certifications puts them at a disadvantage because many people will only "trust" certificates from large, well-established companies. One of the CDC's documents even longingly referred to the days when anyone could create a program and immediately share it with the community, without it having to come from a big company. I may be reading too much into this, but I sense regret and anger at the new methods being used for software distribution.
In fact, ultimately, I think this entire Back Orifice incident is about anger being directed toward Microsoft. Instead of merely resorting to Microsoft-bashing, however, this group has chosen to vent its anger technologically, through a potentially destructive program. I understand, appreciate, and even agree with the group's implied goal of making security in Windows 95 and 98 stronger (which clearly needs to happen), but I certainly don't agree with their vigilante-like means for achieving that end. Too many innocent victims could end up in the digital crossfire.
© Copyright 1998, by InfoWorld Publishing Corp., a subsidiary of IDG Communications, Inc. Reprinted from InfoWorld, 155 Bovet Road, San Mateo, CA 94402. Further reproduction is prohibited.