F-Secure Virus Descriptions : BO2K
Back Orifice 2000 is a new version of the well-known Back Orifice
backdoor trojan (a hacker's remote access tool). It was created by
the Cult of the Dead Cow hacker group in July 1999. Originally
BO2K was released as a source code and utilities package on a
CD-ROM. There are reports that some files on that CD-ROM were
infected with the CIH virus, so people who got that CD might have
become infected and spread not only the compiled backdoor, but also
the CIH virus.
The first binary version of BO2K was compiled and spread in the
US. A few days later an international version of this backdoor
appeared. Over time many versions of BO2K, built with different
compilers and having different features, may appear.
Like its previous versions, the Back Orifice 2000 backdoor has two
major parts: a client and a server. The server part has to be
installed on a computer system for the client part to gain access
to it. The client part connects to the server part over the
network and is used to perform a wide variety of actions on the
remote system. The client part has a dialog interface that eases
the process of hacking the remote computer.
Here's the screenshot of the client part.
The same package also contains a configuration utility that is
used to configure the server part of BO2K. By default the server
part does not install itself to the system when run; it has to be
properly configured to be used as a backdoor. The configuration
utility has a wizard that helps to quickly configure the server
part. It asks the user to specify the networking type (TCP or
UDP), the port number (1-65535), the connection encryption type -
simple (XOR) or strong (3DES) - and the encryption password, which
is also the password for server access.
Here's the screenshot of the BO2K configuration wizard.
The configuration utility allows the server part to be configured
flexibly. It can add or remove plugins (DLLs) from the server
application and configure file transfer properties, TCP and UDP
settings, activation of built-in plugins, the encryption key, and
startup properties. The startup properties setup allows
configuring automatic installation to the system, the server file
name, the process name, process visibility and also NT-specific
properties (NT service and host process names).
Here's the screenshot of BO2K configuration utility.
When the server part is configured to act like a trojan, i.e. to
install itself covertly on someone's system, it writes itself to
the \Windows\System\ or \WinNT\System32\ folder under a name
specified during configuration (the default is UMGR32.EXE). Then
it modifies the Registry. Under Windows 95/98 the server execution
string is written to:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
Under Windows NT the execution string is written to:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Then the file from which the server part was started can be
deleted (if this was specified during configuration). After that
BO2K will be active in memory each time Windows starts and will
provide access to the infected system to hackers who have the
client part and the correct password.
While active, the server part can hide its process or prevent its
task from being killed from Task Manager (on NT). On NT the
backdoor uses a smart trick: it constantly changes its PID
(process ID) and creates an additional process of itself that
keeps the backdoor alive even if one of the processes is killed.
Besides, the server part adds a random (but large) number of
spaces and 'e' characters to the end of its file name, so the
server part file can't be deleted from Windows (an invalid or long
name error occurs), though disk checking utilities don't find any
problems with the file name. The server part file can only be
deleted from DOS or a DOS session (if the file is not locked, of
course).
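As an added example (not part of the F-Secure description and not F-Secure's scanner), the following Python check applies the indicators given above to a Registry export and a system folder listing: the RunServices/Run keys, the default UMGR32.EXE server name, and the trailing space/'e' padding on the file name. The autorun entries and file names it runs on are constructed sample data.

```python
import re

# Indicators taken from the description above; this is a constructed check,
# not F-Secure's detection engine.
DEFAULT_SERVER_NAME = "umgr32.exe"
AUTORUN_KEYS = {
    r"hkey_local_machine\software\microsoft\windows\currentversion\runservices",
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
}
# BO2K pads the server file name with a long run of spaces and 'e' after the
# extension; a valid Win32 name never ends in a space, so that is the tell.
PADDING_RE = re.compile(r"^(.*?\.exe)([ e]+)$", re.IGNORECASE)

def split_padding(name):
    """Return (clean_name, padding); padding is '' when the name is unpadded."""
    m = PADDING_RE.match(name)
    if m and " " in m.group(2):
        return m.group(1), m.group(2)
    return name, ""

def check_autorun_entries(entries):
    """entries: (registry_key, value_name, command) tuples as a Registry export
    lists them. Returns (value_name, reason) for each suspicious autorun value."""
    findings = []
    for key, value_name, command in entries:
        if key.lower() not in AUTORUN_KEYS:
            continue  # only the Run/RunServices keys BO2K writes to
        clean, padding = split_padding(command.strip('"'))
        base = clean.rsplit("\\", 1)[-1].lower()
        if padding:
            findings.append((value_name, "padded-name"))
        elif base == DEFAULT_SERVER_NAME:
            findings.append((value_name, "default-name"))
    return findings

def check_directory_listing(names):
    """Return the unpadded form of every name that carries BO2K-style padding,
    e.g. from a listing of \\Windows\\System or \\WinNT\\System32."""
    return [split_padding(n)[0] for n in names if split_padding(n)[1]]

# Constructed sample: a benign Run value, the default BO2K name, a padded rename.
SAMPLE_ENTRIES = [
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "SystemTray", r"C:\WINNT\System32\SysTray.Exe"),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "UMGR32", r"C:\WINNT\System32\UMGR32.EXE"),
    (r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices",
     "Update", "C:\\WINDOWS\\SYSTEM\\update.exe" + " e" * 20),
]
```

A renamed server is only caught by the padding check, so the name match alone is not sufficient evidence either way.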
Back Orifice 2000, like its ancestors, has a lot of features. But
unlike the older versions, BO2K has many improvements: connection
encryption (including strong 3DES), the ability to work under NT,
to use UDP and to load internal plugins in DLL format, more
advanced security, and more remote system control features.
Here's the list of Back Orifice 2000 capabilities:
1. Ping and query server part version
2. Rebooting, locking up the system, listing of passwords (yes,
it works - passwords are retrieved from memory), getting system
info
3. Logging keyboard activities, operations with log file: view,
delete
4. Opening a messagebox with specified text and title
5. Mapping TCP ports to another IP, console application, HTTP
fileserver, filename, listing of mapped ports and TCP file
sending
6. Adding and removing network shares, listing of shares
(including LAN), mapping of shared devices, listing of active
connections
7. Process control (works under NT as well): list, kill, start
8. Full access to the Registry (though the way it is done is not
convenient - all keys have to be typed manually)
9. Playing WAV files (looped playback is possible), capturing
screen, AVI and video still
10. Full disk access: listing of directories and files, finding,
viewing, deleting, moving, copying of files and folders,
transfer list maintenance
11. Remote compression and decompression of files (to receive big
files from remote system)
12. Resolving full host name and IP address
13. Flexible server control including each plugins control,
command sockets manager
14. Possibility to run any plugins ('buttplugs') and to activate
any functions in them with specified parameters. For example,
one plugin can initiate a video stream and 'hijack' a remote
system.
The US version has some serious bugs: sometimes installation of
the backdoor fails under NT, and on NT shutdown an error message
box is displayed for some time.
When more versions of Back Orifice 2000 appear, this description
will be updated with new facts.
Detection and removal of Back Orifice 2000 is available with the
latest updates, which can be downloaded free of charge from the
F-Secure ftp site:
ftp://ftp.F-Secure.com/anti-virus/updates/avp/
ftp://ftp.Europe.F-Secure.com/anti-virus/updates/avp/
[Analysis: Alexey Podrezov, F-Secure]