Back Orifice is a Trojan that provides a backdoor into your computer when active and you are connected to the Internet.
The name is a play on Microsoft’s Back Office and the program is advertised as a network management program. It is produced by the group Cult of the Dead Cow (cDc). Even though it does what it’s advertised to do, the fact that it installs silently, can’t be easily detected once run, and potentially allows a remote user to take complete control of your computer without your permission when it is installed has caused the AV companies to call it a Trojan and they have developed detection routines for the program.
BO is distributed as several programs plus documentation. The original programs run on Win95/98 only; BO-2000 also runs on NT. Indications are that BO can be attached to other executables in the same style as viruses. When run, BO silently installs itself (you can’t even see it in the task list — see rootkit) and, when the computer is connected to a TCP/IP network (e.g., the Internet), it sits in the background and just listens. What it’s listening for are commands starting with *!*QWTY? from a remote computer. The commands themselves are encrypted (in the US version; an international version does not use strong encryption). When a command is received, BO is capable of many things; some benign, others quite destructive and/or intrusive. A short list includes: computer info, list disk contents, file manipulation (including updating itself!), compressing & decompressing files, get and send cached passwords, terminate processes, display messages, access the registry, plus store and send keyboard input while users are logging into other services. BO even supports HTTP protocols and emulates a web server so others can access the user’s computer using a web browser. If that’s not enough, BO can expand its abilities using plug-ins (which, of course, it can be commanded to download to itself).
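The one protocol fact the description above gives a defender is the command header *!*QWTY? that every BO command starts with. The following added example (not part of the original article, and not cDc code) turns that into a simple network signature check over constructed sample datagrams; the datagram tuples, addresses and payloads are all made up for the demonstration, and as the article notes the US build encrypts its commands, so this only catches unencrypted or already-decrypted traffic.

```python
# Added example: flag datagrams that carry a plaintext Back Orifice command.
BO_MAGIC = b"*!*QWTY?"  # header every BO command starts with (from the article)

# Constructed sample traffic (source, destination, payload) - not a real capture.
# Only the second datagram is a BO command; the fourth merely mentions the
# magic string mid-payload and must not be flagged, since commands START with it.
SAMPLE_DATAGRAMS = [
    ("203.0.113.5", "192.0.2.10", b"\x00\x01\x02 ordinary unrelated bytes"),
    ("203.0.113.5", "192.0.2.10", BO_MAGIC + b"\x00\x00\x00\x20" + b"PING"),
    ("198.51.100.7", "192.0.2.10", b"GET / HTTP/1.0\r\n\r\n"),
    ("198.51.100.7", "192.0.2.10", b"log: saw *!*QWTY? in a ticket body"),
]


def is_bo_command(payload: bytes) -> bool:
    """True when the payload begins with the BO command header.

    Caveat: the US version encrypts commands, so encrypted traffic will not
    match; this check covers the unencrypted build or decrypted payloads only.
    """
    return len(payload) >= len(BO_MAGIC) and payload.startswith(BO_MAGIC)


def find_bo_commands(datagrams):
    """Return one alert per datagram that is a BO command.

    Each alert is (source, destination, hex of the bytes after the header),
    so an analyst can see what followed the magic without dumping the packet.
    """
    alerts = []
    for src, dst, payload in datagrams:
        if is_bo_command(payload):
            alerts.append((src, dst, payload[len(BO_MAGIC):].hex()))
    return alerts


if __name__ == "__main__":
    for src, dst, tail in find_bo_commands(SAMPLE_DATAGRAMS):
        print(f"Back Orifice command attempt: {src} -> {dst} (after header: {tail})")
```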
As evil as I’ve made Back Orifice sound, it has legitimate uses for network maintenance and even functions in a manner similar, although much more extensively, to various remote control utilities (e.g., Carbon Copy). The main difference is that they make themselves known while BO completely hides itself.
You probably want to know if Back Orifice is on your system, so keep your AV software up to date and make certain that detection of programs like it is turned on.
Microsoft has released a security bulletin on BO that fairly well dismisses the program. The cDc have released a point-by-point rebuttal of Microsoft’s bulletin. For a bit of entertainment, take a look at:
http://www.cultdeadcow.com/tools/bo_msrebuttal.html [Sorry, isn’t there any longer.]
BO-2000 even supplies a plug-in that allows a remote user to see what is on your screen and take control of the mouse and keyboard. Since BO was written with a flexible architecture other plug-ins can be written and remotely installed.
Even when I ran the Zone Alarm firewall software and only connected via a dial-up connection I often would see a Back Orifice inquiry against my current IP address in the Zone Alarm logs.
You probably don’t want this beast running in the background on your computer.