Back Orifice 2000

Developer(s): Dildog (cDc) (original code); BO2k Development Team (current maintenance)
Stable release: 1.1.6 (Windows), 0.1.5 pre1 (Linux) / March 21, 2007
Operating system: Microsoft Windows; Linux (client only)
Type: Remote administration
License: GPL

Back Orifice 2000 advertisement (featuring the original logo)

Back Orifice 2000 (often shortened to BO2k) is a computer program designed for remote system administration. It enables a user to control a computer running the Microsoft Windows operating system from a remote location. The name is a pun on Microsoft BackOffice Server software.

BO2k debuted on July 10, 1999, at DEF CON 7, a computer security convention in Las Vegas, Nevada. It was originally written by Dildog, a member of the US hacker group Cult of the Dead Cow (cDc), and succeeded cDc's Back Orifice remote administration tool, released the previous year. As of 2007, BO2k was still being actively developed.

Whereas the original Back Orifice was limited to Windows 95 and Windows 98, BO2k also supports Windows NT, Windows 2000 and Windows XP. Some BO2k client functionality has also been implemented for Linux. Because BO2k was released as free software under the GPL, it can be ported to other operating systems.

Plugins

BO2k has a plugin architecture: the core server can be extended with optional plugins rather than shipping every feature in the base program.

Controversy

Back Orifice and Back Orifice 2000 are widely regarded as malware: tools intended to be used as a combined rootkit and backdoor. Many antivirus packages, for example, identify them as Trojan horses. [1] [2] [3] [4] [5] The classification is defensible because BO2k can be delivered by a Trojan horse and, when used by an unauthorized party, runs on the target without the system administrator's knowledge.

There are several reasons for this, including the association with cDc; the tone of the initial product launch at DEF CON [6] (and the fact that the first CDs distributed by cDc were infected with the CIH virus [7] ); the existence of tools (such as "Silk Rope" [8] ) designed to add BO2k dropper capability to self-propagating malware; and the fact that it has indeed been widely used for malicious purposes. [9] [10] [11] The most common criticism is that BO2k installs and operates silently, without warning a logged-on user that remote administration or surveillance is taking place. [12] According to the official BO2k documentation, the user of the machine on which the BO2k server runs is not supposed to know that it is running. [13]

The BO2k developers counter these concerns in their Note on Product Legitimacy and Security, pointing out, among other things, that some remote administration tools widely recognized as legitimate also offer options for silent installation and operation. [14]

References

  1. Symantec press release, dated 12 July 1999, accessed 8 August 2006.
  2. ISS press release, dated 13 July 1999, accessed 8 August 2006.
  3. Trend Micro press release, dated 12 July 1999, accessed 8 August 2006. Archived 2007-03-11 at the Wayback Machine.
  4. CA threat description, dated 30 November 2005, accessed 8 August 2006. Archived 2007-03-12 at the Wayback Machine.
  5. F-Secure threat description, accessed 8 August 2006.
  6. CNN.com report "Bad rap for Back Orifice 2000?", dated 21 July 1999, accessed 8 August 2006.
  7. ZDNet news "Back Orifice CDs infected with CIH virus", dated 14 July 1999, accessed 8 August 2006.
  8. Trend Micro threat description, archived from the original on 2002-10-20, retrieved 2020-06-21.
  9. Insecure.org mailing list archive, Rik van Riel report dated 3 October 2000, accessed 8 August 2006.
  10. SecurityFocus "Airport PCs stuffed with meaty goodness", dated 21 September 2005, accessed 8 August 2006.
  11. Microsoft Security Administrator article "Danger: Remote Access Trojans", September 2002 edition, accessed 8 August 2006.
  12. Bruce Schneier's Crypto-Gram Newsletter, dated 15 August 1999, accessed 8 August 2006.
  13. "Official BO2k Documentation: Basic Setup", archived from the original on 2012-07-10, retrieved 2007-05-10.
  14. "Legitimacy" (Note on Product Legitimacy and Security), archived from the original on 2005-04-07, retrieved 2006-08-05.