At the Defcon hacker convention earlier this month in flood-ravaged Las Vegas, 19 members of the Cult of the Dead Cow hacker group cavorted on stage to officially launch Back Orifice 2000, their latest software tool for taking control of Windows-based corporate networks.
It was a bizarre parody of a software vendor’s product launch. Grandmaster Rat howled out a cruel imitation of Martin Luther King’s historic “I have a dream” speech as he screamed “I have been to the mountaintop!” Amid shrieking sound effects and videos, he chanted “Hallelujah!” and by the end of his rant, he was gripping his crotch with one hand and saluting his audience with the other.
But that, of course, was just the warm-up act. Dildog, the software’s main author, took the mike to reel off all the supposed new improvements that Back Orifice 2000 has over its trojan horse predecessor, Back Orifice, which was unveiled at last year’s Defcon. A trojan horse is a program that poses as something harmless; once it is installed on the target machine, it lets an attacker secretly monitor or take control of that machine and the network resources it can reach.
The first Cult of the Dead Cow hacker tool was aimed at controlling Windows 95 and 98, “so it only ended up being widely used by home PCs,” Dildog suggested. But Back Orifice 2000, which he called “almost a complete rewrite from the ground up,” is for corporate enterprises because it adds Windows NT support and can use TCP as a transport as well as UDP, so the user “can talk over all kinds of networks.”
The new version is said to weigh in at just 113KB, under the previous version’s 160KB footprint. Now equipped with multiple-user logins so several people can use it at one time, it lets the operator control the target user’s mouse, keyboard and files, and even shut down and uninstall the server component itself, either through manual control or a timed automated intervention.
“It looks like a thread of other executables running,” Dildog explained as he demonstrated an early version of it to the hundreds of hackers, government spies, security analysts and media packed into the stifling, overcrowded hall at the Alexis Park and Resort.
Back Orifice 2000 is designed to be fully open and extensible so that third-party developers can easily build plug-ins that offer new ways for the software to get loaded onto networks and manipulate user data. For instance, the tool today can grab NT password hashes and automatically dump them into L0phtCrack, the L0pht’s password-cracking program.
Back Orifice 2000 encrypts its control traffic with plug-in ciphers of varying strength, up to Triple-DES, so that what it sends over the network cannot be read on the wire. The Cult of the Dead Cow members claim antivirus software will have no effect against it because it can constantly morph to look like something else. One Cult of the Dead Cow member, Tweetyfish, suggested that only intrusion-detection software would have a chance to spot and eradicate it.
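The argument behind that claim is simple enough to show in a few lines. The following is an illustration added to this story, not code from the Cult of the Dead Cow or from Back Orifice 2000: a fixed byte signature, the approach an antivirus scanner relies on, stops matching as soon as the same command travels encrypted under a key the scanner never sees, while a network detector that looks at a different property of the traffic still has something to work with. Everything in it is constructed for the example: the command text, the toy stream cipher standing in for a real cipher such as Triple-DES, the port number, and the entropy-based heuristic (a generic detection idea, not one the article attributes to any vendor).

```python
# Added example, not code from the article or from Back Orifice 2000.
# It illustrates why a byte-signature check fails against encrypted
# control traffic while a network-side heuristic can still flag it.
# Every detail is constructed: command text, toy cipher, port, threshold.
# None of it describes the real BO2K protocol.

import hashlib
import math
from collections import Counter

# Constructed plaintext control message, repeated so the entropy
# estimate has enough bytes to work with.
PLAIN_COMMAND = b"CMD:dump_passwords;reply_to=10.0.0.5;" * 8

# Content signature a scanner might ship for the plaintext command.
SIGNATURE = b"CMD:dump_passwords"

# Assumed detector settings (hypothetical, not from the article).
WATCHED_PORT = 31337      # hypothetical fixed control port
ENTROPY_THRESHOLD = 6.0   # bits/byte: ASCII text sits around 4-5, ciphertext near 8


def keystream(key: bytes, length: int) -> bytes:
    """Toy stream-cipher keystream: SHA-256 in counter mode.  A stand-in
    for any real cipher; the only property used here is that the output
    is unpredictable without the key."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(data: bytes, key: bytes) -> bytes:
    """XOR the payload with the keystream; decryption is the same call."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of the payload's byte distribution."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def signature_match(payload: bytes) -> bool:
    """Antivirus-style check: does the known byte pattern appear?"""
    return SIGNATURE in payload


def classify(dst_port: int, payload: bytes) -> str:
    """IDS-style verdict for one packet.

    'signature' - known plaintext pattern seen
    'heuristic' - no signature, but a high-entropy payload on the
                  watched control port (traffic that hides its content)
    'clean'     - nothing suspicious by either rule
    """
    if signature_match(payload):
        return "signature"
    if dst_port == WATCHED_PORT and shannon_entropy(payload) > ENTROPY_THRESHOLD:
        return "heuristic"
    return "clean"


def demo() -> dict:
    """Run the three cases and return the verdicts."""
    session_key = b"constructed-session-key"  # per-session key the scanner never sees
    encrypted = encrypt(PLAIN_COMMAND, session_key)
    return {
        "plaintext": classify(WATCHED_PORT, PLAIN_COMMAND),
        "encrypted": classify(WATCHED_PORT, encrypted),
        "benign_text": classify(80, b"GET /index.html HTTP/1.0\r\n" * 8),
        "roundtrip_ok": encrypt(encrypted, session_key) == PLAIN_COMMAND,
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:12} {verdict}")
```

The plaintext packet trips the signature; the identical command, once encrypted, does not, and only the entropy rule on the watched port catches it. That second rule is exactly the sort of thing an intrusion-detection system on the network can apply and a file-scanning antivirus product cannot, which is the distinction Tweetyfish was drawing. The heuristic is deliberately crude: a backdoor that padded its traffic with low-entropy filler or moved ports would evade it too.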
In an astonishing assertion, the Cult of the Dead Cow insisted that Back Orifice 2000 is not just a tool for hackers — they claim it is a legitimate network management tool that should be used by network professionals.
“It’s just like other tools that cost a whole lot of money, such as Symantec’s PCAnywhere or Microsoft’s SMS,” claimed Dildog. As a sign of its good intentions, Cult of the Dead Cow plans to release the source code for Back Orifice 2000, and will sue anyone who takes that code to make a commercial product of their own. Dildog acknowledged that releasing the source code would also help the hacker group fix any bugs in Back Orifice 2000.
At the convention, Cult of the Dead Cow tossed out half a dozen CDs with Back Orifice 2000 on them to an audience clamouring for it. One security vendor, Internet Security Systems, says one of its employees attending Defcon managed to grab one, and found known computer viruses on it alongside the Back Orifice 2000 program.
Stripped of the computer viruses, the CD’s content is being reviewed extensively by industry experts as the final version of Back Orifice 2000 was expected to be posted on-line following the convention.
“We wouldn’t classify this as an administration tool, we’d classify it as a backdoor,” said Chris Rowland, ISS director of the X-Force, the group at ISS that swings into action when security threats are spotted. “It’s developed to maliciously and stealthily install itself on a server.”
The ISS RealSecure intrusion-detection product has just been upgraded to recognize Back Orifice 2000 and the network-based attacks carried out with it. Other vendors are also working along the same lines.
One Cult of the Dead Cow member, Sir Dystic, said he is developing his own intrusion-detection antidote for the code he helped create. Security vendors say they expect him to sell it.