Description
The "Back Orifice administration tool" allows computers
that are running the Back Orifice driver (BOSERVER in the software's
own terminology) to be administered remotely by one of a pair of
administration clients (a GUI version and a console version).
The administration client allows manipulation of most elements
of a remote Windows 95/98 machine that has the BO driver installed,
including registry entries, the file system, the process
database, keystrokes typed and screen output.
Although this sort of control is offered by numerous existing
commercial applications, Back Orifice, as its name suggests, carries
additional baggage in its implementation which makes it an
"undesirable application". For example, the driver software
installs itself, by default, with an unusual name ("#.EXE",
where # represents a space character). It also deletes the original
installation file once the non-obviously-named driver is in
place. Furthermore, it claims to include a feature which allows the
driver to be "bound", virus-like, to another program. Then,
when this hybrid program is run, the driver silently installs itself
with its unusual name before running the original program. This allows
it to obfuscate both its invocation and its presence.
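A defender-side check for the installation trait described above, added here as an example and not part of the original description or of the Back Orifice tools: it scans Run-key style entries and flags any program whose file name has no visible characters before ".exe" (the page's "#.EXE" with # a space, generalised to any whitespace-only stem). The sample entries and the helper names are constructed for illustration; on a real machine the entries would come from the Run keys or a directory listing.

```python
import ntpath
import re

# Constructed sample in the style of Windows 9x "Run" key entries
# (value name, command line). Not taken from any real machine; the
# entries named Explorer and Loader imitate the " .exe" trait.
SAMPLE_RUN_ENTRIES = [
    ("SystemTray", r"SysTray.Exe"),
    ("ScanRegistry", r"C:\WINDOWS\scanregw.exe /autorun"),
    ("Explorer", r'"C:\WINDOWS\SYSTEM\ .exe"'),
    ("TaskMonitor", r"C:\WINDOWS\taskmon.exe"),
    ("Loader", r"C:\WINDOWS\SYSTEM\ .EXE"),
]

# Matches a command line up to and including the first ".exe" that is
# followed by whitespace or the end, so a space inside the file name
# (the Back Orifice case) is kept rather than treated as an argument break.
_EXE_PATH = re.compile(r"^(.*?\.exe)(?=\s|$)", re.IGNORECASE)


def executable_from_command(cmdline):
    """Return the program path from a Run-key command line (quoted paths verbatim)."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        return cmdline[1:end] if end != -1 else cmdline[1:]
    match = _EXE_PATH.match(cmdline)
    if match:
        return match.group(1)
    # No .exe found: fall back to the first whitespace-delimited token.
    return cmdline.split(None, 1)[0] if cmdline else ""


def stem_is_blank(path):
    """True when the file is an .exe whose name before the extension has
    no visible characters (e.g. " .exe", the Back Orifice default)."""
    name = ntpath.basename(path)
    return name.lower().endswith(".exe") and name[:-4].strip() == ""


def find_suspicious_run_entries(entries):
    """Return (value name, program path) for entries with a blank .exe stem."""
    hits = []
    for value_name, cmdline in entries:
        path = executable_from_command(cmdline)
        if stem_is_blank(path):
            hits.append((value_name, path))
    return hits
```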
Administrators anticipating a legitimate use for Back Orifice
on their network will probably want to bear in mind that the
packets transmitted between Back Orifice clients and servers are
easy to intercept and decode, even if BO's encryption is used.
This means that illicit network snoopers will be able to
intercept and recover BO sessions even on networks where BO is
being used intentionally. Such snoopers will also be able to
recover, from a BO packet session, the password used. This will
allow them to connect directly to machines on the network in
future.
In view of the above, we have assumed that no well-informed
administrators will want to allow Back Orifice tools to be used on
their network. We hope that although BO's notoriety may mean the tools
will become more widespread than might be liked, it will also mean
that users will be more easily encouraged not to accept and run
any arbitrary programs they receive. We further hope that BO's
notoriety will mean that administrators will be more likely to be on
the lookout for it, and therefore that those trying to use it for
malevolent purposes will be more likely to be caught out.
Please refer to the Back Orifice 2000 analysis for further details.