BO2k

Contents:
  Introduction: BO2k: a new menace for Windows users.
  What to Do?: Windows users -- some steps you can take to minimize the exposure.
  Vulnerability of Windows: Other OSes may fare better.
  Related Links
Vulnerability of Windows:
As for the dangers, from what I can see, they're perhaps even understated in my message,
but if you flood people with too much, it doesn't help. Microsoft's reaction to the
original BO release a year ago revealed an attitude of "ha ha - you're just helping us
push our more expensive Windows NT. Our official position is that anyone who runs a trojan
is foolish, and it's their own fault."
However, just a bit ago, countable in weeks, Melissa and others were spread from NT hosts
into non-NT Windows hosts inside many companies. This "route of infection"
should have been a wake-up call to the Windows community. There is little doubt that
Windows NT, even with Service Pack 5 installed, still has bugs, at least some of which
could be exploited for intrusion or for gaining supervisor access.
CERT reported in February that they were receiving "many reports a day" of Back
Orifice installation trojans which use Silk Rope to obscure their intent (e.g. you
receive an electronic greeting card as an .exe from someone, or purportedly from someone,
you know; but it was a forward by them, and a forward by the person that they got it
from. Upon executing the .exe, Back Orifice is installed, and then the actual greeting
card runs, to obscure the trojan nature).
With BO2k (BTW, I've not yet been able to get a copy of the source that was supposed to have
been released by now, to examine it), presuming that reports are accurate as to its efficacy,
mixed networks (part W95/98, part NT) are almost certainly the most vulnerable, after
all-95/98 hosts.
As to intrusion via VPN'd trusted extranet clients, perhaps that's the most socially
reprehensible problem with the whole thing. The likely knee-jerk is to shut down such
progressive moves, rather than insisting upon solid security procedures which exclude
hosts with no security, or bad security practices. To me, that's worse than the loss of
data and usability for those who knowledgeably leave themselves open, or blindly move along
without ever paying attention to the risks.
People noticing unusual activity on a system MUST take heed of the warnings, and realize
that that's like listening for a train at a crossing, without looking to see if it is
there.
The "Subseven.backdoor.C" was reported as "in the wild" and being
distributed via various channels, as of mid-June, yet this has gotten absolutely NO press.
This is described as an "espionage" trojan, whose job it is to snoop data.
As I tried to explain in that first message, with BO going open-source, we can expect to
see various clones of it, some of which incorporate the code from others, or use them as
BUTTplugs.
Still, the biggest risk is even dial-up to the net with promiscuous "Net
Neighborhood" sharing enabled, which gives full access to ANYONE on the net. That is,
indeed, a bomb with a lit fuse, and still (from what I've heard) not at all unusual.
An interesting description I read on a Linux message area points out that the remote
administration tasks provided by Back Orifice (and even BO2k) are merely normal facilities
on UNIX/UNIX-like systems. The difference is _only_ that of security (or lack of it)
provided by the operating system.
If you've toyed with UNIX or one of its many variants (e.g. Linux), you can begin to see
that that is true. OTOH, the details are seldom _hidden_ on *N?X from simple searching,
unlike the obscurities provided by Windows.
BO/BO2k                 | UNIX equivalent
------------------------+----------------------------------------------------------------
reboot system           | "reboot" and "shutdown"
ftp/http access         | ftpd, httpd
run commands            | run commands via telnet, rlogin, etc.
sniff keyboard          | sniff keyboard (by root)
sniff "screen"          | access to /dev/mem and /dev/kmem
run GUI commands        | run GUI commands (with display either on the host in question
                        | or exported) via rsh, rlogin, telnet, etc.
work with registry      | work with .rc and system files
remap ports in use      | (in almost all situations, OS blocked; with root and kmem
                        | access it would be possible)
crack passwords         | crack POOR passwords, brute force. Again, system security is
                        | better.
modify shares           | export/import via Samba or NFS but, again, only with root access
run "subprograms"       | run pipelines
run timed jobs          | cron
open other backdoors    | run raw shelld intrusion software
corrupt system files    | only as root
corrupt other users     | only as root or that user
snoop private data      | only as root or the owner
So, it's only a big deal because of the lack of security when these
"normal" functions are extended without security.
Bruce
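The "greeting card .exe" delivery described in the message above (a trojan installer bound to a harmless decoy program) can be triaged with a simple file-format check. The following is an added example, not code from the page and not a description of how Silk Rope itself works: it assumes, as a generic heuristic, that an executable binder stores the second program after the last section of the host PE (the "overlay"), so a PE whose overlay contains another MZ/PE image deserves a closer look. Installers and signed binaries also carry overlays, so this is a triage signal, not a verdict. The helper names (`pe_section_end`, `triage`, `build_minimal_pe`) and the sample images are invented for this example; the samples are structurally valid PE files that do nothing.

```python
"""Overlay-based triage for binder-wrapped executables (added example).

Assumption, not page content: binders commonly append the bundled program
after the last PE section, leaving an overlay that itself parses as a PE.
"""
import struct
from typing import Optional

FILE_ALIGN = 0x200


def pe_section_end(data: bytes) -> Optional[int]:
    """Return the file offset just past the last section's raw data (where
    an overlay would begin), or None if `data` is not parseable as a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    # COFF header after the signature: Machine(2) NumberOfSections(2)
    # TimeDateStamp(4) PointerToSymbolTable(4) NumberOfSymbols(4)
    # SizeOfOptionalHeader(2) Characteristics(2)
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size
    end = 0
    for i in range(num_sections):
        hdr = table + i * 40
        if hdr + 40 > len(data):
            return None
        # IMAGE_SECTION_HEADER: SizeOfRawData at +16, PointerToRawData at +20
        size_raw, ptr_raw = struct.unpack_from("<II", data, hdr + 16)
        end = max(end, ptr_raw + size_raw)
    if end == 0:
        return None
    return min(end, len(data))  # a truncated section leaves no overlay


def overlay_contains_pe(overlay: bytes) -> bool:
    """True if a parseable MZ/PE image starts anywhere inside the overlay."""
    pos = overlay.find(b"MZ")
    while pos != -1:
        if pe_section_end(overlay[pos:]) is not None:
            return True
        pos = overlay.find(b"MZ", pos + 1)
    return False


def triage(data: bytes) -> dict:
    """Summarise overlay facts for one file image."""
    end = pe_section_end(data)
    if end is None:
        return {"pe": False, "overlay_size": 0, "overlay_has_pe": False}
    overlay = data[end:]
    return {"pe": True, "overlay_size": len(overlay),
            "overlay_has_pe": overlay_contains_pe(overlay)}


def build_minimal_pe(section_bytes: bytes) -> bytes:
    """Construct a structurally valid but non-runnable PE32 image with one
    section. Sample input only; a real binder would bundle real programs."""
    e_lfanew = 0x40
    raw_size = -(-len(section_bytes) // FILE_ALIGN) * FILE_ALIGN
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x0102)
    optional = struct.pack("<H", 0x10B) + b"\0" * (0xE0 - 2)  # PE32 magic, rest zero
    headers_end = e_lfanew + 4 + 20 + 0xE0 + 40
    ptr_raw = -(-headers_end // FILE_ALIGN) * FILE_ALIGN
    section = struct.pack("<8sIIIIIIHHI", b".text", len(section_bytes), 0x1000,
                          raw_size, ptr_raw, 0, 0, 0, 0, 0x60000020)
    image = dos + b"PE\0\0" + coff + optional + section
    image += b"\0" * (ptr_raw - len(image))
    return image + section_bytes.ljust(raw_size, b"\0")


# Constructed samples: a decoy, a payload, and the two bound together.
DECOY = build_minimal_pe(b"stand-in for the greeting card program")
PAYLOAD = build_minimal_pe(b"stand-in for a remote-access server")
BOUND = DECOY + PAYLOAD

if __name__ == "__main__":
    for name, image in [("decoy", DECOY), ("bound", BOUND), ("text", b"not a PE")]:
        print(name, triage(image))
```

Run against real files, the same `triage` call is a first-pass filter for attachments: an overlay that parses as a second PE is the signature a binder leaves; a zero-length overlay rules this particular trick out, but not a trojan compiled directly into the program.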
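The table above rests on one point: each BO function has a UNIX counterpart, but on UNIX the counterpart sits behind the kernel's access check, so "only as root or the owner" is what decides. The following is an added example, not from the page, that implements that discretionary access check and runs it over a constructed sample filesystem modelled on common defaults (the paths, modes, uids and user names are invented for the example, not taken from any real system).

```python
"""Unix discretionary access control, the gate behind each table row (added example).

Sample entries and credentials below are constructed, not from a real host.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List


@dataclass(frozen=True)
class Entry:
    path: str
    mode: int   # permission bits only, e.g. 0o640
    uid: int
    gid: int


@dataclass(frozen=True)
class Cred:
    uid: int
    gids: FrozenSet[int]


def can_access(entry: Entry, cred: Cred, want: str) -> bool:
    """Classic Unix DAC decision for one of 'r', 'w', 'x'.

    root (uid 0) bypasses read/write checks entirely and may execute a file
    if any execute bit is set. Everyone else is assigned exactly one class:
    owner if the uid matches, else group if any gid matches, else other.
    Classes are not cumulative: an owner whose owner bits deny access is
    not rescued by a permissive group or other class.
    """
    bit = {"r": 4, "w": 2, "x": 1}[want]
    if cred.uid == 0:
        return want != "x" or (entry.mode & 0o111) != 0
    if cred.uid == entry.uid:
        shift = 6
    elif entry.gid in cred.gids:
        shift = 3
    else:
        shift = 0
    return bool((entry.mode >> shift) & bit)


def exposure(entries: List[Entry], cred: Cred) -> Dict[str, str]:
    """Map each path to the subset of 'rw' the credential can obtain."""
    return {e.path: "".join(p for p in "rw" if can_access(e, cred, p))
            for e in entries}


# Constructed sample filesystem: uid 0 root, gid 2 kmem, 1000 alice, 1001 bob.
SAMPLE = [
    Entry("/dev/kmem", 0o640, 0, 2),                    # "sniff screen" row
    Entry("/etc/rc.local", 0o644, 0, 0),                # "work with registry" row
    Entry("/etc/crontab", 0o644, 0, 0),                 # "run timed jobs" row
    Entry("/home/alice/mail.mbox", 0o600, 1000, 1000),  # "snoop private data" row
    Entry("/home/alice/.profile", 0o664, 1000, 1000),   # "corrupt other users" row
]
ROOT = Cred(0, frozenset({0}))
ALICE = Cred(1000, frozenset({1000}))
BOB = Cred(1001, frozenset({1001}))
KMEM_READER = Cred(1002, frozenset({1002, 2}))  # unprivileged, but in group kmem

if __name__ == "__main__":
    for who, cred in [("root", ROOT), ("alice", ALICE), ("bob", BOB),
                      ("kmem-member", KMEM_READER)]:
        print(who, exposure(SAMPLE, cred))
```

The `KMEM_READER` entry is the practical caveat: the gate is only as good as the mode bits and group memberships on the host, so a user who has been added to group kmem gets the "sniff screen" capability without root. That is exactly what a trojan running as an unprivileged user cannot do on a correctly configured UNIX host, and what BO does on Windows 95/98 without asking.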