Trojan Zoo @EHugin

BackOrifice

This analysis is based on BackOrifice version 1.20.

BackOrifice is arguably the best-known of the remote-control trojan horses. Although theoretically useful as a system management tool, the only people actually using it seem to be the script-kiddies. Such is life.

BO is packaged with both a graphical and a text client. The text client has been ported to Unix, so unlike most trojans, just about any kind of machine can control a Windows system infected with the BO server. The Windows BO client is rather clunky-looking (see the screen shots on the Client Info page), and serves as little more than a primitive front-end to the text client.

BackOrifice's client can perform a number of functions on a machine infected with the BO server, including starting, stopping, and listing processes, running programs on the remote host with the input/output buffers redirected to the client's machine, etc.

One of the more interesting capabilities of BackOrifice is its ability to download plug-in DLL modules (sometimes referred to as "butt-plugs") to the server. These plug-ins conform to a simple, standardized API, and can dramatically extend the functionality of the original server. The BO client can send additional plug-ins to the server once it's connected.

A full list of its capabilities, along with some screen shots of the client, is available on the Client Info page.

Ports Used

The Windows "netstat -an" command shows the BackOrifice server listening on the following ports:

TCP    31337

UDP    31337

The port numbers were supposedly chosen because they spell out "ELEET". (Well, if you squint funny, assume that a "3" looks a lot like a backwards "E", a "1" like an "L", and a "7" like a "T" then I guess you can say that it works out that way.) This piece of trivia is unlikely to come in handy in any social situation unless it's composed entirely of geeks. :-)

More to the point, these are simply the default port numbers. BackOrifice comes with a utility to configure the server to listen to any port the installer desires. This feature does not appear to be widely used by the script-kiddie/scanner crowd. (It's much easier to find infected machines if you only have to search for a single well-established port number.)

Reconfiguring the port number and password-protecting the server are features intended to make BO more appealing to system administrators.

Scan Signature

The BO client's scanner does not use a fixed port number for its side of the connection, although it will of course be looking for port 31337 on the scanned machines. (Assuming that nobody's looking for specially-configured BO servers.) Log entries generated by a BO client scanning your machine will therefore look like:

    from: remotehostaddr udp (anything)
    to  : yourhostaddr   udp 31337
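As an added example (not part of the original page), here is a short Python script that applies this signature to a firewall log written in the two-line from/to layout shown above. The addresses, ports and ordering in SAMPLE_LOG are constructed, not captured. It also goes one step beyond the single-event signature: a source that walks several hosts on the port is the scanner pattern worth alerting on, and a server reconfigured to another port is only caught if that port is passed in explicitly.

```python
"""Flag Back Orifice scan traffic in a firewall log.

Added example, not code from the original page. The log format is the
two-line "from:/to:" layout from the Scan Signature section; SAMPLE_LOG is
constructed test data, not a real capture.
"""
import re

# Default BO server port. A server set up with the port-configuration
# utility would need its port added to the `ports` argument below.
BO_PORT = 31337

# Constructed sample: one scanner hitting three hosts, one unrelated DNS
# packet, and one probe of a non-default port that the default check misses.
SAMPLE_LOG = """\
from: 10.1.2.3 udp 4321
to  : 192.168.0.10 udp 31337
from: 10.1.2.3 udp 4322
to  : 192.168.0.11 udp 31337
from: 192.168.0.10 udp 1025
to  : 192.168.0.1 udp 53
from: 10.1.2.3 udp 4323
to  : 192.168.0.12 udp 31337
from: 172.16.9.9 udp 60000
to  : 192.168.0.10 udp 31338
"""

LINE_RE = re.compile(r"^(from|to)\s*:\s*(\S+)\s+(udp|tcp)\s+(\d+)\s*$", re.I)


def parse_events(log_text):
    """Pair each 'from:' line with the 'to:' line that follows it.

    Returns a list of (src_ip, src_port, proto, dst_ip, dst_port) tuples.
    Malformed or unpaired lines are skipped rather than raising, since a
    real log is rarely clean.
    """
    events = []
    pending = None
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        direction, addr, proto, port = m.groups()
        if direction.lower() == "from":
            pending = (addr, int(port), proto.lower())
        elif pending is not None:
            src_ip, src_port, src_proto = pending
            if src_proto == proto.lower():
                events.append((src_ip, src_port, src_proto, addr, int(port)))
            pending = None
    return events


def bo_scan_events(events, ports=(BO_PORT,)):
    """Events matching the BO scan signature: UDP to a BO port, any source port."""
    return [e for e in events if e[2] == "udp" and e[4] in ports]


def scanners(events, ports=(BO_PORT,), min_targets=2):
    """Sources that probed at least `min_targets` distinct hosts on a BO port.

    One hit may be noise; the same source walking several hosts is the
    sweep pattern a BO client's scanner produces.
    """
    targets = {}
    for src_ip, _sport, _proto, dst_ip, _dport in bo_scan_events(events, ports):
        targets.setdefault(src_ip, set()).add(dst_ip)
    return {src: sorted(hosts) for src, hosts in targets.items()
            if len(hosts) >= min_targets}


if __name__ == "__main__":
    ev = parse_events(SAMPLE_LOG)
    print(f"{len(ev)} events parsed, {len(bo_scan_events(ev))} match UDP/{BO_PORT}")
    for src, hosts in scanners(ev).items():
        print(f"scanner {src} probed {len(hosts)} hosts: {', '.join(hosts)}")
    # Adding the non-default port shows what a 31337-only check leaves behind.
    print("with 31338 included:", len(bo_scan_events(ev, ports=(BO_PORT, 31338))))
```

Run it as-is to see the constructed sweep flagged, or replace SAMPLE_LOG with a real log in the same layout. The `ports` argument is the important knob: anyone relying on 31337 alone is, as the text says, only finding the servers that were never reconfigured.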

Trojan Detection

The easiest way I can think of to determine if your machine is infected with BackOrifice is simply to open up a DOS Command window and run "netstat -an". If you see any of the ports listed in the Ports Used section above then you've probably got BackOrifice on your machine.

(See the Server Info page for screen shots of the netstat output.)

You can also use the registry editor to look for BackOrifice. This is particularly useful if you're concerned about someone sticking a customized server on your machine that isn't using the UDP 31337 port. The server adds an entry to the:

    HKEY_LOCAL_MACHINE
        \Software
            \Microsoft
                \Windows
                    \CurrentVersion
                        \RunServices

section that looks like this:

    Name          Data
    @             " .exe"

(Note: that's a space, followed by a dot, followed by "exe".)

This is how the BackOrifice server launches itself automatically. The " .exe" file will normally be located in the C:\WINDOWS\SYSTEM directory. Note, however, that this name can also be configured by the person releasing the server, and may not be " .exe". Regardless, the registry entry should be in the same location and be named "@". Windows 98 does not contain an entry with this name by default.
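As an added example (not from the original page), the following Python script automates the two checks described above: it parses "netstat -an" output for anything listening on 31337, and it parses a regedit export of the RunServices key for the default-value ("@") entry. Both inputs are constructed samples standing in for the real output; to use it on a real machine, feed in a captured netstat listing and a .reg export of the key. The registry check is the one that still works when the server has been renamed away from " .exe" or moved to another port.

```python
"""Check netstat output and a RunServices export for Back Orifice artifacts.

Added example, not code from the original page. SAMPLE_NETSTAT and
SAMPLE_RUNSERVICES are constructed stand-ins for `netstat -an` output and
a regedit (.reg) export of the RunServices key.
"""
import re

BO_PORTS = {31337}

# Constructed `netstat -an` output: an RPC/NetBIOS baseline, one outbound
# web connection, and the two BO listeners the page describes.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:31337          0.0.0.0:0              LISTENING
  TCP    192.168.0.10:1031      192.168.0.1:80         ESTABLISHED
  UDP    0.0.0.0:137            *:*
  UDP    0.0.0.0:31337          *:*
"""

# Constructed .reg export of RunServices. In a .reg file "@" spells the
# key's default value, which is the slot the BO server uses.
SAMPLE_RUNSERVICES = r"""
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
@=" .exe"
"SchedulingAgent"="mstask.exe"
"""

NETSTAT_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\w+))?\s*$")


def listening_sockets(netstat_text):
    """Return (proto, local_addr, local_port) for sockets accepting traffic.

    UDP lines have no state column, so every UDP line counts; TCP lines
    count only when the state is LISTENING.
    """
    found = []
    for line in netstat_text.splitlines():
        m = NETSTAT_RE.match(line)
        if not m:
            continue
        proto, addr, port, _foreign, state = m.groups()
        if proto == "UDP" or state == "LISTENING":
            found.append((proto, addr, int(port)))
    return found


def bo_listeners(netstat_text, ports=BO_PORTS):
    """Listening sockets on a BO port, TCP or UDP."""
    return [s for s in listening_sockets(netstat_text) if s[2] in ports]


REG_VALUE_RE = re.compile(r'^(@|"([^"]*)")="(.*)"\s*$')


def runservices_entries(reg_text):
    """Parse name/data pairs from a .reg export; the default value is keyed '@'."""
    entries = {}
    for line in reg_text.splitlines():
        m = REG_VALUE_RE.match(line.strip())
        if m:
            name = "@" if m.group(1) == "@" else m.group(2)
            entries[name] = m.group(3)
    return entries


def suspicious_runservices(reg_text):
    """Flag RunServices entries that look like the BO autostart.

    Two independent tells: the default value being set at all (the page
    notes a stock Windows 98 has none), and data that is a filename
    beginning with whitespace, the " .exe" trick. The first catches a
    server whose filename was customized.
    """
    hits = []
    for name, data in runservices_entries(reg_text).items():
        reasons = []
        if name == "@":
            reasons.append("default value set (absent on a stock Windows 98)")
        if data != data.lstrip():
            reasons.append("filename begins with whitespace")
        if reasons:
            hits.append((name, data, reasons))
    return hits


if __name__ == "__main__":
    for proto, addr, port in bo_listeners(SAMPLE_NETSTAT):
        print(f"BO port open: {proto} {addr}:{port}")
    for name, data, reasons in suspicious_runservices(SAMPLE_RUNSERVICES):
        print(f"RunServices {name} = {data!r}: {'; '.join(reasons)}")
```

The netstat parser deliberately ignores ESTABLISHED TCP connections, since only a listener tells you a server is installed. Treat the registry result as the stronger signal: the port can be changed with the configuration utility, but the autostart entry has to be somewhere Windows will run it.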

Note: BackOrifice will not show up in the Task Manager list.

BackOrifice will also make sure that the AVI capture DLL (which is a standard Windows file) is loaded. My guess is that this is done to allow the BO client to take pictures using any teleconferencing cameras that you might have on your computer, but it installs the DLL even if the computer doesn't have such peripherals. It does this by adding an entry to the:

    HKEY_LOCAL_MACHINE
        \System
            \CurrentControlSet
                \Control
                    \Session Manager
                        \Known16DLLs

section that looks like this:

    Name          Data
    AVICAP.DLL    "AVICAP.DLL"

I believe you want to leave this alone if you've actually installed any kind of AVI hardware already. If you're absolutely positive that this file wasn't being loaded earlier, you might want to delete the entry, but since this is a legitimate Windows DLL it's probably safe to leave it alone.