****************************************************************************** Security Bulletin 9819 DISA Defense Communications System August 7, 1998 Published by: DISN Security Coordination Center (SCC@NIC.MIL) 1-(800) 365-3642 DEFENSE INFORMATION SYSTEM NETWORK SECURITY BULLETIN The DISN SECURITY BULLETIN is distributed by the DISN SCC (Security Coordination Center) under DISA contract as a means of communicating information on network and host security exposures, fixes, and concerns to security and management personnel at DISN facilities. Back issues may be obtained via FTP from NIC.MIL [207.132.116.5] using login= "anonymous" and password="guest". The bulletin pathname is scc/sec-yynn (where "yy" is the year the bulletin is issued and "nn" is a bulletin number, e.g. scc/sec-9705.txt). These are also available at our WWW site, http://nic.mil. ************************************************************************** + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + | The following important advisory was issued by the Internet Security | | Systems, Inc. (ISS) and is being relayed unedited via the | | Defense Information Systems Agency's Security Coordination Center | | distribution system as a means of providing DISN subscribers | | subscribers with useful security information. | + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + ISS Security Alert Advisory August 6th, 1998 Cult of the Dead Cow Back Orifice Backdoor Synopsis: A hacker group known as the Cult of the Dead Cow has released a Windows 95/98 backdoor named 'Back Orifice' (BO). Once installed this backdoor allows unauthorized users to execute privileged operations on the affected machine. Back Orifice leaves evidence of its existence and can be detected and removed. The communications protocol and encryption used by this backdoor has been broken by ISS X-Force. Description: A backdoor is a program that is designed to hide itself inside a target host in order to allow the installing user access to the system at a later time without using normal authorization or vulnerability exploitation. Functionality: The BO program is a backdoor designed for Windows 95/98. Once installed it allows anyone who knows the listening port number and BO password to remotely control the host. Intruders access the BO server using either a text or graphics based client. The server allows intruders to execute commands, list files, start silent services, share directories, upload and download files, manipulate the registry, kill processes, list processes, as well as other options. Encrypted Communications: All communications between backdoor client and the server use the User Datagram Protocol (UDP). All data sent between the client and server is encrypted, however it is trivial to decrypt the data sent. X-Force has been able to decrypt BO client requests without knowing the password and use the gathered data to generate a password that will work on the BO server. The way that BO encrypts its packets is to generate a 2 byte hash from the password, and use the hash as the encryption key. The first 8 bytes of all client request packets use the same string: "*!*QWTY?", thus it is very easy to brute force the entire 64k key space of the password hash and compare the result to the expected string. Once you know the correct hash value that will decrypt packets, it is possible to start generating and hashing random passwords to find a password that will work on the BO server. In our tests in the X-Force lab, this entire process takes only a few seconds, at most, on a Pentium-133 machine. With our tools we have been able to capture a BO request packet, find a password that will work on the BO server, and get the BO server to send a dialog message to warn the administrator and kill its own process. Determining if BO has been installed on your machine: The BO server will do several things as it installs itself on a target host: * Install a copy of the BO server in the system directory (c:\windows\system) either as " .exe" or a user specified file name. * Create a registry key under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices with the file name of the server file name and a description field of either "(Default)" or a user specified description. * The server will begin listening on UDP port 31337, or a UDP port specified by the installer. You can configure RealSecure to monitor for network traffic on the default UDP 31337 port for possible warning signs. In order to determine if you are vulnerable: 1. Start the regedit program (c:\windows\regedit.exe). 2. Access the key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices. Look for any services that may not have been intentionally installed on the machine. If the length of one of these file is close to 124,928 (give or take 30 bytes) then it is probably BO. Recommended action: BO can be removed by deleting the server and removing its registry entry. If possible, you should back up all user data, format your hard drive, and reinstall all operating systems and software on the infected machine. However, if someone has installed BO on your machine, then it is most likely part of a larger security breach. You should react according to your site security policy. Determining the password and configuration of an installed BO: 1. Using a text editor like notepad, view the server exe file. 2. If the last line of the file is '8 8$8(8,8084888<8@8D8H8L8P8T8X8\8'8d8h8l8', then the server is using the default configuration. Otherwise, the configuration will be the last several lines of this file, in this order: Conclusion: Back Orifice provides an easy method for intruders to install a backdoor on a compromised machine. Back Orifice's authentication and encryption is weak, therefore an administrator can determine what activities and information is being sent via BO. Back Orifice can be detected and removed. This backdoor only works on Windows 95 and Windows 98 for now and not currently on Windows NT. ---------- Copyright (c) 1998 by Internet Security Systems, Inc. Permission is hereby granted for the redistribution of this alert electronically. It is not to be edited in any way without express consent of X-Force. If you wish to reprint the whole or any part of this alert in any other medium excluding electronic medium, please e-mail xforce@iss.net for permission. Disclaimer The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties with regard to this information. In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk. X-Force PGP Key available at: http://www.iss.net/xforce/sensitive.html as well as on MIT's PGP key server and PGP.com's key server. X-Force Vulnerability and Threat Database: http://www.iss.net/xforce Please send suggestions, updates, and comments to: X-Force of Internet Security Systems, Inc. **************************************************************************** * * * The point of contact for NIPRNET security-related incidents is the * * ASSIST: * * * * E-mail address: ASSIST@ASSIST.MIL * * * * Telephone: 1-(800)-357-4231 (24 hours/day) * * * * You may also contact the Security Coordination Center (SCC) at the * * NIC: * * * * E-mail address: SCC@NIC.MIL * * * * Telephone: 1-(800)-365-3642 * * * * NIC Help Desk personnel are available from 7:00 a.m.-7:00 p.m. EST, * * Monday through Friday except on federal holidays. * * * **************************************************************************** PLEASE NOTE: Some users outside of the DOD computing communities may receive DISN Security Bulletins. If you are not part of the DOD community, please contact your agency's incident response team to report incidents. Your agency's team will coordinate with DOD. The Forum of Incident Response and Security Teams (FIRST) is a world-wide organization. A list of FIRST member organizations and their constituencies can be obtained by sending email to docserver@first.org with an empty subject line and a message body containing the line: send first-contacts. This document was prepared as an service to the DOD community. Neither the United States Government nor any of their employees, makes any warranty, expressed or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, product, or process disclosed, or represents that its use would not infringe privately owned rights. Reference herein to any specific commercial products, process, or service by trade name, trademark manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation, or favoring by the United States Government. The opinions of the authors expressed herein do not necessarily state or reflect those of the United States Government, and shall not be used for advertising or product endorsement purposes.