Back Orifice Back Again

UPDATE -- The Symantec AntiVirus Research Center (SARC) at Symantec Corp. ( have analyzed and posted a virus definition set that it says protects against the Back Orifice 2000 Trojan Horse.

The company says the definition set is available now and users of Norton AntiVirus can download it through LiveUpdate or from the Symantec Web site. This will allow the operating system to detect when Back Orifice 2000 has been received. Other security vendors, such as Network Associates Inc. ( are releasing similar solutions.

Earlier today, Internet Security Systems (ISS, announced that it had decoded the protocols and encryption algorithms in Back Orifice 2000 (BO2K), the Cult of the Dead Cow's update to last year's Trojan Horse application, Back Orifice, that provided remote access to Windows 9.x machines. Released just 48 hours ago at the Las Vegas hacker convention Def Con, BO2K has the ability to do the same with machines running Windows NT, making it a much larger threat to the corporate enterprise.

ISS reports it is sharing whatever information it has with Microsoft Corp. and is rapidly developing countermeasures for inclusion to its security software RealSecure and Internet Scanner.

Bob Olson, vice president of product marketing for Network-1 Security Solutions Inc. (, says Back Orifice can access passwords, capture keystrokes and send the machine faulty warning messages. BO2K can even turn on the machine's microphone and listen for noise around the machine, and access the MS-DOS prompt and perform any function that can run from DOS.

It does all this by sending an e-mail message containing the IP address of the machine to some Web e-mail address such as Hotmail or Yahoo. Then, as the attacker, you remotely connect to the machine and begin administering it. Any applications on a Windows NT machine has access to the communication ports. Back Orifice 2000 takes advantage of this and uses any port in the machine it chooses.

This is where Network-1 has come in. The company has developed software called CyberwallPlus that locks down communication ports on the NT machine and only allows them to open up after the administrator has been notified.

"The real threat behind this is that the authors made it encoded so that it's difficult to detect it in a machine," says Olson. "[The Cult] did it purposely to point out the deficiencies in Windows NT security."

Not only does Back Orifice run undetected but it can get on the machine in a variety of ways. One is by floppy disk. In the original Back Orifice, the executable program was called "[spacebar].exe" so the file name was virtually invisible. The executable can also be sent by e-mail and "Saran Wrapped" onto another bona fide application.

Other innovations may come along as well, since the Cult decided to make this version open source, allowing other hackers to come up with their own implementation of the Trojan Horse. Symantec reports its solutions will defend against variations of Back Orifice 2000 as well.

As for the Cult of the Dead Cow, it's marketing this as a pure administration tool. The Cult's Web site has a press release announcing the "product," saying it will be free for download July 10 on the Back Office 2000 Web site ( during the hacker convention Def Con VII in Las Vegas. "Unfortunately for Microsoft, Back Orifice 2000 could bring pressure on the software leviathan to finally implement a security model in their Windows operating system," states the release. "Failure to do so would leave customers vulnerable to malicious attacks from crackers using tools that exploit Windows' breezy defenses." -- Brian Ploskina

About the Author

Scott Bekker is editor in chief of Redmond Channel Partner magazine.


  • Spaceflight Training in the Middle of a Pandemic

    Surprisingly, the worldwide COVID-19 lockdown has hardly slowed down the space training process for Brien. In fact, it has accelerated it.

  • Surface and ARM: Why Microsoft Shouldn't Follow Apple's Lead and Dump Intel

    Microsoft's current Surface flagship, the Surface Pro X, already runs on ARM. But as the ill-fated Surface RT showed, going all-in on ARM never did Microsoft many favors.

  • IT Security Isn't Supposed To Be Easy

    Joey explains why it's worth it to endure a little inconvenience for the long-term benefits of a password manager and multifactor authentication.

  • Microsoft Makes It Easier To Self-Provision PCs via Windows Autopilot When VPNs Are Used

    Microsoft announced this week that the Windows Autopilot service used with Microsoft Intune now supports enrolling devices, even in cases where virtual private networks (VPNs) might get in the way.

comments powered by Disqus

Office 365 Watch

Sign up for our newsletter.

Terms and Privacy Policy consent

I agree to this site's Privacy Policy.