Remote Administrative Command GUI Wreaks Havoc on Windows

If the disclosure of the Windows NT-specific SECHOLE.EXE gained notoriety among those in the know in the IT security community, the announcement of a new hacking “tool” called Back Orifice by the hacker group Cult of the Dead Cow (CDC, www.backorifice.net) approximated cyber-celebrity in its own right. While CDC claims that Back Orifice in its present incarnation has the ability to wreak havoc on the security of Windows 95 and Windows 98 computers, several security experts believe that Back Orifice may pose a threat to Windows NT machines as well.

CDC positions Back Orifice as a “remote administration system” that allows a user to surreptitiously control a Windows 9x computer across a TCP/IP connection using a simple console or GUI application. Because Back Orifice can be installed without an end user’s knowledge and does not appear in the Windows 9x task list that comes up when CTRL-ALT-DEL is pressed, it is a stealthy Trojan program that could potentially compromise network security.

Using a Back Orifice administrative GUI or command line program, an unscrupulous hacker could share and unshare files on any Windows 9x workstation and retrieve passwords cached by the Windows 9x operating system. Back Orifice does not currently run on Windows NT.

As Frank Knobbe, a senior security consultant with systems integrator MicroAge (Nashville, Tenn., www.microage.com) notes, all of the publicity accorded Back Orifice can pose an additional danger to IT departments in the form of curious end users. “What frightens me is the publicity. Every John Doe that heard of Back Orifice can download and 'test' it in his corporate network,” Knobbe asserts. “It’s a nightmare for any network administrator, not because [these end users] pose a threat to NT systems – Back Orifice doesn't [run on NT at this time] -- but because they are going to screw other Windows 95 machines up. People will nuke themselves silly.”

Microsoft, too, acknowledges the possibility of a threat vis-à-vis Back Orifice’s Trojan implementation and the Windows 9x operating system, but maintains that Back Orifice is of no threat to either Windows NT Workstation or Windows NT Server. “There is no threat to customers of Windows NT Workstation or Windows NT Server,” a Microsoft security bulletin (www.microsoft.com/security/bulletins/ms98-010.htm) asserts. “The program does not run on the Windows NT platform. The author of ‘Back Orifice’ do not [sic] directly claim that their [sic] product poses any threat to Windows NT, even though it seems to be implied.”

But it’s Back Orifice’s purported inapplicability with regard to Windows NT that most troubles David Bovee, a security engineer with Internet and Web services provider Verio Northwest (Beaverton, Ore.) who has just completed a security analysis of the Back Orifice software for his company. “I programmed my screen saver with a pretty good password and Back Orifice trivially decrypted it and spit it out to me,” Bovee explains. “Likewise, I understand -- though I have not yet witnessed -- that it can decrypt the .PWL files that are created on 95/98 systems to ‘remember’ networking passwords.”

Such encrypted .PWL files contain cached Windows NT domain login credentials. According to Bovee, the availability of such credentials – even at the basic Windows NT “User” privilege level – could potentially become a major problem for any enterprise. “This is obviously where an enterprise would have to become quickly concerned!” he asserts. “Most users cache their networking passwords, which, guess what, gives the attacker a slew of login accounts/passwords that [he or she] can use to run GetAdmin or [any privilege elevation attack available to them] and thus compromise the larger network! This is key to the real problem with Back Orifice.”