
84-02-02

DATA SECURITY MANAGEMENT

AN INTRODUCTION TO THE
BACK ORIFICE 2000
BACKDOOR PROGRAM
Christopher Klaus

INSIDE

General Information on Backdoor Programs; Installation Procedure; Using BO2K; Server Commands;
Protecting Against BO2K

Back Orifice 2000 (BO2K) is a backdoor program designed for misuse and attack. It was released in July 1999 at DefCon VII, a computer hacker convention held in Las Vegas, Nevada. Credit for developing and releasing BO2K was claimed by a computer hacker organization that calls itself The Cult of the Dead Cow. BO2K is a refinement of an earlier program with a similar name. BO2K takes the form of a client/server application that remotely controls an information processing application with a fixed IP (Internet Protocol) address without the knowledge of either the responsible system administrators or the affected end users. Once it has been installed, BO2K gathers information, performs system commands, reconfigures machines, and redirects network traffic without authorized access for any of these services.

BO2K can be used as a simple monitoring tool, but its main purpose is to maintain unauthorized control over another machine for reconfiguration and data collection. These features, plus the invisibility of BO2K, make this backdoor program especially dangerous for both the administrators and the end users in a networked environment.
Unlike a conventional computer virus, BO2K is not self-replicating. It must deceive an individual user into installing the program. Once it has been installed, BO2K easily performs unauthorized actions without the knowledge of the user.

PAYOFF IDEA
Back Orifice 2000 (BO2K) is a backdoor program designed for misuse and attack. While it can be used as a simple monitoring tool, its main purpose is to maintain unauthorized control over another machine for reconfiguration and data collection. This article describes backdoor programs in general, BO2K in particular, and provides suggestions for protecting against it.

Auerbach Publications
© 2000 CRC Press LLC
GENERAL INFORMATION ON BACKDOOR PROGRAMS
Backdoor programs are significantly more dangerous than conventional computer viruses. This particular type of program can be used by an intruder to take control of a microcomputer or a workstation and potentially to gain broad network access. Until now, the most widely distributed backdoor programs have been Netbus and the first version of Back Orifice. These programs are commonly referred to as Trojan horses, due to the fact that they pretend to do something other than their actual function. Typically, backdoor programs are sent as attachments to electronic mail messages with innocent-looking file names. Also, BO2K has a plug-in architecture that enables it to disguise itself once it has been installed.

Many authors of backdoor programs claim that they have not written them to be intrusion tools. Rather, the authors claim that their programs are remote-control utilities that demonstrate weaknesses in already installed operating systems. However, the actual use of these programs, as demonstrated by their past activity, indicates that these Trojan horses are frequently used to gain unauthorized access to and the use of an information processing application, although a significant vulnerability cannot be identified in the operating systems that they impact.

Netbus is available in versions for Windows 95, Windows 98, and Windows NT. The first version of Back Orifice, initially released in July 1998, was available for Windows 95 and Windows 98. With the release of BO2K, Windows NT is impacted, making this version especially dangerous for organizational networked environments.

INSTALLATION PROCEDURE
Installing BO2K involves two separate operations: client installation and server installation. BO2K installs on the server machine using a simple process. The server application is executed, and BO2K is installed. This executable, originally named bo2k.exe, may be renamed. The name that is being used for the executable will be specified in either the client installation or, as illustrated in Exhibit 1, in the BO2K Configuration Wizard.

EXHIBIT 1 — The BO2K Configuration Wizard

This Wizard steps through various configuration settings, including the server file (which is the executable), the network protocol (either TCP [Transmission Control Protocol] or UDP [User Datagram Protocol]), the port number, and the data encryption and password administration mechanisms in use. Once this process is complete, running bo2kgui.exe executes the graphical user interface (GUI) for BO2K, which is depicted in Exhibit 2.

The BO2K Configuration Wizard is designed to allow for the quick setup and immediate use, assuming some defaults, of the program on a specified server. However, many options can be set manually through the Configuration utility. These options are mainly used to reduce the chance that BO2K will be detected by the system administrator or some application user. The Configuration Wizard steps through these settings:

• Server File
• Network Protocol (UDP or TCP)
• Port Number
• Encryption (XOR or 3DES [Triple Data Encryption Standard])
• Password-Encryption Key

Once the Configuration Wizard completes this activity, the Server Configuration utility screen is displayed, as shown in Exhibit 3. This utility allows increasingly granular control over how BO2K is run, including the client/server telecommunications settings, and the methods for preventing the program from being detected. The option variables provided by this utility and their descriptions are discussed in Exhibit 4.

USING BO2K
bo2kgui.exe executes the BO2K Workspace (depicted in Exhibit 2), which contains a list of the servers that have been compromised and that has been saved from a previous use of this program. These servers must be defined for BO2K to connect to any system and to begin using the program. Each of the named servers must be described by its name, IP address, and connection information. Exhibit 5 depicts the screen for editing the server settings.

When a server has been defined, the Server Command Client is displayed, as illustrated in Exhibit 6. This window enables access to BO2K’s commands. When the user of BO2K clicks on a category, BO2K displays individual functions. Some of these functions require that additional parameters such as filenames and port numbers be provided.

EXHIBIT 2 — The Graphical Interface of BO2K

EXHIBIT 3 — The Server Configuration Utility Screen

SERVER COMMANDS
Over 70 commands are contained within BO2K. These commands gather information and send various instructions to the server. After a connection is made between the two machines, a command is selected, the applicable parameters are entered, and the Send Command button runs the command on the chosen server. Responses from the server will be displayed in the Server Response window, which is depicted in Exhibit 7. The server commands and their descriptions are discussed in Exhibit 8.

EXHIBIT 4 — Server Configuration Utility Option Variables

Option: Description

File Transfer
  File Xfer Net Type: Lists and changes the network protocol for communication
  File Xfer Bind Str: File transfer bind string; RANDOM is the default
  File Xfer Encryption: Lists and changes the current encryption method
  File Xfer Auth: File transfer authentication; the default is NULLAUTH
TCPIO
  Default Port: Displays and changes the port that is being used for TCP communication
UDPIO
  Default Port: Displays and changes the port that is being used for UDP communication
Built-in
  Load XOR Encryption: Enables or disables XOR encryption, which is weaker than Triple DES
  Load NULLAUTH Authentication: Enables or disables NULLAUTH authentication
  Load UDPIO Module: Enables or disables UDP communication
  Load TCPIO Module: Enables or disables TCP communication
XOR
  XOR Key: Lists and changes the password for XOR authentication
Startup
  Init Cmd Net Type: Displays and changes the network protocol for startup
  Init Cmd Encryption: Displays the current value for encryption at startup
  Init Cmd Auth: Displays and changes the current authentication for startup
  Idle Timeout (Ms): Changes the time in milliseconds before the server times out and disconnects
Stealth Operation
  Run At Startup: Enables or disables running BO2K at computer startup
  Delete Original File: Deletes the original exe file (the choice is Enable or Disable)
  Runtime Pathname: Changes the value for the runtime pathname
  Hide Process: Enables or disables hiding the process
  Host Process Name (NT): Changes the process name on the host machine; the default is BO2K
  Service Name (NT): Changes the service name from Remote Administration Service to another name that is specified in the utility

PROTECTING AGAINST BO2K


Once BO2K is installed, its highly configurable nature makes it very difficult to detect. Typically, backdoor programs are complex, and several detection methods are recommended to achieve maximum awareness of BO2K installations and protection for any machine or series of machines on a network. By default, BO2K installs itself in a Windows system directory as a file called UMGR32.EXE. If Windows NT is running, it will install a service that is listed as Remote Administration Service. This is a default name, and can be changed.

EXHIBIT 5 — The Screen for Editing Server Settings

Host-based vulnerability and intrusion detection applications provide insufficient protection by themselves. Network-based systems provide critical capabilities that go beyond host-based and anti-viral solutions by detecting the presence of backdoors across the network, as well as improper connection attempts taking place from outside a network.

It is recommended that users combine updated versions of anti-virus software with updated host- and network-based vulnerability scanning applications to detect violations of the organization’s IS security policy that indicate that the systems involved have been compromised by BO2K. In addition, host- and network-based intrusion detection mechanisms should be used to identify BO2K attacks as they travel over the network. Finally, it is recommended that computing users take these important precautions:

• Do not open electronic mail message attachments, especially those originating from non-trusted sources.
• Do not accept files from Internet chat mechanisms, as they inherently introduce vulnerabilities.
• Be sure that network file sharing is not enabled on computers that are connected to the Internet without proper security measures being in place.

EXHIBIT 6 — The Server Command Client Enables Access to the BO2K Commands
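The following is an added example, not code from the article or from ISS: an offline checker that reviews an exported snapshot of a Windows host (service list, system-directory listing, listening sockets) for the default indicators the section names (UMGR32.EXE and the Remote Administration Service) and, because the article notes that both names can be changed, also flags anything absent from an assumed known-clean baseline. The snapshot data and the baseline sets are constructed for the example.

```python
"""Offline check of a Windows host snapshot for the BO2K indicators the article names."""
import ntpath

# Defaults named in the article; the article also notes both can be renamed.
DEFAULT_FILE = "UMGR32.EXE"
DEFAULT_SERVICE = "Remote Administration Service"

# Constructed snapshot of one host: (service display name, image path).
SERVICES = [
    ("Workstation", r"C:\WINNT\System32\services.exe"),
    ("Remote Administration Service", r"C:\WINNT\System32\UMGR32.EXE"),
    ("Backup Agent", r"C:\WINNT\System32\bkupsvc.exe"),  # renamed suspect
]
# Constructed listing of the system directory and of listening sockets.
SYSTEM_DIR_FILES = ["services.exe", "UMGR32.EXE", "bkupsvc.exe", "kernel32.dll"]
LISTENING = [("tcp", 139), ("tcp", 12345), ("udp", 137)]  # constructed ports

# Assumed baseline, captured earlier from a known-clean build of the same image.
BASELINE_SERVICE_IMAGES = {"services.exe"}
BASELINE_SYSTEM_DIR = {"services.exe", "kernel32.dll"}
BASELINE_PORTS = {("tcp", 139), ("udp", 137)}

SEVERITY = {"high": 0, "medium": 1, "low": 2}


def check_host(services, sysdir_files, listening,
               base_images=BASELINE_SERVICE_IMAGES,
               base_files=BASELINE_SYSTEM_DIR,
               base_ports=BASELINE_PORTS):
    """Return (severity, finding) tuples, most severe first."""
    findings = []
    images = {b.lower() for b in base_images}
    files = {b.lower() for b in base_files}
    for name, image in services:
        exe = ntpath.basename(image)
        if name.lower() == DEFAULT_SERVICE.lower() or exe.upper() == DEFAULT_FILE:
            findings.append(("high", f"default BO2K indicator: service '{name}' -> {image}"))
        elif exe.lower() not in images:
            # Names are configurable, so an unknown service binary matters
            # even when neither default name is present.
            findings.append(("medium", f"service binary not in baseline: '{name}' -> {image}"))
    for f in sysdir_files:
        if f.upper() == DEFAULT_FILE:
            findings.append(("high", f"default BO2K server file present: {f}"))
        elif f.lower() not in files:
            findings.append(("low", f"unexpected file in system directory: {f}"))
    for proto, port in listening:
        if (proto, port) not in base_ports:
            findings.append(("medium", f"listener not in baseline: {proto}/{port}"))
    return sorted(findings, key=lambda item: SEVERITY[item[0]])


if __name__ == "__main__":
    for severity, text in check_host(SERVICES, SYSTEM_DIR_FILES, LISTENING):
        print(f"[{severity}] {text}")
```

The baseline comparison is what catches a renamed server or service; the default-name checks alone would miss the "Backup Agent" entry and the unexpected listener in the constructed snapshot.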

Christopher Klaus is the founder and chief technology officer of Internet Security Systems (ISS), Atlanta, Georgia. Its products are based on the Internet Scanner, which Klaus developed while a student at the Georgia Institute of Technology. ISS has announced that its Real Secure product is now capable of detecting the presence of BO2K. For more information on this subject, see the most recent ISS Windows Backdoor Update at http://xforce.iss.net/alerts/advise30.php3.

EXHIBIT 7 — The BO2K Server Response Window
EXHIBIT 8 — Server Commands

Command: Description

Simple
  Ping: Sends a packet to the server to determine if the machine is accessible
  Query: Returns the version number of the BO2K server
System
  Reboot Machine: Shuts down and reboots the machine
  Lock-up Machine: Freezes the remote machine and requires that it be rebooted
  List Passwords: Retrieves a list of users and their passwords
  Get System Info: Retrieves the machine name, current user, processor, operating system version (SP version), memory (physical and paged), and all fixed and remote drives
Key Logging
  Log Keystrokes: Logs keystrokes to a file; entry of a file name is required in order to store the output
  End Keystroke Log: Stops recording keystrokes to the specified file
  View Keystroke Log: Views a keystroke log file
  Delete Keystroke Log: Deletes a keystroke log file
GUI
  System Message Box: Displays a text box on the server that contains a specified title and text
TCP/IP
  Map Port → Other IP: Redirects the network traffic from a specified port on the server to another IP address and port
  Map Port → TCP File Receive: Receives a file from a specific port; the entry requires the indication of a specific port, as well as the path and filename
  List Mapped Ports: Lists all of the redirected ports and the relevant source and destination information
  Remove Mapped Port: Removes the specified redirected port
  TCP File Send: Connects to the specified port and sends a file; the entry requires the indication of a specific target IP address and port, as well as the path and filename
M$ Networking
  Add Share: Creates a new share on the remote machine; the entry requires the indication of a pathname and a sharename
  Remove Share: Removes a share; the entry requires the indication of the sharename
  List Shares: Lists all of the shares on the server machine
  List Shares On LAN: Lists the shares on the LAN
  Map Shared Device: Maps the shared device
  Unmap Shared Device: Removes the specified mapped shared device
  List Connections: Lists the network connections on the remote computer, both current and persistent
Process Control
  List Processes: Lists all of the processes that are running on the server; the entry requires the indication of the remote machine name
  Kill Process: Kills the specified process; the entry requires the indication of the process ID number, which can be obtained from the List Processes command
  Start Process: Starts a process on the server that is specified by the pathname and the arguments
Registry
  Create Key: Creates a key in the registry; the entry requires the indication of the full key path
  Set Value: Sets a value of a registry key; the full key path, the value name, and the value data must be specified
  Get Value: Displays the registry entry for the specified key path and value
  Delete Key: Deletes a registry key; the entry must specify the full key path
  Delete Value: Deletes a registry key for a specified key path and value
  Rename Key: Renames a registry key; the entry requires that both the current and new key name be specified
  Rename Value: Renames a registry value; the entry requires that both the current key path-value name and new key value be specified
  Enumerate Keys: Displays and counts all of the subkeys for the specified key path
  Enumerate Values: Lists the values of the specified registry key
Multimedia
  Capture Video Still: Captures a still video image from the specified device. The filename and device number of the image must be specified by the user and contain the image size (the width and height in pixels) as well as the BPP. If these dimensions are not indicated, a default of 640 × 480 pixels and 16 bpp is used
  Capture AVI: Captures an AVI (compressed video image) file from the specified device; the filename and device number of the image must be specified by the user and contain the image size (the width and height in pixels) as well as the BPP. If these dimensions are not indicated, a default of 640 × 480 pixels and 16 bpp is used
  Play WAV File: Plays the specified WAV file
  Play WAV File In Loop: Plays the specified WAV file repeatedly until stopped
  Stop WAV File: Stops a WAV file that is playing
  List Capture Devices: Shows the attached system devices that are capable of capturing video
  Capture Screen: Creates an image of the current screen; entry of the pathname for file output is required
File/Directory
  List Directory: Lists files and directories from the specified machine and the remote path
  Find File: Searches for a file on the server machine; the entry requires specification of the path and filename
  Delete File: Removes a file from the server’s drive
  View File: Allows the specified file to be viewed on the remote machine
  Move Or Rename File: Moves or renames a file; the entry must specify the pathname for both the old and the new file
  Copy File: Copies a file on the BO2K server; the entry must specify both the source and the target pathnames
  Make Directory: Makes a directory on the server; the entry requires that a pathname be designated
  Remove Directory: Removes the specified directory
  Set File Attributes: Sets the file attributes for the specified pathname (ARSHT)
  Receive File: Receives a file from a server; the entry requires BINDSTR, NET, ENC, AUTH and the pathname
  Send File: Sends a file to a machine; the entry requires IP, NET, ENC, AUTH, and the pathname
  List Transfers: Shows a list of the files that are being transferred
  Cancel Transfer: Cancels a transfer for the specified pathname
Compression
  Freeze File: Compresses files; the entry requires the pathname for the original and output files
  Melt File: Decompresses a file; the entry requires the pathname for the original and output files
DNS
  Resolve Hostname: Retrieves the FQDN and IP address of the specified machine
  Resolve Address: Retrieves the FQDN and IP address of the specified machine
Server Control
  Shutdown Server: Stops BO2K on the server; the user must type delete before sending the command
  Restart Server: Restarts BO2K after using the Shutdown Server command
  Load Plugin: Loads the specified plug-in
  Debug Plugin: Debugs the specified plug-in
  List Plugins: Lists the plug-ins that have been installed
  Remove Plugins: Removes the specified plug-in using its number, which is found through the preceding List Plugins command
