Backdoor Found

Impact

A backdoor is a program designed to hide itself on a target host. While backdoor programs differ in detail, they generally give whoever installed them access to the target system at a later time without going through normal authentication or exploiting a vulnerability again. The two most common backdoor programs are NetBus and Back Orifice.

Background

Back Orifice, developed by the underground hacker group The Cult of the Dead Cow, is a backdoor program designed for Windows 95/98. Upon installation, Back Orifice begins listening on a pre-specified UDP port (31337 by default). From that point, anyone who knows which port Back Orifice is listening on, and the Back Orifice password, may remotely control the target host. Back Orifice consists of two parts, a client and a server: the server is placed on the target system, while the client is used to control the remote host. The client may be either text-based or graphical. Using Back Orifice, malicious users may execute commands, list files, start and stop services, share directories, upload and download files, modify or delete registry entries, and kill programs running on the target system.

NetBus, another backdoor program, is functionally very similar to Back Orifice, but also lets a malicious user open and close the CD-ROM drive, pop up interactive dialogs to chat with the user of the compromised system, and listen to the target system's microphone (if one is installed). NetBus uses TCP for communications. Version 1 listens on ports 12345 and 12346 by default, while version 2 can use any port but defaults to 20034. Like Back Orifice, NetBus allows the installer to assign a password to the program. Unlike Back Orifice, NetBus will also run on Windows NT.

DRAT is a newer backdoor program. It changes the registry so that it is started every time a .bat or .exe file is executed. Once DRAT is installed on a system, any remote user who knows the port and the password (if one was set) can take control of the system using an ordinary telnet client. DRAT uses TCP for communications; it always listens for connections on port 48 and uses port 50 for file transfers.
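The three programs above announce themselves by the ports they listen on, so the first check on a suspect Windows host is the output of "netstat -an". The script below is an added example (not code from the original advisory, nor from any of these programs): it parses netstat output and flags every socket whose local port is one of the defaults listed above. The netstat sample embedded in it is constructed. A backdoor reconfigured to another port will not be found this way, so a hit is a lead to investigate rather than proof, and a clean run is not proof of absence. The socket state is kept on purpose: LISTENING means the backdoor is waiting, while ESTABLISHED on the same local port means a client is connected to it right now.

```python
"""Flag sockets on the default ports of Back Orifice, NetBus and DRAT in
"netstat -an" output.  Added example, not code from the original advisory.
The netstat text at the bottom is constructed.
"""
import re
from collections import namedtuple

# Default ports from the advisory.  An attacker who reconfigured the port
# will not be found by this table; treat a hit as a lead, not as proof.
BACKDOOR_PORTS = {
    ("udp", 31337): "Back Orifice (default UDP port)",
    ("tcp", 12345): "NetBus 1.x",
    ("tcp", 12346): "NetBus 1.x",
    ("tcp", 20034): "NetBus 2.x (default)",
    ("tcp", 48): "DRAT control port (telnet)",
    ("tcp", 50): "DRAT file transfer port",
}

Hit = namedtuple("Hit", "proto port local_addr state name")

# Matches the socket lines Windows netstat prints, e.g.
#   TCP    0.0.0.0:12345          0.0.0.0:0              LISTENING
#   UDP    0.0.0.0:31337          *:*
_SOCKET_LINE = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$", re.IGNORECASE)


def parse_netstat_line(line):
    """Return (proto, local_addr, local_port, state) or None for other lines."""
    m = _SOCKET_LINE.match(line)
    if not m:
        return None
    proto, addr, port, _remote, state = m.groups()
    return proto.lower(), addr, int(port), (state or "").upper()


def find_backdoor_ports(netstat_output):
    """Return a Hit for every socket whose local port is a known backdoor port.

    Only the local port is checked.  An outbound connection to port 12345 on
    another host is not reported here, although it would suggest that this
    machine is the one running the NetBus client.
    """
    hits = []
    for line in netstat_output.splitlines():
        parsed = parse_netstat_line(line)
        if parsed is None:
            continue
        proto, addr, port, state = parsed
        name = BACKDOOR_PORTS.get((proto, port))
        if name is not None:
            hits.append(Hit(proto, port, addr, state, name))
    return hits


# Constructed sample: a host running NetBus 1.x with a client connected,
# plus a Back Orifice server on its default port.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:12345          0.0.0.0:0              LISTENING
  TCP    0.0.0.0:12346          0.0.0.0:0              LISTENING
  TCP    10.0.0.5:12345         10.0.0.9:1041          ESTABLISHED
  TCP    10.0.0.5:1042          10.0.0.7:12345         ESTABLISHED
  UDP    0.0.0.0:137            *:*
  UDP    0.0.0.0:31337          *:*
"""

if __name__ == "__main__":
    for h in find_backdoor_ports(SAMPLE_NETSTAT):
        print(f"{h.proto.upper()} {h.local_addr}:{h.port} {h.state or '-'}  {h.name}")
```

On a real host, pipe the live output in instead of the sample, and follow up any hit by identifying the process that owns the socket before deciding it is one of these backdoors; a legitimate service could be configured on the same port.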

qaz.worm is a combination trojan, worm and backdoor. When it infects a machine, it installs itself as notepad.exe, renames the original Notepad program to note.com, and alters the registry so that it starts at boot. It runs a pair of server processes (and then proceeds to call the original Notepad program): one server process tries to spread the worm to other file shares, while the other acts as a minimal backdoor that lets someone upload and run files (for instance, to install a more functional backdoor). Details may be found in the virus libraries of McAfee or F-Secure.

There are many other backdoor programs besides the ones described above. Please see the X-Force Windows Backdoor Update for information about other backdoors.

The Problems

The problem with these programs is, of course, that remote or local users can take control of a target system (bad enough in itself) and then use the information found on that system to further compromise the network on which it resides. For instance, both Back Orifice and NetBus allow a malicious user to view the cached passwords on a target system, which are stored in clear text. These passwords may then be used in attempts to access other servers on the network. Both programs also come with keystroke loggers, which may be used for the same purpose. Obviously, a compromised machine on the network poses an enormous security risk to the entire network.

The full implications of these backdoor programs cannot be easily assessed. It is worth noting that Back Orifice has been downloaded over 200,000 times from the Cult of the Dead Cow's web site alone. Within a few months, literally millions of copies of these programs may be floating around the Internet: installed, configured and silently working. The release of Back Orifice and NetBus has ushered in a new era in hacking. Historically, hacking has been the province of those with enough knowledge and dedication to find and exploit vulnerabilities in particular operating systems and programs, a relatively small group of people to be sure. Now, using "turnkey" hacking programs such as Back Orifice and NetBus, anyone with an Internet connection and even the most basic understanding of computing can wreak havoc on target systems and networks. The chances that you will be a victim of such an exploit rise with each download.

Resolution

Good security practices, together with smart and safe web browsing, are usually the resolution to this vulnerability. Back Orifice and NetBus both have to be run on the target system to be installed; in other words, they cannot be installed remotely. Usually it is not the malicious user who runs the program but the user of the system: either backdoor may be bound to another executable so that, when that executable is run, the trojan horse runs in the background. These carriers come in many forms: software packages, the installation routines of software packages, attachments to animated email postcards and attachments to ordinary email messages, to name just a few of the delivery vehicles. Never install software or run programs that come from questionable or untrusted sources. This point cannot be made often enough, and will become even more relevant as these backdoor programs become more numerous and more harmful. With all of the threats out there, it is just not worth it.

The above paragraph deals mainly with threats from external users, but internal users may also decide to employ these programs. In such cases, defense involves limiting access to machines to those who are authorized to use them. Access and BIOS-level passwords may help, as may limiting physical access to machines. Sometimes, though, even the most thoughtful security procedures will not prevent a malicious user from infecting a system on the network. Fortunately, there are procedures for detecting and removing Back Orifice and NetBus once they have been installed; read ISS's Windows Backdoor Alert for detailed information on these detection and elimination procedures.

Note: several programs purporting to remove Back Orifice and NetBus carry trojan horse programs of their own. The best known of these fake "cleaners" is named bosniffer.exe; under no circumstances should it be run. If at all possible, removal should be done manually. If that is not feasible, stick with cleaner programs developed by known vendors such as McAfee or Norton.

DRAT is a little trickier to remove, because simply deleting the program will render all .bat and .exe files unusable: the registry still routes every attempt to run them through the deleted file. Fortunately, DRAT has a built-in self-removal mechanism, which you can use if it is not password protected. Otherwise the backdoor can still be removed, but the procedure is more involved; see the posting to the securityfocus incidents list for fix information.
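The check below is an added example, not code from the advisory, from DRAT or from the securityfocus posting. It assumes, as is standard for this hooking technique, that DRAT replaces the default value of HKEY_CLASSES_ROOT\exefile\shell\open\command and HKEY_CLASSES_ROOT\batfile\shell\open\command, whose stock value is "%1" %*. It tells a hijacked value from the stock one, extracts the program the hook runs first, and returns the value to put back before the program file is deleted, which is the order that keeps .exe and .bat files working. The sample values are constructed and the drat.exe path in them is hypothetical. Other software (some antivirus products, for example) also hooks these keys, so a hit must be confirmed by hand.

```python
"""Audit the shell "open" commands that DRAT hooks in order to start itself.

Added example, not code from the advisory or from DRAT.  It assumes the
backdoor hooks HKCR\\exefile\\shell\\open\\command and
HKCR\\batfile\\shell\\open\\command, whose stock default value is "%1" %*.
The sample values are constructed and the drat.exe path is hypothetical.
"""
import re

# Stock default value of ...\shell\open\command for exefile and batfile.
DEFAULT_OPEN_COMMAND = '"%1" %*'

FILE_TYPES = ("exefile", "batfile")


def command_is_hijacked(value):
    """True if the open command does anything but run the file itself."""
    return " ".join(value.split()) != DEFAULT_OPEN_COMMAND


def hooked_program(value):
    """Return the program a hijacked open command runs first, or None."""
    if not command_is_hijacked(value):
        return None
    # First token: either a quoted path (may contain spaces) or a bare one.
    m = re.match(r'\s*"([^"]+)"|\s*(\S+)', value)
    return (m.group(1) or m.group(2)) if m else None


def audit_open_commands(values):
    """values maps file type -> current open command.

    Returns (file_type, hooked_program, value_to_restore) for each hijacked
    type.  Restore the value first, then delete the hooked program; the
    other order leaves every .exe/.bat pointing at a file that no longer
    exists, which is exactly why deleting DRAT breaks the system.
    """
    findings = []
    for file_type in FILE_TYPES:
        value = values.get(file_type)
        if value is not None and command_is_hijacked(value):
            findings.append((file_type, hooked_program(value), DEFAULT_OPEN_COMMAND))
    return findings


def read_live_open_commands():
    """Windows only: read the real values from the registry with winreg."""
    import winreg  # not available (and not needed) on other platforms
    values = {}
    for file_type in FILE_TYPES:
        key_path = file_type + r"\shell\open\command"
        with winreg.OpenKey(winreg.HKEY_CLASSES_ROOT, key_path) as key:
            values[file_type], _type = winreg.QueryValueEx(key, "")
    return values


# Constructed sample: exefile hooked, batfile untouched.  The path is made up.
SAMPLE_VALUES = {
    "exefile": r'C:\WINDOWS\SYSTEM\drat.exe "%1" %*',
    "batfile": '"%1" %*',
}

if __name__ == "__main__":
    for file_type, program, restore in audit_open_commands(SAMPLE_VALUES):
        print(f"{file_type}: hooked by {program}; restore default value to {restore}")
```

On a Windows machine, replace SAMPLE_VALUES with read_live_open_commands(). Because deleting the hooked program before restoring the value leaves nothing able to launch regedit.exe or any other .exe, keep a copy of the hooked program until the value has been put back.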

Removal procedures for other backdoors can be found in the X-Force Windows Backdoor Update.

Where can I read more about this?

A good source of information on both Back Orifice and NetBus is the ISS Windows Backdoor Alert. CERT Vulnerability Note 98.07 is another good source of information on Back Orifice. There is also an informative article from PC World on Back Orifice and one from InfoWorld on NetBus.

Information on DRAT can be found in a posting to the securityfocus incidents mailing list.

Information on all other backdoors can be found in the X-Force Windows Backdoor Update.