Tool for attacking NT servers released this weekend: Is your network safe from the Cult of the Dead Cow?
They're baaaack! That bad-boy hacker group Cult of the Dead Cow will unleash another menace this Saturday. Last year the group authored the "Back Orifice" Trojan horse designed to help their pals take over your network.
At the Def Con conference, generally attended by hundreds of hackers and nearly as many cops, the Cult of the Dead Cow members will take the wraps off Back Orifice 2000.
An unkind cut at Microsoft's Back Office suite, Back Orifice 2000 lets hackers sneak into your network via your NT server as well as via your Windows 95 or 98 desktop (the only mode the first Back Orifice supported).
The original Back Orifice was bad enough. Once a hacker was able to sneak in (usually virtually rather than physically) and install Back Orifice on your desktop, he had complete remote control of that machine and its files, and from there a foothold on your network. It was also very hard to detect, because this Trojan horse was encrypted in a fairly artful manner.
The Cult of the Dead Cow says that the server-side upgrade in Back Orifice 2000 offers another way to commandeer a network: right through your NT server. (You can read their description of it at www.cultdeadcow.com. But don't believe everything you read. This is hacker software, not a remote administration tool you would want to run on your own network, regardless of what they say.)
Security experts familiar with the inner workings of the first Back Orifice say it is a dangerous program, and that the easiest way to install it is from a floppy disk onto which the Cult of the Dead Cow's application has been copied and somehow smuggled in.
Bob Olsen, vice president of marketing at security vendor Network-1 Security Solutions, says the original Back Orifice can also be dumped onto the network remotely by sending the victim an e-mail message using a hacker add-on built for Back Orifice called "saran wrap." This add-on installs Back Orifice onto the desktop using a .exe file attachment masquerading as something harmless, like a greeting.
The entire security industry will be watching for the shipment of Back Orifice 2000, which will be available for download at www.bo2k.com. Network-1 says it will ensure that its NT firewall can guard against it by detecting it and shutting down ports it tries to use. A slew of other vendors are sure to have something to say about guarding against Back Orifice 2000 as well.
Network-1's Olsen does fault Microsoft to some extent for the ease with which a Trojan horse such as Back Orifice can exploit NT.
"Windows is designed for maximum connectivity, which is the opposite of a security model," Olsen notes. "Microsoft should have a kernel-mode network-access service and intrusion detection in NT." Something like that would help prevent the maliciously inventive, such as the folks from the Cult of the Dead Cow, from finding their work so easy, Olsen says.
RELATED LINKS
Other recent articles by Messmer