Off-The-Shelf Hacking Utils
Srdjan (nozicas@sssitulsa.com)
Keywords: BO 2k, Back Orifice, Back Orifice 2000, 2000, y2k, 2k, hacking

Everybody in a (shirt-and-tie) corporate environment knows the stress that everyday system administration brings. Hardware failures, lost files, mishandled data and so on drive up antacid sales across the computerized world. Sometimes the end user is the single biggest source of problems: anything left in the open that a user can access will, by Murphy's Law, end up corrupted, deleted or misconfigured sooner or later. And that's all before 9:00am.

As if this wasn't enough, there is another problem: malicious hacking. Don't misunderstand me; I'm not a hacker-basher. I truly believe that any good system security officer was involved in some sort of hacking before, following the old strategy of learning the ways of a possible enemy. If you are building a wall around your fortress, you are definitely going to walk around it and think through the possible ways to breach it. Overall, a security implementation can only succeed if you plan for the weak points of your defenses. But hacking has ceased to be an exercise in gathering data and has turned into a full-blown war, in which large software companies downplayed the security problems in their systems and the hacker community taught them a valuable lesson. It's wrong to assume your data is secure; you have to be positive of it.

The proliferation of hacking utilities has made hacking easier. Nowadays a person can have very little knowledge of operating systems and computers in general and still be capable of breaching a low-security system. Everybody knows of cDc's Back Orifice. This utility started out as a simple but powerful remote administration/hacking tool. The new version, BO2K, is an extremely powerful, stealthy Trojan horse. It has potential for legitimate administrative use, and it is a very powerful hacking application. It was released last month, and I couldn't wait to test-drive it.
BO2K has an easy, wizard-driven configuration menu that helps you create a small (130k-200k) server file. The user specifies the protocol, authentication and encryption, and the wizard generates an .exe file ready for distribution. This file has to be executed on the target PC before access can be gained; once it is, the administrator gains full access to the server machine, being able to retrieve passwords, create and disconnect shares, reboot or shut down the host, perform any file transaction in the book, and so on. Within 5 minutes of downloading BO2K I was able to gain access to my server through an internet-connected laptop and post messages to users, get their passwords, kill their connections and remove their files. Just as the little cDc logo said, "Show Some Control": the whole network was sitting in my palm. And nobody could have known it. Or could they?

For every poison there is an antidote. NT out of the box is not able to detect this intrusion, and it would take some time to figure out manually what's going on. Several software houses offered a solution. NAI and Symantec decided to treat BO2K as a malicious application and didn't quite see it as a "legitimate remote admin tool". NAI released a new DAT update for their virus suite on 8/4/99, a little short of a month after the release of BO2K. This tool discovered my intrusion attempt on one networked workstation I used as a testbed. I thought I had disguised the BO2K server file as part of a service pack, but the message came right up. This is not to say that those guys from cDc or L0pht won't come up with a plugin or a revised, stealthier version, but for the time being a solution is available to prevent this type of intrusion. That makes BO2K seem like a remediable problem, but its open-source code and plugin development are going to remain a constant threat to systems security worldwide. Smart, knowledgeable hackers will still do their job, just as security admins will do theirs, but these new utilities and their countermeasures will definitely keep the "Weekend Warriors" out of your system.
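The antidote above is signature-based: the AV vendor had to ship a DAT update before the disguised server file was flagged, and a revised or repacked build would need another one. The check an administrator can run without waiting on a vendor is a file-integrity baseline: hash every executable in the directories you care about while the machine is known clean, then re-scan and diff. A server file dropped "as part of a service pack" shows up as a new or changed executable whatever it is named and whether or not anyone has a signature for it yet. The following is an added example written for this page, not code from the article, from cDc or from any AV product; the directory layout, file names and file contents are constructed for the demo.

```python
"""
Added example (not from the original article): a minimal file-integrity
baseline for catching a dropped Trojan server binary. Record a hash of every
watched executable while the system is known clean, re-scan later, and report
additions, removals and modifications. Everything under demo() is constructed.
"""
import hashlib
import os
import tempfile
from pathlib import Path

# Which file types count as "executable" for the baseline; adjust to taste.
EXEC_SUFFIXES = {".exe", ".dll", ".sys", ".com", ".scr"}


def hash_file(path: Path, chunk: int = 65536) -> str:
    """SHA-256 of a file, streamed so large binaries are not loaded whole."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map relative path -> (sha256, size) for every watched executable under root."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.suffix.lower() in EXEC_SUFFIXES:
                rel = str(p.relative_to(root)).replace(os.sep, "/")
                manifest[rel] = (hash_file(p), p.stat().st_size)
    return manifest


def diff_manifests(baseline: dict, current: dict) -> dict:
    """Classify changes between a known-clean baseline and a later scan."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(
        k for k in set(baseline) & set(current) if baseline[k][0] != current[k][0]
    )
    return {"added": added, "removed": removed, "modified": modified}


def demo() -> dict:
    """Constructed scenario: clean baseline, then a fake 'service pack' drops one
    new binary and replaces an existing one. Returns the diff report."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        sys32 = root / "WINNT" / "system32"
        sys32.mkdir(parents=True)
        # Constructed "known-clean" files; the .txt is deliberately not tracked.
        (sys32 / "kernel32.dll").write_bytes(b"MZ constructed clean kernel32 stub")
        (sys32 / "notepad.exe").write_bytes(b"MZ constructed clean notepad stub")
        (sys32 / "readme.txt").write_bytes(b"not an executable, not tracked")
        baseline = build_manifest(root)

        # Later: the "service pack" adds a server binary and overwrites notepad.
        (sys32 / "sp5update.exe").write_bytes(b"MZ constructed trojan server stub")
        (sys32 / "notepad.exe").write_bytes(b"MZ constructed notepad, now different")
        current = build_manifest(root)

        return diff_manifests(baseline, current)


if __name__ == "__main__":
    report = demo()
    for kind, paths in report.items():
        for p in paths:
            print(f"{kind.upper():9} {p}")
```

Two caveats a practitioner would add: the baseline is only worth anything if it was taken while the machine was actually clean and is stored somewhere the intruder cannot rewrite (a read-only medium or another host), and a Trojan server does not have to live in a system directory at all, so the scan should cover every location an ordinary user can write to, not just the paths shown here.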