M$ Insecurity
Back Orifice Creates A Stink For Microsoft
Dateline 0100 Hrs 21 September 1998

It was something that Microsoft could have done without - a hacker program that exploited the apparently weak security of Windows 95 and Windows 98. As if to add salt to the wound, the hackers claimed that they would release a version for Windows NT as soon as they got around to installing that OS.

Back Orifice, a play on the name of the Microsoft "BackOffice" suite, was released on August 3rd by the "Cult Of The Dead Cow" (cDc) hacker group. The group, one of the oldest hacker groups, released the program at DefCon VI, a hacker conference in the USA, and also posted the program on their website http://www.cultdeadcow.com

The program came as a nasty shock to Microsoft and to the millions of Windows 95 and 98 users - especially those connected to the internet. The system administrators of networks using Windows 95 on the workstations were not pleased either.

Created by cDc to illustrate what they consider lax security on Windows 95/98, it gives the attacker total control over the computer that Back Orifice is installed on. It is either one of the best tools for system administration of Windows 95/98 networks or one of the worst threats to Windows internet computing since the last threat to Windows internet computing.

According to Mikko Hypponen, Data Fellows Manager of Anti-Virus Research, "Back Orifice is a seriously advanced tool for wannabe hackers". He went on to say that it presented little that was new and pointed out that it was necessary for the program to be run before it does anything.

Opinion is polarised as people scramble to assign blame. Some critics of Microsoft claim that the threat is being played down by Microsoft. Others claim that Windows 95/98 offers only a very elementary level of security and is more a consumer product. The argument then runs on to state that if users want real security then they should upgrade to a stronger OS, the inference being that they should upgrade to NT. Naturally that irritates the first group.

According to the cDc, the program, when installed, will reveal all cached passwords, create shares hidden to the user and reveal the passwords of existing shares, start programs, shut down programs or upload and download files. It also makes itself mostly invisible in that it does not appear on the list of running programs accessed when CTRL+ALT+DEL is pressed the first time.

Once installed, it listens on a specified port (the default is 31337). It also has a fairly basic level of encryption. It is the basis for one of those "Oh Sh**!" moments that system administrators dread.

The program has been downloaded over 50000 times since it was posted on the cDc site and no doubt it has been distributed through IRC, websites and ftp sites. Additional programs that work with BO, allowing it to have an even lower profile, have also been posted. These programs, called Buttplugs by the cDc, allow the BO server to be integrated with other files. One program, ButtTrumpet, makes the affected computer e-mail its IP address to an e-mail address coded into it.

The effect of Back Orifice on Irish internet users is difficult to gauge. However, a sweep of Irish ISPs revealed some compromised PCs. These computers were connected to the internet and were completely vulnerable. The users were probably tricked into installing the Back Orifice program.

One of the more dangerous things about this is the ease with which people can be tricked into installing the program on their computers. A posting in a TInet newsgroup suggested that a patch for BO was available and gave the website for the file. It was the Back Orifice server, though it was renamed winsck32.ocx. The instructions were clear: it had to be copied to the windows\system directory and the install.reg file had to be run from Windows Explorer. Anyone installing that "patch" would have compromised the security of their computer.

The creators of antivirus programs were quick to react. Data Fellows (F-PROT) had an update for their program that would detect BO. In tests it succeeded every time. But some people were taking advantage of the situation to infiltrate BO on to the machines of the unwary.

A program called ToiletPaper was created as a detector and disinfector for BO. However, some people took advantage of this and began to pass out a modified version on Internet Relay Chat (IRC). It purported to cure the effects of the Back Orifice program and remove it from the user's system. But what was being passed out on IRC was not the ToiletPaper program - it was the Back Orifice server program combined with the ButtTrumpet program. The combined program was called remal.dll and was moved to the windows\system directory. The "remal" part should have been a clue - it is "lamer" in reverse.

The ButtTrumpet part of the program would e-mail the IP address of the compromised computer to a hotmail.com account. The individual who customised the BO server could then log in, get the e-mail and connect to the compromised computer. Fortunately, the implementation of the ButtTrumpet program was flawed. It tried to send an e-mail to a server that was not running a mailserver.

IRC seems to be somewhat notorious for the distribution of these programs. Apparently two other versions of the BO server embedded in another program were being distributed. Other methods of getting the program on to a user's computer include delivery as an e-mail attachment. However, all methods have one thing in common - the program has to be run in order for it to be installed. And the effects are visible if you know what to look for.

Characteristics And Removal

When the program carrying the BO server is run, it will do two things:

1. It installs a copy of the server in the \windows\system directory as either ".exe" or a name chosen by the cracker.

2. It creates a value in the registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices containing the BO server's file name, with a description field of "Default" or some seemingly plausible description chosen by the cracker.

Once the compromised computer is rebooted, the new registry settings take effect with the BO server listening on the assigned port.

Removing the program is generally a case of running the regedit.exe program and checking for suspect services installed in the RunServices key. The BO server program also has to be removed from the windows\system directory. In some cases, it is necessary to boot into DOS to remove the program.
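The manual check above (open regedit, look at RunServices, look for a server file in windows\system) can be done against a registry export instead, which is safer than editing live. The following is an added example, not code from the article or from any of the tools it names: it parses a REGEDIT4 export (the format produced by "regedit /e") and lists every RunServices entry whose command points into windows\system for an administrator to review. The sample export is constructed for the example; the entries in it are invented apart from the " .exe" and remal.dll names the article mentions.

```python
import re
from typing import Dict

# Constructed sample of a "regedit /e" export (REGEDIT4 format). It is not
# from a real machine: the RunServices key mixes an entry that looks like a
# normal Windows component with two pointing at odd files in windows\system.
SAMPLE_REG_EXPORT = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Default"="C:\\WINDOWS\\SYSTEM\\ .exe"
"remal"="C:\\WINDOWS\\SYSTEM\\remal.dll"
"ScheduleAgent"="mstask.exe"
"""

RUNSERVICES = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices"

# A REG_SZ line in a .reg export looks like  "name"="data"
VALUE_RE = re.compile(r'^"(?P<name>[^"]*)"="(?P<data>.*)"$')


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse a REGEDIT4 export into {key path: {value name: string data}}."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None:
            m = VALUE_RE.match(line)
            if m:
                # The export escapes each backslash in REG_SZ data as "\\".
                keys[current][m.group("name")] = m.group("data").replace("\\\\", "\\")
    return keys


def flag_runservices(text: str) -> Dict[str, str]:
    """Return the RunServices entries whose command runs a file from the
    windows\\system directory, where the article says the BO server is
    dropped. This only shortlists entries; the administrator decides."""
    entries = parse_reg_export(text).get(RUNSERVICES, {})
    return {name: data for name, data in entries.items()
            if re.search(r"\\windows\\system\\", data, re.IGNORECASE)}


if __name__ == "__main__":
    for name, data in flag_runservices(SAMPLE_REG_EXPORT).items():
        print(f'review RunServices value "{name}" -> {data}')
```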

Further details can be found in the ISS advisory. However, the best solution would be an antivirus program that can detect the BO server and remove it. F-Secure from Data Fellows (URL below) detects and disinfects a computer against BO.

Microsoft Reacts

Apart from the obvious mistakes (which were subsequently corrected) such as the release date of the program, Microsoft's press release on the subject does not inspire confidence, especially the part where it claims that "Microsoft takes security seriously". The part where it advises users to follow safe computing practices has a special irony when it appears that the Back Orifice program does not do anything that the Windows 95/98 operating system was not designed to do. Some experts consider that Windows 95/98 does not have any real security and that this was what the program was intended to highlight. Microsoft claimed that "BackOrifice does not expose or exploit any security issue with the Windows, Windows NT or the Microsoft BackOffice suite of products." Clearly they were not paying attention. BackOrifice does not have anything to do with the BackOffice suite of programs. Ever careful of its corporate market, the bulletin points out that the hacker program does not run on Windows NT.

In a section entitled "The Truth About 'Back Orifice'", Microsoft claims that the program does not demonstrate an inherent security vulnerability in the Windows platform. Yet according to Russ Cooper, the editor of NTBugtraq, a mailing list for the discussion of security exploits and bugs in NT, "Windows (95/98) has no security". He went on to say that it is not intended to be a secure operating system. With the release of Back Orifice this has become abundantly clear.

Resources

The ISS Security Advisory On BackOrifice:

F-Secure


© 1999 Hack Watch News
McCormac's Hack Watch News, Hack Watch News and Syndicated HackWatch are trademarks of Hack Watch News 
