
Back Orifice 2000 Trojan

In the document From the authors (Page 140-144)

Back Orifice 2000, otherwise known as BO2K, is possibly the most intrusive Trojan ever developed. A hacker group called “The Cult of the Dead Cow” developed this software as an open-source project. They claim that BO2K is a network administration tool, but that is more or less a screen to make it appear legitimate. If it were an admin tool, it would not need the multiple stealth features it has in order to evade detection. It would also inform the user before allowing an administrator to do anything so invasive as capturing a desktop screenshot.

BO2K consists of three separate modules that, together, take control of a victim computer:

The server is a small program that runs on a victim machine. The small exe file is about 112 kilobytes, which can grow depending on how many plug-ins are added to it. This small file is actually the server because once it is installed on a user machine, it sits waiting for the administrator to connect.

The configuration tool is used to customize the Trojan executable (Figure 3.9). It can be tailored in many ways, such as installing itself automatically in the system folder when it is first run, or changing the name of the server file to something else in order to hide it.

The graphical administration tool is used for monitoring and controlling a system.

The amazing thing about this program is how professionally it is packaged and how easy it is to use—you would almost think that Microsoft programmed it. It comes complete with an installation program, wizards for configuration, and the ability to add plug-ins. Open source really is an impressive concept. The unfortunate part of this is that people with limited knowledge of computers can wreak unlimited damage. Usually, there is some sort of correlation between computer knowledge and responsibility, but software such as this bypasses that completely.

Figure 3.9 Customizing a Server

All of BO2K’s functions are controlled from the GUI. The list of abilities is quite extensive—some could conceivably be used for remote user administration, but many of them are definitely there to cause a nuisance. There are over 70 individual commands available to the administrator of the server. Once a hacker has installed the small server file on a victim’s machine, he or she can do any of the following:

Reboot the victim machine.

Lock up the victim machine.

Grab all network passwords from the password buffer.

Get machine information such as processor speed, memory, and disk space.

Record all keystrokes the user types on the machine and view them at any time.

Display a system message box.

Redirect a system port to another IP address and port.

Add and remove shared resources in Microsoft networking.

Map and unmap resources to the network.

Start, kill, and list system processes. This includes shutting down any program the user has running.

Complete editing and viewing rights to the user Registry.

Play a selected wave file on the victim machine.

Perform a screen capture of the desktop.

List any video capture devices present, such as a digital camera. If one is present, the hacker can capture an avi movie from it, or a video still. This allows spying directly into the victim’s room.

Complete access to the user’s hard drive and complete editing rights.

Ability to shut down the server and have it remove itself from the system completely.

As you can appreciate, this gives hackers complete and absolute control over a victim machine. Once someone has installed the server on a machine, he or she will have more control over it than the owner does, to the extent that it’s really not the owner’s machine anymore. For example, one of the more innocent-looking features in the preceding list is the ability to redirect a port to another IP address and port. If someone were able to get BO2K onto a Web server machine, he or she could redirect all Web hits on that machine to another, perhaps more disreputable, site on the Internet. Once this was accomplished, anyone going to your Web site would be redirected to the other.

BO2K also allows plug-ins, developed by third parties, to be used on the server side, client side, or both. Many third parties have taken up the call and developed some ingenious, albeit lethal, plug-ins. The plug-in modules allow for even greater functionality from the server or client.

These include:

See the user’s desktop live through a small video stream.

When the user logs on, send an e-mail containing the user’s IP address to a selected e-mail address.

Encrypt all network traffic from BO2K, so administrators can’t detect it on their network.

Piggyback BO2K into a machine by binding it to an existing program.

Browse files in an explorer-like graphical user interface.

View and edit the Registry in a graphical user interface.

Clearly, this goes beyond user administration. So why did they make it? One member, who goes by the name of Sir Dystic, says he wanted to raise awareness of the vulnerabilities that exist within the Windows operating system. He believes the best way to do this is by pointing out its weaknesses. Of course, this is like trying to raise awareness about the dangers of nuclear weapons by building some and handing them out on the street!

In terms of defense, so far there have been no reports of BO2K being able to break through a firewall, and it is possible for a user to perform a check to see whether it is installed on his or her machine, and delete it.
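The one host-level fact the text gives a defender to work with is that, once installed, the server "sits waiting for the administrator to connect", that is, it opens a listening socket. The following script is an added example, not code from the book or from the BO2K project: it parses Windows `netstat -ano` style output and reports TCP listeners on ports that are not in an allow-list of services the machine is supposed to expose. The sample output and the allow-list are constructed for the example, and the port used for the unexpected listener is an arbitrary placeholder, not a real BO2K indicator.

```python
"""Baseline check for unexpected listening services (added example).

Parses Windows 'netstat -ano' style output and flags TCP sockets in
LISTENING state whose port is not on an allow-list. A remote-access
server that waits for its operator to connect has to listen somewhere,
so an unexplained listener is one of the simplest signals to look for.
"""
import re

# Constructed sample of `netstat -ano` output; not captured from a real host.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       812
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:54321          0.0.0.0:0              LISTENING       2240
  TCP    192.168.1.10:49672     192.168.1.20:443       ESTABLISHED     3100
  UDP    0.0.0.0:137            *:*                                    4
"""

# Ports this host is expected to expose (an assumption made for the example;
# a real baseline comes from the host's documented role).
EXPECTED_LISTEN_PORTS = {135, 139, 445, 3389}

# One socket line: proto, local, remote, optional state (UDP has none), pid.
LINE_RE = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+(?P<local>\S+)\s+(?P<remote>\S+)\s+"
    r"(?:(?P<state>[A-Z_]+)\s+)?(?P<pid>\d+)\s*$"
)


def parse_netstat(text):
    """Return one dict per socket line; header and blank lines are skipped."""
    sockets = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # rpartition keeps IPv6 literals such as [::]:135 intact.
        addr, _, port = m.group("local").rpartition(":")
        sockets.append({
            "proto": m.group("proto"),
            "addr": addr,
            "port": int(port),
            "state": m.group("state") or "",
            "pid": int(m.group("pid")),
        })
    return sockets


def unexpected_listeners(text, expected=EXPECTED_LISTEN_PORTS):
    """TCP sockets in LISTENING state on ports outside the allow-list."""
    return [
        s for s in parse_netstat(text)
        if s["proto"] == "TCP"
        and s["state"] == "LISTENING"
        and s["port"] not in expected
    ]


if __name__ == "__main__":
    for s in unexpected_listeners(SAMPLE_NETSTAT):
        print(f"unexpected listener {s['addr']}:{s['port']} (pid {s['pid']})")
```

Because the text also notes that the server file can be renamed and that plug-ins can encrypt its traffic, a port allow-list is only a first pass: each flagged PID still has to be traced to the executable that owns it and that file examined, and the check should be run against a baseline taken when the machine was known to be clean.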

Protecting Your System
