
Concern rises over Windows NT "Trojan horse"

As tomorrow's expected release of a new version of Back Orifice nears, a debate has sprung up over whether the so-called Trojan horse is malicious or a legitimate tool to secure computer networks.

As tomorrow's expected release of a new version of Back Orifice nears, a debate has sprung up over whether the so-called Trojan horse is a malicious virus or a legitimate tool to manage and secure computer networks.

The self-described hacker group Cult of the Dead Cow said this week that it will release Back Orifice 2000, which it calls an administration tool for NT networks, at the DefCon hacker convention in Las Vegas.

While concern is rising, some argue that Back Orifice 2000 is not as dangerous as it's made out to be.

"I believe Back Orifice could only be used as an attack if security on a computer were already completely compromised," wrote Laurence Brothers, a computer professional at a large telecommunications company. "Obviously, no site operator or system administrator would ever deliberately install a program which comes with such risks."

But Gordon Twilegar, director of security strategy at software giant Computer Associates, today repeated his assertions of yesterday that a new version of the controversial program is "irresponsible."

"It poses a true threat," said Twilegar, whose firm is preparing to release new software to counteract Back Orifice 2000.

The program, reportedly to include source code, is due to be released tomorrow afternoon at the Back Orifice 2000 Web site.

One million dollars and a monster truck

In a tongue-in-cheek posting on the BO2K site, Cult of the Dead Cow's Reid Fleming responded to a request from security software firm Internet Security Systems for an advance copy of the program:

"We had come to expect that the letter would contain an offer of money or other merchandise," the posting states. "Nevertheless, we are gladly willing to provide you with the software you desire if and only if you will, in exchange, grant us $1 million and a monster truck. This fee is not negotiable."

But Microsoft, whose Windows NT operating system is targeted by Cult of the Dead Cow, continues to call Back Orifice 2000 "a very malicious, destructive program."

James Kelley, a 22-year-old network engineer in Louisville, Kentucky, defended Back Orifice in an interview today, saying it exposes security holes in Windows NT that corporate users may not know about until it is too late.

"Let's say I'm a hacker and nobody tells you about a weakness...If I wanted to break into your company and steal secrets, you'd never know about it. [Back Orifice] makes you aware it can be done," said Kelley. "Microsoft wouldn't tell you that there would be a security weakness in your system. As long as nobody else knew, they wouldn't tell you. Back Orifice keeps them honest."

Kelley, who goes by the Internet name "Lucid Paradox," identifies himself as a former teen hacker who went straight after he got married.

The email debate about Back Orifice 2000 continues.

"A Trojan horse is a program that is made to look like it does one thing, when it in reality does another," Brian Knox, manager of information systems at Society for Neuroscience, wrote in an email today. "Back Orifice does exactly what it is advertised as doing. There is nothing deceitful about it."

The distinction between virus and Trojan horse is not merely technical, noted Rick Forno, a security expert and author of The Art of Information Warfare. A virus can replicate itself without a computer user being aware of it and has a life of its own.

Efforts to contact Cult of the Dead Cow members have so far not been successful, but Microsoft, its antivirus allies, and security firms like ISS are preparing for a potentially big day tomorrow.

Microsoft has posted a list of frequently asked questions about Back Orifice 2000 on its Web site and urges "safe computing practices" to avoid the Trojan horse. Those include not running software programs downloaded from the Internet or attached to email if they come from unknown or untrusted sources.

Microsoft also urges users to keep their antivirus software up to date. If the code is released tomorrow, makers of antivirus and intrusion detection software are expected to post patches quickly to block Back Orifice 2000.