Microsoft fears another release of Windows virus

Companies brace for Saturday's expected release of a new Trojan Horse program that could let hackers seize control of computer networks running Windows NT.

Microsoft and its antivirus allies are bracing themselves for Saturday's expected release of a new "Trojan horse" program that could let hackers seize control of computer networks running Windows NT.

The hacker group, Cult of the Dead Cow, issued statements earlier this week saying it will release Back Orifice 2000, a purported administration tool for NT networks, at the Def Con hacker convention in Las Vegas.

Computer security experts consider Back Orifice a Trojan horse because it claims to do something beneficial--help network administrators do their jobs--while in fact it serves the darker purpose of opening security holes.

"We view this as a very malicious, destructive program," said Microsoft's Jason Garms. Along with Microsoft engineers and dozens of antivirus researchers around the globe, Garms will be working through the weekend to respond to the anticipated release of Back Orifice 2000.

The new version of Back Orifice would mark at least the third major virus released this year, costing corporations and users billions of dollars in downtime or damaged systems. The problems indicate that those who write viruses are getting more sophisticated in both spreading them and making them tougher to counteract.

In March, the Melissa virus struck and quickly spread via email, overwhelming corporate mail servers at some companies. Last month, the Worm.ExploreZip virus also circulated via email, but it was more malicious, wiping out files on a user's hard drive.

Computer Associates estimates viruses have already cost companies $7 billion this year.

Back Orifice 2000, like last year's Back Orifice program, could open security holes for outsiders to potentially steal data or even take control of individual PCs on a network, according to security experts.

Last year's Back Orifice program targeted PCs running Windows 95 and Windows 98 and allowed hackers to remotely control a specific machine without being detected. A spokesman for CERT, or Computer Emergency Response Team, said today that he still receives several reports weekly of hackers scanning networks to find machines that run the original program.

CERT, which monitors network security threats and issues advisories on how to counter them, has not issued any warnings about Back Orifice. However, the organization, connected to Carnegie Mellon University, is known for taking a cautious approach, and often doesn't issue advisories until it can offer counter-measures.

Security experts are particularly concerned that Cult of the Dead Cow may release the program's source code, which would allow would-be hackers anywhere to modify the code to elude detection.

"It's a bigger deal this time than last year if they release the original source code," said Roger Thompson, a security expert at industry group ICSA, because then it is easier for malicious users to create variations.

"By providing the source code, they're giving the underground hackers a destructive recipe to attack computers globally," echoed Gordon Twilegar, director of security strategy at Computer Associates. He predicts "another wave of a new type of virus."

Cult of the Dead Cow was founded in late 1984 and claims that members have hacked into Pentagon computers and disrupted telecommunications on two continents by moving satellites. "But unlike other hacker groups you've undoubtedly read about, we've never been caught," boasts a missive from cDc's "Ministry of Propaganda" posted on its Web site.

The group's Web site seemingly taunts Microsoft by noting that the original Back Orifice did not run on Windows NT.

"Let's try this again," Cult of the Dead Cow states. "Show some control." The group claims it's trying to force Microsoft to beef up security in its products.

Microsoft is not taking the threat lightly this year and has tried, so far unsuccessfully, to obtain code for Back Orifice 2000 so it can begin countering it.

"This targets the users, not the technology [Windows NT]," Garms said. "It doesn't use a security vulnerability [in Microsoft's operating system]. It's released in ways to manipulate or trick users to install it on the system."

Microsoft has posted a list of frequently asked questions about Back Orifice 2000 on its Web site and urges "safe computing practices" to avoid the Trojan horse. These include not running software programs downloaded from the Internet or attached to email if they come from unknown sources.

Microsoft also urges users to keep their antivirus software up to date. If the code is released Saturday, makers of antivirus and intrusion-detection software are expected to post patches quickly to block Back Orifice 2000.