
Antidote offered for NT "Trojan horse"

Internet security firms quickly release patches for Back Orifice 2000, a "Trojan horse" program unleashed with great fanfare over the weekend at a hackers convention in Las Vegas.

Internet security firms have quickly released antidotes for Back Orifice 2000, a "Trojan horse" program unleashed with great fanfare over the weekend at a hackers convention in Las Vegas.

So far, Back Orifice is something of a "vaporvirus." Despite great hoopla over the weekend, it only emerged on the Net today at this site, and a handful of disks containing BO2K were passed out. Ironically, those disks were infected with the CIH virus.

The Web site appears to include source code for BO2K, which would make it easier for malicious hackers to create variants of Back Orifice 2000 that would be harder to detect. The source code could also be embedded in another application, such as a computer game.

Technically, Back Orifice 2000 is not a virus but a Trojan horse, a type of software that purports to do something useful but in fact opens up security holes in a user's system. Its defenders describe it as a remote administration tool for Windows NT networks, but once installed, it lets someone else control a desktop PC without the user's knowledge.

As anticipated, Cult of the Dead Cow distributed copies of BO2K, as it is dubbed, Saturday at the DefCon hacker conference.

That set off a scramble for a limited number of BO2K disks as attendees from Internet security firms tried to snare the code so they could write antivirus or intrusion-detection software to detect Back Orifice 2000, while others tried to grab it for other purposes.

As a result, most makers of antivirus or intrusion-detection systems have posted patches on their Web sites to deal with the software.

"This is all looking pretty good in terms of the availability of detection systems," said Jason Garms, Microsoft's lead product manager for Windows NT security. Cult of the Dead Cow has insisted it's releasing BO2K to force Microsoft to tighten security in its NT operating system, but Microsoft claims it's already secure.

"This is not a vulnerability in the Windows platform," Garms said. "It's an application that does bad things to you once you've installed it."

Back Orifice 2000 can be distributed by email, but recipients would have to click on an attached file before it could infect their machines. It also can spread as an attachment to software downloaded from the Internet. Security experts are warning users not to open suspicious file attachments or download software from untrusted or unknown sources.

But so far, there appear to be no reports of Back Orifice 2000 infecting any computers.

Internet Security Systems apparently was the first Net security firm to obtain a copy of the program, but the program has subsequently been spread among security firms in the interest of developing fixes quickly.

ISS has updated its RealSecure intrusion detection software to detect BO2K. Network Associates has done the same for its antivirus offerings and intends to make its CyberCop intrusion detection software detect the Trojan horse. CyberSafe also has added BO2K detection to its Centrax intrusion detection software.

Among other antivirus vendors, Symantec has posted directions on how to remove BO2K from a server and has a patch to its Norton AntiVirus software to detect BO2K. Data Fellows and Trend Micro have updated their files to detect BO2K, and Computer Associates has done the same for its commercial antivirus offering.

Both CA and Trend Micro have free versions on their Web sites for individual users to detect whether BO2K is on their machines.