Key points:
Although there are some standards to BO2K network traffic, everything
about the transport is variable, since the code can be mutated
extensively (which may break compatibility). A number of plugins and
mutations have been identified that do modify the transport. The
following is from Undernet Bonk's post to NTSEC (hosted by ISS):
> BT2K version 1.1- The Butt Trumpet 2000 plugin for BO2K. Once installed
> and started, this plugin sends you an email with the host's IP address.
> BOred version 0.1- The BOred plugin for BO2K. It is still in
> development, but will allow you to turn the BO'ed machine into not
> much more than a boring dumb terminal.
> Silk Rope 2K version 0.9-Silk Rope 2K! Bind your BO2K server to an
> existing program. Now features: a full graphical user interface for
> setup and a target date for infection.
> Speakeasy version 0.1 BETA-An IRC plugin that secretly logs into a
> predefined server and broadcasts the host's IP address.
> Silk Rope version 2.0-A packager that allows you to bind Back Orifice
> to most any existing program.
> Saran Wrap version 1.1-A packager that allows you to hide Back
> Orifice in an existing standard "Install Shield"-like installer.
> Butt Trumpet version 1.1-A plugin that sends you an email with the
> host's IP address, once installed.
> BO Peep version 1.0- This plugin gives you a streaming video
> (VidStream) of the machine's screen that the server is running on.
> It also provides remote keyboard and mouse accessibility.
> BO2K Server Sniper- This scanner has several loose signature
> definitions (which allows more room for false alarms, but also a
> greater chance of finding a BO2K server, should it exist on your
> system). It should detect the majority of future BO2K variants
> and plugins, as well as an ASPack or Petite compressed CDC BO2K
> server. It also includes a BO2K Server Analyzer.
> IDEA Encryption version 0.1- This internationally available plugin
> provides strong encryption using the IDEA algorithm. A highly
> recommended download for people outside of the U.S. or Canada.
> BO3DES version 1.0- Provides reliable, stream-sequenced UDP
> connections and reliable ICMP tunneling for BO2K traffic.
> CAST-256 Encryption version 2.0- This internationally available
> plugin provides strong encryption using the CAST-256 algorithm. The
> strongest encryption available for BO2K.
The preferred firewall security configuration against BO2K is not just
to close the known, standard BO2K ports (in other words not just to
react against the current BO2K specifically) but to close all ports that
are not carrying traffic that you have determined to be acceptable for
Internet exposure.
This issue was recently under consideration on the NTSEC list at
ISS.net. You may want to look at their archives. The archives for this
list, which you noted has reviewed this recently, are available through
a web interface at
http://lists.gnac.net
Happy hunting.
-Bayard Bell
"Tompkins, William A" wrote:
>
> Having been 'lurking' on this list for a while (and benefiting from it), I
> need some help from this list's archives (I think)... reference Back
> Orifice 2000
> I noted the earlier thread on BO2K, but didn't follow it closely. My boss
> wants a more detailed recommendation regarding BO2K.
> After reading the following recommendation in the SANS NT digest: "network
> administrators need to configure firewalls to detect Back Orifice traffic,
> to attempt to stop it at the border." . . . I went to my mailbox for the
> method to get into this list's archives. Unfortunately, in doing mailbox
> cleanup, I deleted the instructions for the "Firewalls List". Can someone
> forward the instructions to me?
> At this time we do not have "firewalls" and I need to determine what to do
> next (besides continuing to bemoan the absolute need for firewalls here).
>
> Regards,
>
> William Tompkins, CISSP, CRP
> Manager of Information Security
> Univ. of Tx Health Science Center at San Antonio
> 210-567-2308 (office)
> 512-589-6306 (cellular)
--
Bayard Bell
Local Support/MIS, Division of Campus Life, Emory University
Drawer DDD, 605 Asbury Circle, Atlanta, Georgia 30322
tel (404) 727-7157; fax (404) 727-0079
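The firewall advice in the post above (do not merely drop the known BO2K ports, drop everything you have not decided to expose), as an added example that is not part of the original post or any BO2K or firewall tool: a reactive "drop the stock BO2K ports" rule set beside a default-deny rule set, both run over a handful of constructed flows. The stock port numbers (TCP 54320, UDP 54321), the list of acceptable inbound services, the iptables rendering and every sample flow are assumptions made for the demonstration; the post names none of them.

```python
"""Added example, not from the post: a reactive "drop the known BO2K ports"
rule set beside a default-deny rule set, both run over constructed flows.
Assumed (the post states none of it): stock BO2K ports TCP 54320/UDP 54321,
the acceptable inbound services, and every sample flow."""
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Tuple

# A rule key is (protocol, destination port) for tcp/udp and
# (protocol, message type) for icmp.
RuleKey = Tuple[str, int]
Policy = Callable[["Flow"], str]


@dataclass(frozen=True)
class Flow:
    proto: str      # "tcp", "udp" or "icmp"
    selector: int   # destination port for tcp/udp, message type for icmp
    hostile: bool   # ground truth for the demo only; the firewall never sees it
    label: str

    @property
    def key(self) -> RuleKey:
        return (self.proto, self.selector)


# Assumed stock BO2K ports (the post only says "known, standard BO2K ports").
KNOWN_BO2K_PORTS: FrozenSet[RuleKey] = frozenset({("tcp", 54320), ("udp", 54321)})

# Assumed inbound traffic judged acceptable for Internet exposure.
ACCEPTABLE_INBOUND: FrozenSet[RuleKey] = frozenset({
    ("tcp", 25),    # SMTP to the mail relay
    ("tcp", 80),    # HTTP to the web server
    ("tcp", 443),   # HTTPS to the web server
    ("icmp", 3),    # destination unreachable, needed for path MTU discovery
})


def blocklist_policy(flow: Flow) -> str:
    """Reactive rule set: drop only the ports BO2K is known to use today."""
    return "DROP" if flow.key in KNOWN_BO2K_PORTS else "ACCEPT"


def default_deny_policy(flow: Flow) -> str:
    """Default-deny rule set: accept listed traffic, drop everything else."""
    return "ACCEPT" if flow.key in ACCEPTABLE_INBOUND else "DROP"


# Constructed sample flows: ordinary services, the stock server, and three
# transport mutations that the plugin list in the post makes possible.
SAMPLE_FLOWS: List[Flow] = [
    Flow("tcp", 80, False, "HTTP to the web server"),
    Flow("tcp", 25, False, "SMTP to the mail relay"),
    Flow("icmp", 3, False, "ICMP destination unreachable"),
    Flow("tcp", 54320, True, "BO2K stock TCP listener"),
    Flow("tcp", 8000, True, "BO2K rebuilt to listen on a nonstandard port"),
    Flow("udp", 12345, True, "BO2K stream-sequenced UDP (BO3DES) on a chosen port"),
    Flow("icmp", 8, True, "BO2K ICMP echo tunnel (BO3DES)"),
]


def evaluate(policy: Policy, flows: List[Flow]) -> Dict[str, str]:
    """Map each flow's label to the verdict the policy gives it."""
    return {f.label: policy(f) for f in flows}


def hostile_flows_accepted(policy: Policy, flows: List[Flow]) -> List[str]:
    """Hostile flows the policy lets through: the blocklist's blind spot."""
    return [f.label for f in flows if f.hostile and policy(f) == "ACCEPT"]


def legitimate_flows_dropped(policy: Policy, flows: List[Flow]) -> List[str]:
    """Legitimate flows the policy breaks: the cost of an incomplete allow list."""
    return [f.label for f in flows if not f.hostile and policy(f) == "DROP"]


def render_default_deny_iptables() -> List[str]:
    """The default-deny policy as iptables commands for an assumed host firewall
    (a border firewall would use FORWARD instead of INPUT)."""
    rules = ["iptables -P INPUT DROP",
             "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"]
    for proto, selector in sorted(ACCEPTABLE_INBOUND):
        if proto == "icmp":
            rules.append(f"iptables -A INPUT -p icmp --icmp-type {selector} -j ACCEPT")
        else:
            rules.append(f"iptables -A INPUT -p {proto} --dport {selector} -j ACCEPT")
    return rules


if __name__ == "__main__":
    for name, policy in (("blocklist", blocklist_policy),
                         ("default-deny", default_deny_policy)):
        print(f"== {name} ==")
        for label, verdict in evaluate(policy, SAMPLE_FLOWS).items():
            print(f"  {verdict:6} {label}")
        print("  hostile flows let through:", hostile_flows_accepted(policy, SAMPLE_FLOWS))
    print("\n".join(render_default_deny_iptables()))
```

Run as a script to see both verdict tables: the blocklist stops only the stock listener and passes the relocated port, the BO3DES UDP channel and the ICMP tunnel, while the default-deny set drops all four and still admits the listed services. Two caveats the simulation makes visible: if echo requests must be allowed, an ICMP tunnel carried in echo packets passes any port- or type-based filter, and a server rebuilt to listen on a port you do allow (say TCP 80) passes as well, so the firewall rule set has to be paired with the host-side detection the post's plugin list also mentions.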