Let me just flog this horse one more time...
No, we can't all agree that "bo2k's intentions aren't above board". Have
you ever used it or seen it used? It can do some very cool things that
the stock windoze applications can't. Want to securely transfer files
between windows machines? Want to remotely administer a windows machine?
How about remotely edit a registry? Want to list and kill processes
remotely? Want to do this with the stock OS?
Sorry! You need additional software to do this and many other things.
bo2k can do this and more for you--for FREE!
I don't see how you are able to claim that Back Orifice 2000 is not
legitimate software. The main reason given by posters to this list is
that "it installs itself secretly" or "it lacks an interactive
installation program". Well bo2k has an interactive installation program,
but it can be installed surreptitiously...but so can Microsoft's SMS and
Tivoli--are you also going to claim that those programs are not legitimate
because they can be installed in this manner? I can install VNC
surreptitiously too, but does that make this a "hacker" tool and not
useful, legitimate software? What about the fact that Microsoft designed
into the operating system the ability to hide programs from users? Does
this make Windows an evil hacker tool? There is a legitimate need for
this functionality--that's why it exists. You often want to hide running
software from users to keep them from diddling with it, or if you'd like
to stealthily monitor an employee suspected of fraud, etc. I wouldn't be
so quick to write off software because of this. What about other
packages, like winwhatwhere that are specifically designed to spy on
computer usage: http://www.winwhatwhere.com ? Are these "hacker" tools?
What about NetBUS? This is software that can do many of the same things
as bo2k, but is shareware developed by a company. The company has
threatened legal action against antivirus vendors for labeling the
software as hacker software and removing it from "infected" hosts.
Plus, I wouldn't be so quick to label a piece of software as a "hacker"
tool because it is popularly "bundled" with other software or used as a
payload in a trojan horse by miscreants. The only reason PC Anywhere
wasn't used instead of bo2k is bo2k IS FREE! That alone makes it more
popular. If VNC starts being used to remotely control machines by
"hackers", will it be off-limits too? That would be ridiculous.
I will reiterate: Back Orifice 2000 does NOT have a default port that it
runs on--unlike its predecessor Back Orifice. This is an install-time
configuration option.
-Jason
On Mon, 1 Nov 1999, Matt Doughty wrote:
> Date: Mon, 1 Nov 1999 12:34:59 +0900
> From: Matt Doughty <[EMAIL PROTECTED]>
> To: "Mullen, Patrick" <[EMAIL PROTECTED]>,
> "'Michael H. Warfield'" <[EMAIL PROTECTED]>,
> Elaine -HFB- Ashton <[EMAIL PROTECTED]>,
> Bill Lavalette -=- Operations NdrsNet NOC/CERT <[EMAIL PROTECTED]>,
> 'Jason Axley' <[EMAIL PROTECTED]>,
> "'[EMAIL PROTECTED]'" <[EMAIL PROTECTED]>
> Subject: Re: BO2k source code
>
> On Fri, Oct 29, 1999 at 01:12:09PM -0400, Michael H. Warfield wrote:
> >
> > The script kiddies are using Cellophane to marry BO* / Netbus and
> > tools like it to arbitrary games and goodies and leaving them laying
> > around like cybermines to be picked up by the unwary. I know of at least
> > one university where an administrator has reported that BO infestations
> > have become epidemic because of Cellophane wrapped games carrying BO
> > payloads. You can't even trust games and cards you've seen before.
> > One day it may be a 100K silly card. The next time you run into it,
> > you may find an 800K surprise wrapped under the hood and acting just
> > like the original (as far as you can see). BO is designed just for
> > this purpose (integration into other vectors of propagation).
> I think we all pretty much agree that the intentions of BO are far from
> above board. This is beginning to seem like beating a dead horse, but here
> goes.
> >
> > This is where the malicious nature of BO2K comes to the forefront.
> >
> > Most cracker tools can be put to legitimate use somewhere, somehow.
> > Many legitimate administrative tools can be abused to break into systems.
> > What sets them apart is how they were originally designed and for what
> > purpose. BO is designed to be stealthy. It installs itself, has no
> > "install wizard" announcing the installation, and no user prompts at
> > installation or startup, and no icons, and no start-up splash screens.
> > It's designed to install itself and start itself up quietly, without the
> > operator or administrator being aware of its installation or its existence
> > after installation. It goes to significant effort to not be detected
> > during routine operation (barring security scans, which are not routine
> > operation) above and beyond what a legitimate tool would be expected to do.
> >
> > That's one of the fundamental differences that these things
> > can be judged on (but by no means the only difference). Legitimate tools
> > announce their presence (hell - they're usually proud of announcing some
> > copyright or logo). Malicious tools try to hide their presence. What
> > use you CAN put the tool to is of less significance than the way they are
> > designed to work.
> Hmm.. we seem to be running into a wall here. Just because a certain group
> of us refuse to define BO as a trojan doesn't mean we believe it to
> be a completely benign product. Hell, I think we can all pretty much agree
> that it is used in a malicious manner in 99% of cases. The crux is the
> risk of muddying definitions.
> >
> > > Personally, I don't know what security term I would use
> > > on Back Orifice. It's not a trojan because its intent
> > > is clearly defined (except to the unsuspecting luser).
> > > Mayhaps it's simply a network administration tool for
> > > Windows which can be used for nefarious deeds.
> >
> > One could just as easily argue that it is a trojan because
> > it is masquerading as something that it's not and its true intent
> > is not what it appears to be. While its technical functionality may
> > appear to be clear, it's still a tool for compromising the security of
> > systems masquerading as a legitimate administration tool. Its intent is
> > to compromise the security of the systems that it has stealthily infected
> > (through other vectors of propagation) while appearing to be a tool that
> > an administrator might have legitimately installed. The masquerading is
> > not that it's masquerading as a different utility, it's that it's masquerading
> > as having a legitimate purpose on the systems under attack. That meets my
> > definition of a trojan. This is a trojan on the "social engineering"
> > level. Not replacing a program with something else, but making people
> > think that it's something honest when it's not.
>
> And making that argument is just as much of a stretch as those who would claim
> that BO is a harmless network administration tool.. Neither is true.. The fact
> is BO doesn't hide its functionality. Now, I'll say this again. BO is the
> payload in all those trojans you've mentioned above. The crucial issue here is
> that by standard definition a Trojan has to disguise its functionality. BO,
> no matter how stealthy, is out in the open about what it can do. It simply
> doesn't fit the definition of trojan by itself. There seems to be a certain
> feeling that if we somehow refuse to label BO as a trojan we are in effect
> labeling it as harmless. This is not the case, but muddying of definitions
> because of dislike of a certain product is not productive. The original question
> that started this whole thread was someone asking for information about
> BO the trojan for his report on Trojans. If he goes and writes that BO is a
> trojan he will be, by definition, wrong.
>
> Is BO a dangerous and often maliciously used tool? Yes.
> Is BO, by itself, a trojan by definition? No.
>
> Matt Doughty BOT Japan.
>
AT&T Wireless Services
IT Security
UNIX Security Operations Specialist
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]