Comments are below...
On Fri, 29 Oct 1999, Michael H. Warfield wrote:
> Date: Fri, 29 Oct 1999 13:12:09 -0400
> From: "Michael H. Warfield" <[EMAIL PROTECTED]>
> To: "Mullen, Patrick" <[EMAIL PROTECTED]>
> Cc: "'Michael H. Warfield'" <[EMAIL PROTECTED]>,
> Elaine -HFB- Ashton <[EMAIL PROTECTED]>,
> Bill Lavalette -=- Operations NdrsNet NOC/CERT <[EMAIL PROTECTED]>,
> 'Jason Axley' <[EMAIL PROTECTED]>,
> "'[EMAIL PROTECTED]'" <[EMAIL PROTECTED]>
> Subject: Re: BO2k source code
>
> On Thu, Oct 28, 1999 at 03:48:53PM -0400, Mullen, Patrick wrote:
> > > It may or may not be a "trojan horse", but it is definitely a
> > > trojan. (The Trojans hid in the horse, remember.) The thing gets
> > > wrapped up with games and utilities and worms and other nasties which
> > > allow it to be propagated to unsuspecting chumps who are stupid enough
> > > to run active content they receive in the mail or off of insecure web
> > > sites.
>
>
> > Didn't you just prove yourself wrong? Back Orifice is not
> > wrapped in any game or utility or anything other than
> > social engineering. There may be versions out which are
> > trojans where someone tacked it onto the end of another
> > program, but in its original form all it (BO, anyway) does
> > is delete the executable after installation.
>
> So?
>
> The script kiddies are using Cellophane to marry BO* / Netbus and
> tools like it to arbitrary games and goodies and leaving them lying
> around like cybermines to be picked up by the unwary. I know of at least
> one university where an administrator has reported that BO infestations
> have become epidemic because of Cellophane wrapped games carrying BO
> payloads. You can't even trust games and cards you've seen before.
> One day it may be a 100K silly card. The next time you run into it,
> you may find an 800K surprise wrapped under the hood and acting just
> like the original (as far as you can see). BO is designed just for
> this purpose (integration into other vectors of propagation).
How the tool is used by people of questionable morals should not reflect
on the "goodness" or "badness" of the tool itself; they are separate and
unrelated. For example, if hackers started using Tivoli as this payload, which
has the same features of:
1) not having any icons
2) not having a splash screen
3) not having an install wizard (bo2k does have an install wizard, but
when repackaged, can be installed without it)
4) no user prompts at startup or any time
then by your definition, this is "malicious software". You've just
labelled a lot of software as malicious because they are
"designed to be stealthy". This is a useful feature, although bo2k is not
'designed to be stealthy' any more than VNC is designed to be stealthy or
Tivoli is. If you believe that bo2k is malicious for these reasons, then
to be consistent, you _must_ also believe any other program that has the
same "features" to also be malicious. As you can see, this is ridiculous
logic as many helpful software packages have the same feature sets.
>
> This is where the malicious nature of BO2K comes to the forefront.
>
> Most cracker tools can be put to legitimate use somewhere, somehow.
> Many legitimate administrative tools can be abused to break into systems.
> What sets them apart is how they were originally designed and for what
> purpose. BO is designed to be stealthy. It installs itself, has no
> "install wizard" announcing the installation, and no user prompts at
> installation or startup, and no icons, and no start-up splash screens.
> It's designed to install itself and start itself up quietly, without the
> operator or administrator being aware of its installation or its existence
> after installation. It goes to significant effort to not be detected
> during routine operation (barring security scans which are not routine
> operation) above and beyond what a legitimate tool would be expected to do.
This is pure FUD "[bo2k] goes to significant effort to not be detected".
bo2k installs entries in the registry and installs its binary with a
standard name and location on the filesystem. Virus scanners can easily
detect it on the system because, contrary to your completely false
assertions, bo2k does _NOT_ go to any significant lengths to not be
detected. Again, Microsoft's SMS and other tools do the same things. By
your logic, they must be labelled as not legitimate software. Again, my
previous message stated how legitimate software would want to hide its
existence: on a PC where users will screw with anything (especially since
the OS provides no protection from them doing so) that is running,
hiding its existence is a great feature. Also, if you needed to monitor
an employee or consultant you suspected of wrongdoing, having a tool run
without them knowing is a Good Thing(tm). Now, I don't believe your
argument:
If "any program hides existence" then "said program is malicious and not
legitimate software"
holds any water based on this information.
>
> That's one of the fundamental differences that these things
> can be judged on (but, by no means the only difference). Legitimate tools
> announce their presence (hell - they're usually proud of announcing some
> copyright or logo). Malicious tools try to hide their presence. What
> use you CAN put the tool to is of less significance than the way they are
> designed to work.
This is too simplistic an argument that does not consider the alternative
situations above where hiding a program's existence is a Good Thing(tm).
Therefore, you cannot jump to the conclusion that a tool is "bad" because
of this feature alone. If you still think this, then you must also apply
this to every other software package that does this (WinWhatWhere, etc.,
etc., see previous emails and paragraphs...)
>
> > Personally, I don't know what security term I would use
> > on Back Orifice. It's not a trojan because its intent
> > is clearly defined (except to the unsuspecting luser).
> > Mayhaps it's simply a network administration tool for
> > Windows which can be used for nefarious deeds.
>
> One could just as easily argue that it is a trojan because
> it is masquerading as something that it's not and its true intent
> is not what it appears to be. While its technical functionality may
> appear to be clear, it's still a tool for compromising the security of
> systems masquerading as a legitimate administration tool. Its intent is
> to compromise the security of the systems that it has stealthily infected
> (through other vectors of propagation) while appearing to be a tool that
> an administrator might have legitimately installed. The masquerading is
> not that it's masquerading as a different utility, it's that it's masquerading
> as having a legitimate purpose on the systems under attack. That meets my
> definition of a trojan. This is a trojan on the "social engineering"
> level. Not replacing a program with something else but making people
> think that it's something honest when it's not.
This statement is simply not true: "[bo2k is] masquerading as having a
legitimate purpose on the systems under attack". You are claiming that
bo2k is installed knowingly by system owners for use as an administrative
tool, and then is being used by attackers, as if attackers are trying to
get people to think bo2k is legitimate so that they can then have a
backdoor into every system with bo2k on it. This is entirely false! The
source code for bo2k is freely available so one can verify for certain
that bo2k does not _contain_ a backdoor. You are claiming that it is a
backdoor, in and of itself. This is not true. It can be _used_ as a
backdoor, but so can a rogue ssh or telnet daemon.
>
> > I'm just glad no one has said "It's not a trojan, it's
> > a virus!!" ;-)
>
> No, but it is being loaded as the toxic payload of virii and
> trojans are being created by combining other games and executables with
> BO2K under a Cellophane wrapper. All these copies of BO2K that are
> cropping up are not some cheerful inDUHvidual thinking "I'm just
> installing this neat tool for myself".
I wouldn't claim that "all" copies of bo2k are installed for legitimate
use. However, you can't make the claim that the tool itself is "bad"
because it is used for non-legitimate uses in those circumstances. Your
argument distilled is:
If "tool X is used by bad people for bad purposes" then
"tool X is bad"
This is a fallacious argument. If this argument held, anything that was
used by bad people for bad purposes could be made bad (e.g. candlesticks
are all bad because Jack used a candlestick to kill his wife).
>
> > ~Patrick
>
> Mike
> --
> Michael H. Warfield | (770) 985-6132 | [EMAIL PROTECTED]
> (The Mad Wizard) | (770) 331-2437 | http://www.wittsend.com/mhw/
> NIC whois: MHW9 | An optimist believes we live in the best of all
> PGP Key: 0xDF1DD471 | possible worlds. A pessimist is sure of it!
AT&T Wireless Services
IT Security
UNIX Security Operations Specialist