BackOrifice is a remote administration tool for Microsoft Windows and, as Bruce Schneier, chief technology officer at San Jose-based managed security services firm Counterpane Internet Security Inc. (http://www.counterpane.com), points out, "one of the coolest hacking tools ever developed."
Computerworld reporter Ann Harrison spoke with him recently about the tool, which he insists has gotten an undeservedly bad reputation.
Back Orifice 2000 (BO2K) is free, open source and available at http://www.bo2k.com.
Q: How does BO2K work?
A: There are two parts: a client and a server. The server is installed on the target machine. The client, residing on another machine anywhere on the Internet, can now take control of the server.
This is actually a legitimate requirement. Perfectly respectable programs, like pcAnywhere or Microsoft [Corp.'s] Systems Management Server [SMS], do the same thing. They allow a network administrator to remotely troubleshoot a computer. If the server is installed on a computer without the knowledge or consent of its owner, the client can effectively "own" the victim's PC.
Q: Why has BO2K acquired a reputation as only a hacker's tool?
A: Back Orifice's difference is primarily marketing spin. Since it was written by hackers, it is evil.
That's wrong; pcAnywhere is just as much an evil hacking tool as Back Orifice.
Not only can the client perform normal administration functions on the server's computer -- upload and download files, delete files, run programs, change configurations, take control of the keyboard and mouse, see whatever is on the server's screen -- but it can also do more subversive things: reboot the computer, display arbitrary dialog boxes, turn the microphone or camera on and off, capture keystrokes and passwords [Technology, Sept. 20]. And there is an extensible plug-in language for others to write modules.
Q: How does BO2K run in stealth mode?
A: Unless the server's owner is knowledgeable (and suspicious), he will never know that Back Orifice is running on his computer.
Other remote administration tools, even SMS, also have stealth modes. Back Orifice is just better at it.
Because Back Orifice is configurable, because it can be downloaded in source form and then recompiled to look different ... I doubt that all variants will ever be discovered.
BO2K's slogan is "show some control," and many will take that imperative seriously. Back Orifice will be used by lots of unethical people to do all sorts of unethical things. And that's not good.
Q: Back Orifice can't do anything until the server portion is installed on some victim's computer, right?
A: Yes. This means that the victim has to commit a security faux pas before anything else can happen. Not that this is very hard -- lots of people network their computers to the Internet without adequate protection.
Still, if the victim is sufficiently vigilant, he can never be attacked by Back Orifice.
Q: What about Microsoft?
A: One of the reasons Back Orifice is so nasty is that Microsoft doesn't design its operating systems to be secure. It never has.
In Unix, an attacker would first have to get root privileges. Not in Windows. There's no such thing as limited privileges or administrator privileges or root privileges. This might have made some sense in the age of isolated desktop computers. But on the Internet, this is absurd.
There are provisions to make Windows NT a very secure operating system, such as privilege levels in separate user accounts, file permissions and kernel object access control lists.
You have to make 300-plus security checks and modifications to Windows NT to make it secure. Microsoft refuses to ship the [operating system] in that condition.
Malicious remote administration tools are a major security risk. What Back Orifice has done is made mainstream computer users aware of the danger. There are certainly other similar tools in thehacker world -- one, called BackDoor-G, has recently been discovered -- some developed with much more sinister purposes in mind.
Microsoft responds to security threats only if they are demonstrated. Explain the threat in an academic paper and Microsoft denies it; release a hacking tool like Back Orifice and suddenly they take the vulnerability seriously.