
18.4 Back Orifice 2000

URL: www.bo2k.com

Client OS: Windows 98/NT/2000

Target OS: Windows 98/NT/2000

Description: BO2K is also called a remote administration tool by its developer, DilDog of the Cult of the Dead Cow; however, it is a powerful tool that has developed a reputation as a hacker tool. This modification of the original Back Orifice program works on Windows 98/NT/2000 as well as Windows 95. We do not install BO2K during penetration testing, mainly because of its reputation. However, we make use of any BO2K servers we come across to gain unauthorized access to target hosts.

BO2K also features a client–server architecture in which the server resides on the controlled machine and the client on the controlling machine. Both the server and client are packaged together and available for download from the Web site, www.bo2k.com. Documentation and installation instructions are also available from this site.

Use: BO2K can be installed remotely once it is loaded onto the target host. One of the popular ways to get the BO2K server onto the target machine is to hide it within an e-mail attachment. Once the user opens the attachment, the BO2K source code can quietly load itself onto the hard drive. For example, we could use a wrapping program such as eLiTeWrap (available at packetstormsecurity.org) to wrap BO2K into an executable greeting card, hmk.exe. When run, eLiTeWrap will look like the following on the screen.

eLiTeWrap 1.03 - (C) Tom "eLiTe" McIntyre
tom@dundeecake.demon.co.uk
http://www.dundeecake.demon.co.uk/elitewrap
Stub size: 7712 bytes
Enter name of output file: trojan.exe
Operations:
   1 - Pack only
   2 - Pack and execute, visible, asynchronously
   3 - Pack and execute, hidden, asynchronously
   4 - Pack and execute, visible, synchronously
   5 - Pack and execute, hidden, synchronously
   6 - Execute only,  visible, asynchronously
   7 - Execute only,  hidden, asynchronously
   8 - Execute only,  visible, synchronously
   9 - Execute only,  hidden, synchronously
Enter package file #1: hmk.exe
Enter operation: 2
Enter command line:
Enter package file #2: bo2k.exe
Enter operation: 3
Enter command line:
Enter package file #3:
All done :)

In this example, eLiTeWrap creates an executable called trojan.exe. When the user executes trojan.exe, hmk.exe opens visibly while bo2k.exe installs hidden. The victim sees only the greeting card, while BO2K installs in the background and is ready to accept connections.
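The wrapped file described above is, at the byte level, a carrier stub followed by two complete programs. A defender can use that layout as a detection heuristic: a legitimate executable has one PE image, while a wrapped one carries additional 'MZ'/'PE\0\0' headers after the first. The following Python is an added example, not code from the book or from any of the tools it names; the file layout it scans is constructed in-line with fake headers (not loadable binaries), and the `find_pe_images` and `classify` names are the example's own.

```python
"""Heuristic detector for 'wrapped' executables: a carrier program with
further PE images appended to it. Added example; the sample bytes are
constructed stand-ins, not real programs."""
import struct

MZ = b"MZ"
PE_SIG = b"PE\0\0"


def find_pe_images(data: bytes) -> list:
    """Return the offset of every plausible PE image inside data.

    A hit needs an 'MZ' DOS header whose e_lfanew field (at +0x3C) points
    at a 'PE\\0\\0' signature inside the buffer, so a bare 'MZ' that merely
    occurs in string or code bytes is rejected."""
    hits = []
    pos = data.find(MZ)
    while pos != -1:
        if pos + 0x40 <= len(data):
            e_lfanew = struct.unpack_from("<I", data, pos + 0x3C)[0]
            pe_off = pos + e_lfanew
            if 0x40 <= e_lfanew < len(data) and data[pe_off:pe_off + 4] == PE_SIG:
                hits.append(pos)
        pos = data.find(MZ, pos + 1)
    return hits


def classify(data: bytes) -> str:
    """Human-readable verdict for one file's bytes."""
    images = find_pe_images(data)
    if not images:
        return "not a PE file"
    if len(images) == 1:
        return "single PE image"
    return "suspicious: %d additional PE image(s) embedded at %s" % (
        len(images) - 1, ", ".join(hex(o) for o in images[1:]))


def fake_pe(body: bytes) -> bytes:
    """Constructed stand-in for a PE file: DOS header with e_lfanew -> 0x40,
    the PE signature, then arbitrary body bytes. Not a loadable binary."""
    hdr = bytearray(0x40)
    hdr[0:2] = MZ
    struct.pack_into("<I", hdr, 0x3C, 0x40)
    return bytes(hdr) + PE_SIG + body


# Constructed sample: a carrier stub with two programs appended, mirroring
# the "visible greeting card + hidden second program" layout in the text.
# The stub body deliberately contains a stray "MZ" to show it is ignored.
STUB = fake_pe(b"carrier stub; the text MZ here is not a header" + b"\0" * 40)
CARD = fake_pe(b"greeting card program" + b"\0" * 64)
HIDDEN = fake_pe(b"second, hidden program" + b"\0" * 64)
BUNDLE = STUB + CARD + HIDDEN

if __name__ == "__main__":
    print(classify(CARD))
    print(classify(BUNDLE))
```

The check is deliberately conservative: it validates the e_lfanew pointer rather than trusting every 'MZ', so ordinary strings do not trip it, but a wrapper that compresses or encrypts its payloads would defeat it and needs a signature-based scanner instead, as the text notes later.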

Among BO2K's capabilities are rebooting the controlled machine, editing its registry, locking the keyboard and mouse, performing keystroke capture, file browsing, editing, and transferring, as well as the ability to stop and start services from the process list. All this can be done while the server is running in the background.

In addition, BO2K is highly extensible and features a collection of plug-ins that can enhance its capabilities. These are available from the BO2K site and several others throughout the Internet, including www.netninja.com/bo/.

There are several plug-ins that encrypt BO2K traffic with algorithms such as Blowfish, CAST, IDEA, and others. The Silk Rope 2K plug-in is used to create executables infected with BO2K. Often, these executables are then sent to target users as e-mail attachments in the hopes that the unsuspecting receiver will execute them and install BO2K. Christmas and holiday greetings are commonly used to hide BO2K from unsuspecting users.

The BO Peep plug-in is distributed with BO2K. BO Peep provides keyboard and mouse control capabilities along with streaming video of the infected machine's screen. The most popular plug-in is Butt Trumpet 2000, which will send e-mail to a predetermined SMTP server and e-mail address(es) containing the IP address of the infected host.
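A plug-in that mails the infected host's IP address to an outside SMTP server leaves a network footprint: a workstation opening TCP port 25 to something other than the organisation's own mail relay. The following Python is an added example, not code from the book or from BO2K; the firewall log format, the addresses and the allowed-relay list are all constructed for the example, and `find_rogue_smtp` is its own name.

```python
"""Flag workstations that open SMTP connections to anything other than the
organisation's own mail relays. Added example; the log format and every
address below are constructed."""
import re
from collections import defaultdict

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<action>ACCEPT|DROP) TCP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+) -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+)$")

SMTP_PORT = 25
# Constructed: the only internal host that is supposed to speak SMTP.
ALLOWED_RELAYS = {"10.1.0.5"}


def parse_line(line: str):
    """Parse one constructed firewall record; return None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def find_rogue_smtp(lines, allowed_relays=ALLOWED_RELAYS) -> dict:
    """Return {source: sorted destinations} for every source that reached
    (or tried to reach; DROP records count) port 25 on a non-relay host.
    Traffic from the relay itself to outside MX hosts is legitimate."""
    rogue = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["dport"] != SMTP_PORT:
            continue
        if rec["dst"] in allowed_relays or rec["src"] in allowed_relays:
            continue
        rogue[rec["src"]].add(rec["dst"])
    return {src: sorted(dsts) for src, dsts in rogue.items()}


# Constructed sample: one normal user, the relay doing its job, and one
# workstation talking SMTP directly to two outside hosts.
SAMPLE_LOG = """\
2001-03-12 09:14:02 ACCEPT TCP 10.1.4.22:1043 -> 10.1.0.5:25
2001-03-12 09:14:05 ACCEPT TCP 10.1.0.5:3392 -> 198.51.100.20:25
2001-03-12 09:15:41 ACCEPT TCP 10.1.4.31:1071 -> 203.0.113.9:25
2001-03-12 09:15:42 ACCEPT TCP 10.1.4.31:1072 -> 203.0.113.9:80
2001-03-12 09:16:10 DROP TCP 10.1.4.31:1073 -> 203.0.113.9:25
this line is not a connection record
2001-03-12 09:17:00 ACCEPT TCP 10.1.4.31:1074 -> 198.51.100.77:25
""".splitlines()

if __name__ == "__main__":
    for src, dsts in find_rogue_smtp(SAMPLE_LOG).items():
        print("%s spoke SMTP directly to: %s" % (src, ", ".join(dsts)))
```

Blocked attempts are reported as well as accepted ones, because a host that keeps trying to reach port 25 after the firewall refuses it is exactly the behaviour a notification plug-in would show; the report is a lead for the virus scan described below, not proof of infection on its own.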

Back Orifice 2000 is a powerful tool that can be used to cause significant damage to the infected machine. Use this tool with the appropriate caution and care. To combat BO2K, several virus vendors have developed signatures to identify and remove the tool. If a box is suspected of being infected with BO2K, it is very wise to scan the box with a virus scanner that is configured to identify and remove BO2K.
