This Site will attempt to keep up with new inovations and updates of current computer virus information.
Back Orifice - According to Wired (1998-Nov-17), 79% of Australian ISP's are "infected" with Back Orifice.
Note: ISP's usually have high-level security, firewalls etc..
The statistics for the "masses" are possibly higher than 79% because of lack of security precautions, unawareness of current security situations, and ignorance.
Even if you are security conscious, the chances of being infected or already are, is high for domestic Net users.
Back Orifice 2000 (new version) (BO2K) module arrived in July.
This Trojan and its many variants will be a growing and unpredictable menace as well as other means of intrusions. Each new strain of trojan makes anti-virus tools obsolete as soon as they are released.
Here are the specifications and operating instructions for (old ver) what Back Orifice is capable of:
Back Orifice - Remote Administration System
Back Orifice is a client/server application which allows the client software to monitor, administer, and perform other network and multimedia actions on the machine running the server.
To communicate with the server, either the text based or GUI client can be run on any Microsoft Windows machine. The server currently only runs in Windows 95/98. New version for Unix has been released.
To install the server the server simply needs to be executed. When the server executable is run, it installs itself and then deletes itself.
This is useful for network environments where the server can be installed on a machine simply by copying the server executable into the Startup directory, where it will be installed, then removed. Once the server is installed on a machine, it will be started every time the machine boots.
To upgrade a running copy of Back Orifice remotely, simply upload the new version of the server to the remote host, and use the Process spawn command to execute
it. When run, the server will automatically kill any programs running as the file it intends to install itself as, install itself over the old version, run itself from its installed position, and delete the updated exe you just ran.
Before installation, several aspects of the server can be configured. The filename
that Back Orifice installs itself as, the port the server listens on, and the
password used for encryption can all be configured using the boconf.exe utility.
If the server is not configured, it defaults to listening on port 31337, using no password for encryption (packets are still encrypted), and installing itself as " .exe" (space dot exe).
The client communicates to the server via encrypted UDP packets. For successful communication, the client needs to send to the same port the server is listening on, and the client password must match the encryption password server was configured with.
The port the client sends its packets from can be set using the -p option with both the GUI and text clients. If packets are being filtered or a firewall is in place, it may be necessary to send from a specific port that will not be filtered or blocked. Since UDP communication is connectionless, the packets might be blocked either on their way to the server or the return packets might be blocked on their way back to the client.
Actions are performed on the server by sending commands from the client to a specific IP address. If the server machine is not on a static address, it can be located by using the sweep or sweeplist commands from the text client, or from the GUI client using the "Ping..." dialog or by putting a target IP of "1.2.3.*". If sweeping a list of subnets, when a server machine responds the
client will look in the same directory as subnet list and will display the first line of the first file it finds with the filename of the subnet.
The commands currently implemented in Back Orifice are listed below. Some of the command names differ between the GUI and text clients, but the syntax is the same for almost all commands. More information for any of the commands can be displayed in the text client by typing 'help command'.
The GUI sets the label of the two parameter fields to a description of the arguments each command accepts when that command is selected from the 'Command' list.
If a piece of required information was not supplied with the command, the error 'Missing data' will be returned by the server.
The Back Orifice commands are:
App add/appadd - Spawn a text based application on a TCP port. This allows you control a text or dos application (such as command.com) via a telnet session.
App del/appdel - Stops an application from listening for connections.
Apps list/applist - Lists the applications currently listening for connections.
Directory create/md - Creates a directory.
Directory list/dir - Lists files and directory. You must specify a wildcard if you want more than one file to be listed.
Directory remove/rd - Removes a directory.
Export add/shareadd - Creates an export on the server.
The exported directory or drive's icon does not get overlaid with the shared hand icon.
Export delete/sharedel - Deletes an export.
Exports list/sharelist - Lists current share names, the drive or directory that is being shared, the access for that share, and the password for the share.
File copy/copy - Copys a file.
File delete/del - Deletes a file.
File find/find - Searches a directory tree for files that match a wildcard specification.
File freeze/freeze - Compresses a file.
File melt/melt - Decompresses a file.
File view/view - Views the contents of a text file.
HTTP Disable/httpoff - Disables the http server.
HTTP Enable/httpon - Enables the http server.
Keylog begin/keylog - Logs keystrokes on the server machine to a text file.
The log shows you the name of the window the text was typed into.
Keylog end - Ends keyboard logging. To end keyboard logging from the text client, use 'keylog stop'.
MM Capture avi/capavi - Captures video and audio (if available) from a video input device to an AVI file.
MM Capture frame/capframe - Captures a frame of video from a video input device to a bitmap file.
MM Capture screen/capscreen - Captures an image of the server machine's screen to a bitmap file.
MM List capture devices/listcaps - Lists video input devices.
MM Play sound/sound - Plays a wav file on the server machine.
Net connections/netlist - Lists current incoming and outgoing network connections.
Net delete/netdisconnect - Disconnects the server machine from a network resource.
Net use/netconnect - Connects the server machine to a network resource.
Net view/netview - Views all network interfaces, domains, servers, and exports visible from the server machine.
Ping host/ping - Pings the host machine. Returns the machine name and the BO version number.
Plugin execute/pluginexec - Executes a Back Orifice plug-in. Executing functions that do not conform to the Back Orifice plug-in interface may cause the server
to crash.
Plugin kill/pluginkill - Tells a specific plug-in to shut down.
Plugins list/pluginlist - Lists active plug-ins or the return value of a plug-in that has exited.
Process kill/prockill - Terminates a process.
Process list/proclist - Lists running processes.
Process spawn/procspawn - Runs a program. From the GUI, if the second parameter is specified, the process will be executed as a normal, visible process.
Otherwise it will be executed hidden or detached.
Redir add/rediradd - Redirects incoming TCP connections or UDP packets to another IP address.
Redir del/redirdel - Stops a port redirection.
Redir list/redirlist - Lists active port redirections.
Reg create key/regmakekey - Creates a key in the registry. NOTE: For all registry commands, do not specify the leading \\ for registry values.
Reg delete key/regdelkey - Deletes a key from the registry.
Reg delete value/regdelval - Deletes a value from the registry.
Reg list keys/reglistkeys - Lists the sub keys of a registry key.
Reg list values/reglistvals - Lists the values of a registry key.
Reg set value/regsetval - Sets a value for a registry key. The values are specified as a type followed by a comma, then the value data. For binary values (type
B) the value is a series of two digit hex values. For DWORD values (type D) the value is a decimal number. For string values (type S) the value is a text string.
Resolve host/resolve - Resolves the IP address of a machine name relative to the server machine. The machine name can be an internet host name, or a local network machine name.
System dialogbox/dialog - Creates a dialog box on the server machine with the supplied text and an 'ok' button. You can create as many dialog boxes as you want, they will just cascade in front of the previous box.
System info/info - Displays system information for the server machine. Information displayed includes machine name, current user, CPU type, total and available
memory, Windows version information, and drive information, including drive type (Fixed, CD-rom, removable, or remote) and for fixed drives, the size and free space of the drive.
System lockup/lockup - Locks up the server machine.
System passwords/passes - Displays cached passwords for the current user and the screen saver password. Displayed passwords may have garbage data at their end.
System reboot/reboot - Shuts down the server machine and reboots it.
TCP file receive/tcprecv - Connects the server machine to a specific IP and port and saves any data received from that connection to the specified file.
TCP file send/tcpsend - Connects the server machine to a specific IP and port and sends the contents of the specified file, then disconnects. NOTE: For TCP file transfers, the specified IP and port must be listening before the TCP file command is sent or it will fail. A useful utility for transferring files this way is netcat, which is available for both Unix and win32.
Files can be transferred _from_ the server using the TCP file send command and netcat with a syntax.
Files can be transferred _to_ the server using the TCP file receive command and netcat with a syntax.
NOTE: The win32 version of netcat does not disconnect or exit when it reaches the end of the input file. After the contents of the file have been transferred, terminate netcat with ctrl-c or ctrl-break.
BOConfig:
BOConfig.exe allows you to configure the options for a bo server before it has been installed. It asks you for the executable name, which is the name that Back Orifice will install itself in the system directory. It does not have to end in .exe, but it will not append .exe if you do not supply a file extension.
It then asks for the exe description, which is the description that will describe the exe in the registry where it gets started from during boot. It then asks
for the port, which the server will listen for packets on.
It then asks for a password, which it will use for encryption. To communicate with the server from a client, the client must be configured with this same password.
This can be null. It then asks for the default plug-in to run on startup.
This is a DLL and function name in the form "DLL:_Function" of a Back Orifice plug-in which will automatically be run when the server starts. This can be
null. It then lets you enter any arguments that you want to pass to the plug-in at startup. This also can be null. And finally, it asks for the path to a file which can be attached to the server, which will be written in the system directory as the server starts. This could be a Back Orifice plug-in, which is automatically started.
The server will work without being configured. It defaults to communicating on port 31337 with no password and installing itself as " .exe".
Keyboard logging - Apparently ms-dos windows don't have a message loop, which prevents the ability to log keys that are typed into them.
Text based application TCP redirection (App add) - Several bugs. When command.com is spawned with it's handles redirected, the system also spawns REDIR32.EXE,
which it does not appear possible to terminate. (This seems OS interface that communicates with a TSR module loaded in the dos session to redirect the input
and output handles to pipes) So if you terminate the TCP connection before the application has terminate, REDIR32.EXE and WINOA386.MOD (the 'old application'
(16 bit) wrapper) will remain running, and neither Back Orifice nor the operating system itself will be able to terminate them. This even prevents the system from being able to shut down, it just sits at the 'Please wait...' screen forever.
There also seems to be problems redirecting the output from some console applications (such as FTP.EXE, and unfortunately currently boclient.exe).
Although output from the program is not relayed out, input may still be relayed in, so you can often quit the program through the TCP session. Otherwise use
Back Orifice to kill the executable.
Silk Rope (v2.0) This is an elegant and sophisticated wrapper for the BO installer.
Silk Rope binds your BO installer with a program of your choosing, saving the result as a single file. Great for modifying single-file installs.
Install/Infect Redesign--the installer (used to trojan-ize an existing EXE) has been internally modified and greatly simplified.
Links Here are links to Anti-Virus Software and hopefully some temporary protection from invasion.
