As ISPs begin to hear complaints from clients, independent security groups are scrambling to find ways to detect and remove the Back Orifice hacker program from infected machines. But Microsoft remains remarkably reticent about the threat.
On Tuesday, Microsoft discounted the threat of the program, which was released Saturday by hacker group Cult of the Dead Cow (cDc) and affects only Windows 95 and Windows 98 operating systems. The group claims the program has been downloaded more than 14,000 times. It potentially allows malicious users to monitor and tamper with computers without the permission or knowledge of their owners.
In the wake of its release, several computer security firms, including Data Fellows Group and Internet Security Systems, have found and publicized ways to detect and remove the Back Orifice server. Network Associates is reportedly adding a detection tool to the next version of its virus software as well.
The hackers have issued several statements that lambaste Microsoft for not addressing the issue publicly and accuse it of contacting the group privately to request information about the program.
Deth Veggie, a cDc member, said SirDystic, another member, returned phone calls to Microsoft earlier this week to answer questions from security manager Scott Culp about what bugs or holes Back Orifice exploited.
"SirDystic explained to him that more than 'bugs [or] holes,' the problem was really a fundamental design flaw in Windows 95 [and] 98," Deth Veggie alleged. "Mr. Culp readily agreed."
A Microsoft representative said Friday that the company had nothing further to say on the issue. Meantime, cDc issued a public rebuttal to Microsoft's advisory on the tool, including the company's claim that the program cannot be installed without the user's knowledge. "Thanks to some actual exploits, there are several ways a program could be run on a Windows computer, not only without the user's approval, but without the user's knowledge," the rebuttal read.
James Strompolis, owner of Chicago-based consulting firm Aleph Consultants, said that he was contacted by a few small ISPs after some of their customers encountered an email attachment that did nothing when opened. It was Back Orifice.
While Strompolis said that these users could not determine whether any information on their systems had been compromised, one machine had become very unstable, and its user was advised to reinstall the operating system.
"One ISP claimed that BO was installed on a Web server running Apache by using a CGI script hole to get BO in there," Strompolis said. "It sounds like someone was going to use this Web server to install BO on machines visiting the Web site."
The Java consulting group WithinReach has set up a demonstration that does exactly that: a hostile Java applet that installs the Back Orifice server on the system of anyone who views it in a browser. While the demonstration applet requires the user's confirmation before the installation takes place, a WithinReach member said that it's entirely possible to pass this applet and grant it all permissions without ever presenting a certificate to the user.
"We have already demonstrated how such an applet can be sent by email to the target of an attack and immediately execute when viewed in the email client," he said.
In the days since the program was released, several security groups have found ways to detect and remove the BO server.
Internet Security Systems issued a security alert Thursday explaining how to detect and remove the program and how to use a Windows program to see if it has been installed on a machine.
In a press release issued Friday, Data Fellows Group announced that detection and removal of the Back Orifice server is now available in the company's F-Prot Anti-Virus software. And Strompolis said that Network Associates will add BO detection in the next release of their virus detection tools.
"I'm not a Microsoft hater, but Microsoft's claims that BO is not really a threat are wishy-washy at best, in my opinion," Strompolis said. "They are correct that BO is not the threat. The lack of clear security-procedure explanations from Microsoft is the threat. Why couldn't Microsoft find the stuff I've found and tell their customers how to find it? Why couldn't they whip together a small program to detect it for customers? It would be trivial for them to do this."