Microsoft is downplaying the threat presented by a new hacker program that's designed to attack computers running Windows 95 or Windows 98.
"Back Orifice does not expose or exploit any security issue with the Windows platform or the BackOffice suite of products," said a Microsoft security advisory posted Tuesday. "Back Orifice does not compromise the security of a Windows network."
The program, released Saturday by hacker group Cult of the Dead Cow (cDc), potentially allows malicious users to monitor and tamper with computers sans the permission or knowledge of their owners.
The hacker group released the program at the DefCon hacker convention in Las Vegas. cDc is one of the oldest such groups in existence and has published hundreds of cyberculture texts since 1984.
"Sir Dystic," the cDc programmer who wrote Back Orifice, said in its release statement that the program has two main legitimate purposes: remote tech support aid and employee monitoring and administering of a Windows network.
Back Orifice is a Windows 95/98 client/server application that allows remote monitoring and administration on any machine running the 123 KB Back Orifice server. The executable file that contains the program can be renamed and sent to a victim as an email attachment. Since the server can potentially be installed and run on a machine without the victim's knowledge, it could be difficult to detect. When the program runs, the user gets no notification, and the server restarts every time the machine is rebooted.
The program allows the cracker to view files on the remote system, log keystrokes, and even capture audio and video, if the victim's machine is equipped with such hardware.
"It was exciting to see it introduced and how the product was so powerful, so transparent, and so easy to use," said Mike Hunter, who saw a demonstration at DefCon. "Back Orifice allows hardcore hackers and relative newbies alike the power to control people's computers."
The trick is getting it on the victim's machine in the first place.
"That's the exploit," said Russ Cooper, Windows security expert and moderator of the NTBugTraq mailing list. "If they can get it on your machine, then the program can do lots of things. But any program can do lots of things."
Karan Khanna, a Microsoft security manager, likened the program to the remote administration tool pcAnywhere, and said that customers shouldn't worry about it, as long as they take their security precautions seriously.
"For example," Khanna said, "do not install software [if you] don't know where it comes from, because you never know what the software will do. It's no different from the normal security practice that customers should follow."
But the cDc accuses Microsoft of spin control.
"Their 'Security Advisory' is really a slick attempt at spin control, with little relevance to the real situation at hand. In it they flip-flop around, contradicting their own statements. In addition, they make several claims that are just out-and-out lies," said cDc member "Deth Veggie."
Those lies, Deth Veggie said, include the fact that a user must deliberately install or be tricked into installing the program.
"Due to the lovely MIME mishandlings of Outlook and Netscape Messenger, the required Back Orifice executable need only be emailed to a targeted individual for it to be installed," said Deth Veggie. "The user no longer needs to click on an attachment for Back Orifice to install. Receiving the mail is enough for the plant to occur."
Cooper isn't convinced that such a stealth installation is possible.
"Somebody demonstrate to me that they know how [the Outlook bug] works, because nobody has," said Cooper. "The fact is, the information that got out there was not sufficient for somebody to write their own [Outlook exploit]."
The hacker group claims that Microsoft has misrepresented other points about the program in its security advisory.
Since the port that Back Orifice's server uses is configurable, said Deth Veggie, in many cases it should successfully work through a firewall, contrary to Microsoft's advisory. Furthermore, he explained that if a machine has had the Back Orifice server installed and is on a dial-up connection that uses a dynamic IP address (where an ISP assigns a unique IP address on the fly to the machine for each session), the cracker need only know a previously used IP address to locate the machine. The program is able to scan a range of addresses -- say, 204.152.97.* -- to find the machine's current location.
"Again and again, Microsoft claims in its advisory that Back Orifice needs to be installed by the user," said Deth Veggie. "Wishful thinking, I'm afraid."
Although Cooper thinks Back Orifice is very well-programmed, he does not believe the program serves the purpose that cDc had hoped it would: proving that Microsoft needs to do better with its network security.
"For years, Microsoft has said that if you want security, don't use Windows 95. Use Windows NT. In my opinion, the effect is going to be that this is going to encourage people to upgrade to Windows NT," said Cooper. "And personally, I don't think that this is what the cDc had in mind."
As of 11 a.m. Wednesday, Deth Veggie said that more than 14,000 copies of Back Orifice had been downloaded. Meanwhile, Microsoft has received no reports of malicious use.