Incident Notes Vulnerability Notes Security Improvement Modules Tech Tips Sources of Tools Training Alerts Y2K

CERT Vulnerability Note VN-98.07

The CERT Coordination Center publishes vulnerability notes to provide information about vulnerabilities to the user community. Because our understanding of the scope of a vulnerability may change, information that originally appears in vulnerability notes may later become part of an advisory or a vendor-initiated bulletin. Vulnerability notes may also be updated from time to time.

Date: Friday, October 2, 1998

Topic: Back Orifice

Recently, a Trojan horse program referred to as Back Orifice has received a great deal of publicity. Although Back Orifice is a potentially serious problem, the CERT/CC has received few reports of its use. As of the date of this Vulnerability Note, we have received less than fifty reports of attacks and probes relating to Back Orifice, which represent less than 2.5% of the reports we have received since Back Orifice was published.

How It Works

Because it is a Trojan horse, users must install Back Orifice themselves or be tricked into installing it. It can be disguised in a variety of ways and is ostensibly positioned as a "remote administration tool."

Basically, Back Orifice works as a client-server program, with the intruder controlling the client. Once the Trojan horse is on the user's system, the client (which may be running anywhere on the Internet) can access the affected system with the privileges of the user who inadvertently installed it.

Look for It

Although CERT/CC has not completed testing of the products listed below, and does not and cannot ensure the claims of their manufacturers, the manufacturers of the following products claim that the following products can detect, and in some cases remove, Back Orifice.

Mcafee
http://www.nai.com/download/updates/updates.asp
Norton AntiVirus 2.0 for Windows 95
http:/www.symantec.com/nav/fs_nav5-95nt.html
RealSecure 2.5
http://www.iss.net/prod/rs.html

Protect Yourself

Because the intruder can make changes to the victim's machine after installing Back Orifice, removing Back Orifice from your system is not necessarily enough to prevent further intrusions. If you find Back Orifice installed on your system, we encourage you to recover by taking the steps outlined below:

A. Prepare
- 1. If you have a security policy, consult it
- 2. If you do not have a security policy
  - i. Consult with management
  - ii. Consult with your legal counsel
  - iii. Consider contacting law enforcement agencies
  - iv. Notify others within your organization
- 3. Document all of the steps you take in recovering
B. Regain control
- 1. Disconnect the compromised system(s) from the network
- 2. Make a complete copy of the compromised system(s)
C. Analyze the intrusion
- 1. Look for modifications made to system software and configuration files
- 2. Look for modifications to data
- 3. Look for tools and data left behind by the intruder
- 4. Review log files
- 5. Look for signs of a network sniffer
- 6. Check other systems on your network
- 7. Check for systems involved or affected at remote sites
D. Contact the CERT/CC and other sites involved
- 1. Follow the guidelines outlined in http://www.cert.org/tech_tips/incident_reporting.html
- 2. Contact the CERT Coordination Center
- 3. Obtain contact information for other sites involved and contact them
E. Recover from the intrusion
- 1. Reinstall your operating system from distribution media
- 2. Disable unnecessary services
- 3. Install all vendor security patches. See http://www.microsoft.com/security/
- 4. Consult CERT advisories, summaries, and vendor-initiated bulletins
- 5. Use caution when restoring data from backups, since it may contain data already altered by the intruder
- 6. Change passwords
F. Improve the security of your system and network using the lessons learned
G. Educate your users about the dangers of executing unknown programs or email attachment
H. Reconnect to the Internet
I. Update your security policy
- 1.Document lessons learned from being compromised
- 2.Calculate the cost of this incident
- 3.Incorporate necessary changes (if any) in your security policy

Below is a list of pointers to additional information about Back Orifice:

CERT Contact Information

If you believe that your system has been compromised, contact the CERT Coordination Center or your representative in the Forum of Incident Response and Security Teams (FIRST)

We strongly urge you to encrypt any sensitive information you send by email. The CERT Coordination Center can support a shared DES key and PGP. Contact the CERT staff for more information.

The CERT PGP key can be found at http://www.cert.org/pgp/CERT_PGP.key

Email

[email protected]

Phone

+1 412-268-7090 (24-hour hotline)

CERT personnel answer 8:30-5:00 p.m. EST(GMT-5)/EDT(GMT-4), and are on call for emergencies during other hours.

Fax

+1 412-268-6989

NO WARRANTY

Any material furnished by Carnegie Mellon University and the Software Engineering Institute is furnished on an "as is" basis. Carnegie Mellon University makes no warranties of any kind, either expressed or implied as to any matter including, but not limited to, warranty of fitness for a particular purpose or merchantability, exclusivity or results obtained from use of the material. Carnegie Mellon University does not make any warranty of any kind with respect to freedom from patent, trademark, or copyright infringement.

Comments or questions? Send them to [email protected]

Created October 2, 1998

*Registered in the U.S. Patent and Trademark Office

Neither CERT/CC, the Software Engineering Institute, or Carnegie Mellon Universityendorse any of the commercial products discussed herein or any other commercial products.

Copyright 1998 Carnegie Mellon University. Conditions for use, disclaimers, and sponsorship information can be found in http://www.cert.org/legal_stuff/legal_stuff.html and ftp://ftp.cert.org/pub/legal_stuff. If you do not have FTP or web access, send mail to [email protected] with "copyright" in the subject line.