CERT Vulnerability Note VN-98.07

The CERT Coordination Center publishes vulnerability notes to provide information about vulnerabilities to the user community. Because our understanding of the scope of a vulnerability may change, information that originally appears in vulnerability notes may later become part of an advisory or a vendor-initiated bulletin. Vulnerability notes may also be updated from time to time.
Date: Friday, October 2, 1998
Topic: Back Orifice

Recently, a Trojan horse program referred to as Back Orifice has received a great deal of publicity. Although Back Orifice is a potentially serious problem, the CERT/CC has received few reports of its use. As of the date of this Vulnerability Note, we have received fewer than fifty reports of attacks and probes relating to Back Orifice, which represent less than 2.5% of the reports we have received since Back Orifice was published.
How It Works

Because it is a Trojan horse, users must install Back Orifice themselves or be tricked into installing it. It can be disguised in a variety of ways and is ostensibly positioned as a "remote administration tool."

Basically, Back Orifice works as a client-server program, with the intruder controlling the client. Once the Trojan horse (the server component) is on the user's system, the client (which may be running anywhere on the Internet) can access the affected system with the privileges of the user who inadvertently installed it.
Look for It

Although the CERT/CC has not completed testing of the products listed below, and does not and cannot vouch for the claims of their manufacturers, the manufacturers of those products claim that they can detect, and in some cases remove, Back Orifice.
Protect Yourself

Because the intruder can make changes to the victim's machine after installing Back Orifice, removing Back Orifice from your system is not necessarily enough to prevent further intrusions. If you find Back Orifice installed on your system, we encourage you to recover by taking the steps outlined below:
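The note's point is that the Trojan horse itself is only the first thing to remove: an intruder operating with the installing user's privileges may have added, altered or deleted other files, so recovery means finding everything that differs from a trusted state. The following is an added example written for this page, not code from the CERT note or from any product it mentions. It snapshots SHA-256 digests of a directory tree, then classifies every difference between a trusted baseline and the current state as added, modified or removed. The directory layout and file names in `demo()` are constructed for illustration only.

```python
"""Added example (not part of the CERT note): compare a host's current file
state against a trusted baseline so that changes made after a Trojan horse
was installed can be found and reviewed, not just the Trojan itself."""
import hashlib
import tempfile
from pathlib import Path


def snapshot(root):
    """Return {relative_path: sha256_hex} for every regular file under root."""
    result = {}
    root = Path(root)
    for path in sorted(root.rglob("*")):
        if path.is_file():
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            result[path.relative_to(root).as_posix()] = digest
    return result


def compare(baseline, current):
    """Classify differences between two snapshots.

    Returns a dict with three sorted lists: files that exist only in the
    current state ('added'), files whose digest changed ('modified'), and
    files from the baseline that are now missing ('removed').
    """
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(
        name for name in set(baseline) & set(current)
        if baseline[name] != current[name]
    )
    return {"added": added, "modified": modified, "removed": removed}


def demo():
    """Build a constructed directory tree, take a baseline, simulate the kinds
    of follow-on changes the note warns about, and return the comparison."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "system").mkdir()
        (root / "system" / "netlib.dll").write_bytes(b"original library")
        (root / "config.ini").write_text("[startup]\n")

        baseline = snapshot(root)

        # Constructed changes (hypothetical names): a new executable dropped
        # into the system directory, an existing startup config altered, and
        # a legitimate file deleted.
        (root / "system" / "helper.exe").write_bytes(b"unexpected binary")
        (root / "config.ini").write_text("[startup]\nrun=helper.exe\n")
        (root / "system" / "netlib.dll").unlink()

        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, names in demo().items():
        print(f"{kind}: {names}")
```

The baseline has to come from a state you trust (a snapshot taken before the incident, or digests of files from original installation media) and must be stored off the affected host, because an intruder holding the user's privileges can alter anything that user can write, including a baseline kept locally. Anything reported as added or modified is then reviewed and restored from known-good sources rather than simply deleted.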
CERT Contact Information

If you believe that your system has been compromised, contact the CERT Coordination Center or your representative in the Forum of Incident Response and Security Teams (FIRST).

We strongly urge you to encrypt any sensitive information you send by email. The CERT Coordination Center can support a shared DES key and PGP. Contact the CERT staff for more information. The CERT PGP key can be found at http://www.cert.org/pgp/CERT_PGP.key
Phone: +1 412-268-7090 (24-hour hotline)
CERT personnel answer 8:30-5:00 p.m. EST (GMT-5) / EDT (GMT-4), and are on call for emergencies during other hours.
Fax: +1 412-268-6989
NO WARRANTY

Any material furnished by Carnegie Mellon University and the Software Engineering Institute is furnished on an "as is" basis. Carnegie Mellon University makes no warranties of any kind, either expressed or implied, as to any matter including, but not limited to, warranty of fitness for a particular purpose or merchantability, exclusivity or results obtained from use of the material. Carnegie Mellon University does not make any warranty of any kind with respect to freedom from patent, trademark, or copyright infringement.
Comments or questions? Send them to [email protected]

Created October 2, 1998

*Registered in the U.S. Patent and Trademark Office

Neither CERT/CC, the Software Engineering Institute, nor Carnegie Mellon University endorse any of the commercial products discussed herein or any other commercial products.

Copyright 1998 Carnegie Mellon University. Conditions for use, disclaimers, and sponsorship information can be found in http://www.cert.org/legal_stuff/legal_stuff.html and ftp://ftp.cert.org/pub/legal_stuff. If you do not have FTP or web access, send mail to [email protected] with "copyright" in the subject line.