CERT® Coordination Center


CERT Vulnerability Note VN-98.07

The CERT Coordination Center publishes vulnerability notes to provide information about vulnerabilities to the user community. Because our understanding of the scope of a vulnerability may change, information that originally appears in vulnerability notes may later become part of an advisory or a vendor-initiated bulletin. Vulnerability notes may also be updated from time to time.

Date: Friday, October 2, 1998

Topic: Back Orifice

Recently, a Trojan horse program referred to as Back Orifice has received a great deal of publicity. Although Back Orifice is a potentially serious problem, the CERT/CC has received few reports of its use. As of the date of this Vulnerability Note, we have received fewer than fifty reports of attacks and probes relating to Back Orifice, which represent less than 2.5% of the reports we have received since Back Orifice was published.

How It Works

Because it is a Trojan horse, users must install Back Orifice themselves or be tricked into installing it. It can be disguised in a variety of ways and is ostensibly positioned as a "remote administration tool."

Basically, Back Orifice works as a client-server program, with the intruder controlling the client. Once the Trojan horse is on the user's system, the client (which may be running anywhere on the Internet) can access the affected system with the privileges of the user who inadvertently installed it.

Look for It

Although the CERT/CC has not completed testing of the products listed below, and does not and cannot vouch for the claims of their manufacturers, those manufacturers claim that the products can detect, and in some cases remove, Back Orifice.

Protect Yourself

Because the intruder can make changes to the victim's machine after installing Back Orifice, removing Back Orifice from your system is not necessarily enough to prevent further intrusions. If you find Back Orifice installed on your system, we encourage you to recover by taking the steps outlined below:

  • A. Prepare
    • 1. If you have a security policy, consult it
    • 2. If you do not have a security policy
      • i. Consult with management
      • ii. Consult with your legal counsel
      • iii. Consider contacting law enforcement agencies
      • iv. Notify others within your organization
    • 3. Document all of the steps you take in recovering
  • B. Regain control
    • 1. Disconnect the compromised system(s) from the network
    • 2. Make a complete copy of the compromised system(s)
  • C. Analyze the intrusion
    • 1. Look for modifications made to system software and configuration files
    • 2. Look for modifications to data
    • 3. Look for tools and data left behind by the intruder
    • 4. Review log files
    • 5. Look for signs of a network sniffer
    • 6. Check other systems on your network
    • 7. Check for systems involved or affected at remote sites
  • D. Contact the CERT/CC and other sites involved
  • E. Recover from the intrusion
  • F. Improve the security of your system and network using the lessons learned
  • G. Educate your users about the dangers of executing unknown programs or email attachments
  • H. Reconnect to the Internet
  • I. Update your security policy
    • 1. Document lessons learned from being compromised
    • 2. Calculate the cost of this incident
    • 3. Incorporate necessary changes (if any) in your security policy
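One way to carry out steps C.1 and C.3 above, as an added example that is not part of the CERT note: hash every file in the forensic copy taken in step B.2 and compare it with a known-good copy of the same system. The note does not say where a known-good copy comes from; this example assumes one exists (installation media or a pre-incident backup), and all directory and file names in it are constructed.

```python
import hashlib
import tempfile
from pathlib import Path


def snapshot(root):
    """Map every file under root (relative, POSIX-style path) to its SHA-256 digest."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in root.rglob("*")
        if p.is_file()
    }


def compare(baseline, current):
    """Classify differences between two snapshots: files added, removed, or modified."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def demo():
    """Constructed scenario: a known-good copy next to an image of the compromised system."""
    with tempfile.TemporaryDirectory() as known_good, tempfile.TemporaryDirectory() as suspect:
        for root in (known_good, suspect):
            sysdir = Path(root) / "system"
            sysdir.mkdir()
            (sysdir / "startup.cfg").write_text("run=shell\n")
            (sysdir / "netcfg.dll").write_bytes(b"\x4d\x5aoriginal")
        # Traces an intruder might leave (constructed names, not real Back Orifice artifacts):
        # a dropped executable and an added startup entry that re-launches it.
        suspect_sys = Path(suspect) / "system"
        (suspect_sys / "hidden_tool.exe").write_bytes(b"\x4d\x5atrojan")
        (suspect_sys / "startup.cfg").write_text("run=shell\nrun=hidden_tool.exe\n")
        return compare(snapshot(known_good), snapshot(suspect))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Run the comparison against the offline copy from step B.2, never against the still-running machine, so the intruder's software cannot interfere with the results.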
Below is a list of pointers to additional information about Back Orifice:


CERT Contact Information

If you believe that your system has been compromised, contact the CERT Coordination Center or your representative in the Forum of Incident Response and Security Teams (FIRST)

We strongly urge you to encrypt any sensitive information you send by email. The CERT Coordination Center can support a shared DES key and PGP. Contact the CERT staff for more information.

The CERT PGP key can be found at http://www.cert.org/pgp/CERT_PGP.key

Email

[email protected]

Phone

+1 412-268-7090 (24-hour hotline)

CERT personnel answer 8:30 a.m.-5:00 p.m. EST (GMT-5)/EDT (GMT-4), and are on call for emergencies during other hours.

Fax

+1 412-268-6989


NO WARRANTY

Any material furnished by Carnegie Mellon University and the Software Engineering Institute is furnished on an "as is" basis. Carnegie Mellon University makes no warranties of any kind, either expressed or implied as to any matter including, but not limited to, warranty of fitness for a particular purpose or merchantability, exclusivity or results obtained from use of the material. Carnegie Mellon University does not make any warranty of any kind with respect to freedom from patent, trademark, or copyright infringement.


Comments or questions? Send them to [email protected]

Created October 2, 1998

*Registered in the U.S. Patent and Trademark Office

Neither the CERT/CC, the Software Engineering Institute, nor Carnegie Mellon University endorses any of the commercial products discussed herein or any other commercial products.

Copyright 1998 Carnegie Mellon University. Conditions for use, disclaimers, and sponsorship information can be found at http://www.cert.org/legal_stuff/legal_stuff.html and ftp://ftp.cert.org/pub/legal_stuff. If you do not have FTP or web access, send mail to [email protected] with "copyright" in the subject line.