Stealthy TCP IO Module for Back Orifice 2000

«I think this idea is very good.»
--- DilDog, author of BO2K, member of cDc and L0phT

«Thanks for solving this problem, Roe.
I have been reading in firewall mailing lists and newsgroups about this very thing.»

--- OX, one of the guys at alt.fan.cult-dead-cow



Overview

STCPIO is a plugin for the remote administration suite Back Orifice 2000 (BO2K) from the one and only Cult of the Dead Cow (cDc). Released at DEFCON 7, BO2K was subject to massive hype even weeks before its actual release.

When using the standard IO modules (TCPIO and UDPIO) that come with BO2K, the network traffic can be easily identified as BO2K data. There is security software around that can identify BO2K packets by traffic analysis.

Stealthy TCPIO (STCPIO), on the other hand, generates traffic that is unidentifiable as BO2K traffic. This is extremely helpful if you run BO2K on a network with high-end security software. With STCPIO, that software won't create bunches of false alerts when you administer a server using BO2K.

There is absolutely no way to identify an STCPIO packet as BO2K traffic for sure, if, and only if, the underlying encryption module is secure. So far, ISS has not come up with any way to overcome STCPIO.

Please note: The strength of STCPIO greatly depends on the strength of the encryption plugin used. If there is any pattern in the output of the encryption module, there will be a way to detect it. Thus XOR is a bad choice here, as it is very weak.



What's New?

Update to version 2.0 is strongly recommended, as earlier versions were somewhat unstable.

Version 2.0, August 29th 1999
Version 1.3, August 28th 1999
Version 1.2, August 23rd 1999
Version 1.1, August 22nd 1999
Version 1.0, August 21st 1999


Usage / Installation

Add the plugin to both the client and the server, and be sure to configure matching packet header encryption engines and ports. You should now be able to select STCPIO from any IO module drop-down menu, and you can specify STCPIO in any IO module setting: wherever you specified TCPIO, you can now use STCPIO. Please be sure to use STCPIO on both the client and the server, otherwise it won't work (surprise, surprise).

I suggest using my Serpent or CAST-256 strong encryption plugins along with STCPIO for top security.

If you can't figure out how to add plugins, I suggest you go to your local software store and acquire a copy of PC Anywhere [tm], so you won't have to cope with the tremendously difficult task of adding a plugin :-P



Tech Stuff

Any BO2K traffic can be identified as such if sent through the standard TCPIO and UDPIO modules. The reason: they send the packet header (a length field) *unencrypted* along the way. So when analysing sniffed traffic on a network, you can take the first DWORD of a packet, assume it is the length of the following data, and if exactly that much data does in fact follow, you know it's a BO2K packet. This technique is used by the ISS network security software, and possibly by others as well.

STCPIO simply encrypts the length field using the configured encryption engine.

This makes identifying BO2K packets as such impossible, effectively hiding them from all network analysers, sniffers and similar security software.
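As an added illustration of the length-field heuristic described above (example code written for this page, not part of STCPIO, BO2K or ISS's product), the following Python checks whether a packet's first DWORD equals the number of bytes that follow it, which is exactly the test that a cleartext TCPIO header satisfies and an encrypted header does not. The sample packets are constructed, and reading the DWORD as little-endian (the Win32 platform BO2K runs on) is an assumption.

```python
import struct

# Constructed sample packets (not real captures). The standard TCPIO module
# sends a DWORD length field in the clear; this example assumes that DWORD is
# little-endian, as on Win32.
PLAIN_HEADER_PACKET = struct.pack("<I", 12) + bytes(12)         # length field matches the 12 payload bytes
OBSCURED_HEADER_PACKET = bytes.fromhex("deadbeef") + bytes(12)  # stand-in for a header STCPIO has encrypted
TRUNCATED_PACKET = struct.pack("<I", 5) + b"abcd"               # declares 5 bytes, only 4 follow
TOO_SHORT_PACKET = b"abc"                                       # cannot even hold a header
OTHER_LENGTH_PREFIXED = struct.pack("<I", 5) + b"hello"         # some unrelated length-prefixed protocol


def declared_length(packet: bytes):
    """Return the first DWORD interpreted as a little-endian length, or None
    when the packet is too short to carry a header at all."""
    if len(packet) < 4:
        return None
    (length,) = struct.unpack("<I", packet[:4])
    return length


def looks_like_cleartext_bo2k_header(packet: bytes) -> bool:
    """The heuristic the text attributes to ISS: flag a packet when its first
    DWORD equals the number of bytes that follow it."""
    length = declared_length(packet)
    return length is not None and length == len(packet) - 4


def scan(packets):
    """Apply the heuristic to a list of packets; return the indices flagged."""
    return [i for i, p in enumerate(packets) if looks_like_cleartext_bo2k_header(p)]


if __name__ == "__main__":
    samples = [PLAIN_HEADER_PACKET, OBSCURED_HEADER_PACKET, TRUNCATED_PACKET,
               TOO_SHORT_PACKET, OTHER_LENGTH_PREFIXED]
    for i in scan(samples):
        print(f"packet {i}: first DWORD matches the trailing length")
```

Running it flags packet 0 (the cleartext header) and packet 4, which shows the heuristic's limits in both directions: any protocol that frames messages with a 4-byte length prefix produces the same match (a false positive), while a packet whose length field is hidden, as STCPIO does, is not matched at all (a false negative), so a defender would treat this match as one indicator to correlate with port and session behaviour rather than as proof on its own.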

For details on how BO2K traffic can be detected, see the ISS Security Alert on BO2K.



Legal Issues

This software contains no strong encryption - it merely uses external encryption modules. Therefore this plugin constitutes no violation of the U.S. ITAR export regulations whatsoever.



License

This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.

This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

If you do redistribute or modify it, please let me know.



This document © Daniel Roethlisberger
Source of this document:
http://www.roe.ch/bo2k