

A cautionary tale of Back Orifice
from TBTF for 1998-08-24



Chris Double <chris at cnd dot co dot nz> sent this note after TBTF covered the Back Orifice cracker intrusion tool. It points out one of the many devious ways unscrupulous users can get this Trojan horse remote-control server installed on an unwitting victim's machine. Chris was vigilant and lucky. But remember: beware of geeks bearing gifts.

The following material is copyright 1998 by Chris Double.


From: Chris Double <chris at cnd dot co dot nz>
To: <dawson dot tbtf at gmail dot com>
Subject: tbtf and Back Orifice War Story
Date: Thu, 20 Aug 1998 05:17:02 +1200

Hi Keith.

First off, I'd like to say I'm an avid reader of your TBTF web site. Always full of great stuff and interesting information. I thought you'd like to know that it is through information on your site that I discovered Back Orifice being distributed in a newsgroup as a useful utility that some people ran and unknowingly installed. This happened about 6 hours ago [on 19 August 1998 -- ed.].

The newsgroup is alt.games.creatures. Someone posted a utility there that extended the Creatures game (a program by cyberlife). A few people posted that they had run it but nothing seemed to happen. A post from one user mentioned that it was 120K and didn't even work.

I remembered reading on TBTF about Back Orifice and through the various links there was a warning to keep an eye out for files of about 120K. So I downloaded this supposed utility and downloaded Back Orifice from the Cult of the Dead Cow website. I compared the utility (called nolimit.exe) to boserve.exe and sure enough they were the same.

The same person who posted it to the newsgroup also posted a link to the file on a popular Creatures web site message board. They offered it for download at their homepage on tripod -- it's still there. [Note: it has been removed now. -- ed.] The file available, nolimit, is actually Back Orifice in disguise. Once again, Creatures users downloaded and tried it.

This was quite devious as the poster knew the utility was something people wanted and knew that Creatures users are avid users of ICQ and Ice Chat. Both of these chat facilities allow easy access to people's IP addresses. By viewing the IP address of Ice Chat users the poster could then try accessing them using the Back Orifice GUI -- there would be a fairly good hit rate I imagine.

Unfortunately, when deleting the nolimit.exe program from my system after checking it out I accidentally double-clicked it and ran it. Sure enough I was infected. I followed the directions on the ISS advisory site.

There was a file called internet.exe placed in my system directory and the following in my registry:

HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Windows \ CurrentVersion \ RunServices \ config file = "internet.exe"

I checked and this was Back Orifice running on the default configured port but with a password assigned to it.

Now the bad news. I removed the item from my registry, ran McAfee to check my drive (it found no viruses -- this was the McAfee version I downloaded about 4 hours beforehand and it failed to find Back Orifice) and rebooted. My machine wouldn't boot and the hard drive was corrupted. I've managed to recover most of the information but will eventually do a reinstall just in case.

I posted messages to alt.games.creatures warning users of the trojan and I've also sent a message to abuse@tripod.com.

Anyway, thought you'd like a war story concerning one of your articles from a reader. Keep up the great work!

Cheers,
Chris Double.
<chris at cnd dot co dot nz>
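A small triage helper, added here as an example and not part of Chris's message or of the TBTF page. It parses a constructed REGEDIT4-style registry export modelled on the RunServices entry quoted above, flags autostart values that name a bare executable (which Windows resolves from the system directory, the shape of the "config file" = "internet.exe" entry), and fingerprints file contents so two downloads can be compared the way nolimit.exe was compared to boserve.exe. The sample export, its values and the function names are constructed for the example.

```python
"""Triage helpers for the autostart and file-comparison checks described above."""
import hashlib
import re

# Autostart keys used for persistence on Windows 9x-era systems (RunServices
# is the one named in the message; Run is checked for completeness).
AUTOSTART_KEYS = ("\\CurrentVersion\\RunServices", "\\CurrentVersion\\Run")

# Constructed registry export, modelled on the entry quoted in the message.
# "SystemTray" is a legitimate bare-name entry included to show that the
# check is a triage list, not a verdict.
SAMPLE_REG_EXPORT = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"config file"="internet.exe"
"SystemTray"="SysTray.Exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
'''


def parse_reg_export(text):
    """Yield (key, name, value) triples from a REGEDIT4-style text export."""
    key = None
    for line in text.splitlines():
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and line.startswith('"'):
            m = re.match(r'"([^"]+)"="(.*)"$', line)
            if m:
                # Exports escape backslashes in string values; undo that.
                yield key, m.group(1), m.group(2).replace("\\\\", "\\")


def suspicious_autostarts(text):
    """Return (key, name, image) for autostart values whose image is a bare
    .exe name with no path, i.e. an executable resolved from the system directory."""
    hits = []
    for key, name, value in parse_reg_export(text):
        if not key.endswith(AUTOSTART_KEYS):
            continue
        parts = value.split()
        image = parts[0] if parts else ""
        if "\\" not in image and image.lower().endswith(".exe"):
            hits.append((key.rsplit("\\", 1)[-1], name, image))
    return hits


def fingerprint(data):
    """SHA-256 of file contents; equal digests mean the two downloads are identical."""
    return hashlib.sha256(data).hexdigest()
```

Feed `suspicious_autostarts` the text of a registry export and compare `fingerprint(open(a, "rb").read())` with the same for a second file; matching digests confirm byte-identical binaries.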

