
Documentation compiled by Bel Hadje Sami & Bahri Hassen

BO2K
freeware designed & written by cDc

CONTENTS (as of 15 September 1999)
Back Orifice – General Information (Sept. 1998)
Data Fellows/F-Protect Virus Info: Description of BO2K
Back Orifice 2000 – Tutorial (sort of…)
Butt Trumpet 2000 v. 1.2 and related FAQ
cDc Press Release “Back Orifice 2000”

Control. Back Orifice 2000 is the most powerful network administration tool
available for the Microsoft environment, bar none.
Built upon the phenomenal
success of Back Orifice released in August 98, Back Orifice 2000 puts network
administrators solidly back in control. In control of the system, network,
registry, passwords, file system, and processes. BO2K is a lot like other major
file-synchronization and remote control packages that are on the market as
commercial products. Except that BO2K is smaller, faster, free, and very, very
extensible. With the help of the open-source development community, BO2K will
grow even more powerful. With new plugins and features being added all the
time, BO2K is an obvious choice for the productive network administrator.
Open source architecture ensures product development in the future
Open source provides a trusted environment, and promotes security
FREE. No price tag. Just download and install
Easy installation on both client and server machines
Address book style server list
Plugin extensibility
Multiple server connections at once
Customizable look-and-feel
Session logging
Native Server Support
Keystroke logging
HTTP filesystem browsing and transfer, with optional restrictions.
Management of Microsoft Networking file sharing
Direct registry editing
Direct file browsing, transfer, and management
Plugin extensibility
Remote upgrading, installation, and uninstallation
Network redirection of TCP/IP connections
Access console programs such as command shells through Telnet
Multimedia support for audio/video capture, and audio playback
NT registry passwords and Win9x screensaver password dumping
Process control, start, stop, list
Multiple client connections over any medium
GUI message prompts
Proprietary file compression
Remote reboot
DNS name resolution
Cryptographically Strong Triple-DES encryption
Remote desktop with optional mouse and keyboard control
Drag and drop encrypted file transfers and Explorer-like file system browsing
Graphical remote registry editing
Reliable UDP and ICMP communications protocols
(COMING SOON) IPX/SPX, Telephony/Dialup, and IRDA communication protocols
(COMING SOON) Scripting language for client and server-side automation
Lots more coming soon!
Back Orifice is the most popular trojan at the moment. Since its release at DEFCON VI by the Cult of the Dead Cow (cDc), it has spread extraordinarily fast around the globe. Well, Sir Dystic did a great job. Back Orifice is the most powerful trojan available at present. It can be configured for many special purposes by using plugins. The many options mean it is no easy toy for hacker kids, however; one must know a lot to use this one right.
Back Orifice hides itself from the task list when active. Upon infection, it installs itself in the Registry under the key HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices, so that it is launched by Windows at system start. It copies itself into the <WindowsRootDir>\system directory, and then deletes the installer. The standard installer has an invisible icon.
You need to have Windows 95 or 98 to get infected. BO won't install itself on an NT system, because of its static use of some system DLLs which are not available under NT. To become infected you must run the executable on your system. It is *not* possible to get infected just by browsing the web or reading e-mail. Theoretically. However, there are bugs in many Internet software packages, including Microsoft Internet Explorer, Microsoft Outlook Express and Netscape Communicator. Some bugs may allow someone to run arbitrary code on your machine without any help from you. But these bugs are *very* difficult to exploit, and this can only be done by a true hacker. Those attacking you with Back Orifice, however, are usually only kids playing superhacker, so you needn't worry about those security bugs too much (Hmmm…but what about the authors? –ed.). But to be on the safe side, please install the updates, service packs and bugfixes for your Internet software and for Windows, available at www.microsoft.com and www.netscape.com respectively.
Back Orifice is fully configurable. The standard port is 31337, the name is " .exe" and it uses no password. But this can all be configured. BO always places an entry in the RunServices section of the Registry, whether the configuration is valid or not. BO uses the UDP protocol for communication, which means that it cannot be located by a common port scan. It only responds to packets encrypted with the password the attacker configured it with. It also has the option to run plugins. These plugins can be written by anyone, so a BO server is not limited to its standard functionality but can easily be extended with other functions; known examples include sending a mail upon infection, connecting to an IRC server and telling all the chatters there that the computer is infected, and a sophisticated network traffic sniffer. BO gives full control over the infected machine, including: application launch and control, directory and file management, net connection and share management, compression and decompression, HTTP server, keyboard log, screen capture, webcam capture, play sounds, ping, plugin management, process management, port redirection management, Registry management, resolve host, display dialog boxes, system information including cached passwords, lockup, reboot, TCP file send and receive.
BO can also be misconfigured so that it will not copy itself to the system directory but stays where it is and runs from there. The Registry entry in this case is not valid, which makes it harder to locate.
BO leaves a file called windll.dll in the system directory. This DLL is used for hooking the keyboard and logging all keystrokes. Droppers are available, enabling anyone to package BO into another program, infecting the target upon execution of that program. The most powerful of these droppers, SilkRope 2.x, even encrypts BO, so it won't be located by a common file scan.
ALIAS: Back Orifice 2000
Back Orifice 2000 is a new version of the famous Back Orifice backdoor trojan (hacker's remote access tool). It was created by the Cult of the Dead Cow hackers group in July 1999. Originally BO2K was released as a source code and utilities package on a CD-ROM. There are reports that some files on that CD-ROM were infected with the CIH virus, so the people who got that CD might get infected and spread not only the compiled backdoor but also the CIH virus.
The first binary version of BO2K was compiled and spread in the US. A few days later an international version of this backdoor appeared. Over time there may appear many versions of BO2K built with different compilers and having different features. Like its previous versions, the Back Orifice 2000 backdoor has 2 major parts: client and server. The server part needs to be installed on a computer system to gain access to it with the client part. The client part connects to the server part via the network and is used to perform a wide variety of actions on the remote system. The client part has a dialog interface that eases the process of hacking the remote computer.
The same package also contains a configuration utility that is used to configure the server part of BO2K. By default the server part doesn't install itself into the system when run. It has to be properly configured to be used as a backdoor. The configuration utility has a wizard that helps to quickly configure the server part. It asks the user to specify the networking type (TCP or UDP), port number (1-65535), connection encryption type - simple (XOR) or strong (3DES) - and the encryption password, which is also the password for server access.
The configuration utility allows the server part to be configured flexibly. It can add or remove plugins (DLLs) from the server application, and configure file transfer properties, TCP and UDP settings, built-in plugin activation, the encryption key, and startup properties. The startup properties setup allows configuring automatic installation to the system, server filename, process name, process visibility and also NT-specific properties (NT service and host process names).
When the server part is configured to act like a trojan, i.e. to install itself covertly on someone's system, it writes itself to the \Windows\System\ or \WinNT\System32\ folder under a name specified during configuration (default is UMGR32.EXE). Then it modifies the Registry. Under Windows 95/98 the server execution string is written to:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
Under Windows NT the execution string is written to:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Then the file from which the server part was started can be deleted (if this was specified during configuration). After that BO2K will be active in memory each time Windows starts and will provide access to the infected system to hackers who have the client part and the correct password.
While active, the server part can hide its process or prevent its task from being killed from Task Manager (on NT). On NT the backdoor uses a smart trick: it constantly changes its PID (process ID) and creates an additional process of itself that will keep the backdoor alive even if one of the processes is killed. Besides, the server part adds a random (but large) number of spaces and 'e' characters to the end of its filename, so the server part file can't be deleted from Windows (an invalid or long name error occurs), though disk checking utilities don't find any problems with the filename. The server part file can only be deleted from DOS or a DOS session (if the file is not locked, of course).
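The two autostart keys above, the default filename UMGR32.EXE, the original Back Orifice's " .exe" name from the General Information section, and the trailing space/'e' padding trick are all host-based indicators a defender can check for. The following Python checker is an added example, not code from cDc or Data Fellows: it parses a .reg export of the Run and RunServices keys named on this page and flags entries whose image filename matches those indicators. The .reg excerpt, its value names and the padded 'update.exe' entry are constructed for the demonstration.

```python
import re
from collections import namedtuple

Finding = namedtuple("Finding", "key name path reasons")

# Autostart keys named on this page: RunServices (Win95/98) and Run (NT).
AUTOSTART_KEYS = {
    r"hkey_local_machine\software\microsoft\windows\currentversion\runservices",
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
}

# Default server filenames named on this page: " .exe" for the original
# Back Orifice, UMGR32.EXE for BO2K. Compared case-insensitively.
KNOWN_DEFAULT_NAMES = {" .exe", "umgr32.exe"}

# Constructed .reg export excerpt for the demonstration (not from a real host).
# Backslashes are doubled as regedit writes them. "Default" and "UMGR32" use
# the page's default names; "Updater" shows the trailing-padding trick.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"SystemTray"="C:\\WINDOWS\\SYSTEM\\systray.exe"
"Default"="C:\\WINDOWS\\SYSTEM\\ .exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UMGR32"="C:\\WINNT\\SYSTEM32\\UMGR32.EXE"
"Updater"="C:\\WINNT\\SYSTEM32\\update.exe            eeeeeeeeee"
"Explorer"="C:\\WINNT\\explorer.exe"
'''

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^"([^"]*)"="(.*)"$')
# core = everything up to and including a short extension; padding = the
# trailing run of spaces and 'e' characters the page describes.
_PADDED_RE = re.compile(r"^(.*\.\w{1,4})([ e]*)$")


def parse_reg_export(text):
    """Yield (key, value_name, data) for REG_SZ values in a .reg export."""
    key = None
    for line in text.splitlines():
        m = _KEY_RE.match(line.strip())
        if m:
            key = m.group(1)
            continue
        m = _VALUE_RE.match(line)  # not stripped: trailing spaces are evidence
        if m and key is not None:
            yield key, m.group(1), m.group(2).replace("\\\\", "\\")


def split_padding(filename):
    """Return (core, padding); padding is empty for an ordinary filename."""
    m = _PADDED_RE.match(filename)
    if not m:
        return filename, ""
    return m.group(1), m.group(2)


def inspect_autostart_entry(data):
    """Reasons an autostart value's image path looks like a BO/BO2K server."""
    reasons = []
    filename = data.strip('"').rsplit("\\", 1)[-1]
    core, padding = split_padding(filename)
    if padding:
        reasons.append("filename padded with %d trailing space/'e' chars" % len(padding))
    if core.lower() in KNOWN_DEFAULT_NAMES:
        reasons.append("matches documented default server name %r" % core)
    if core.rsplit(".", 1)[0].strip() == "":
        reasons.append("filename stem is blank")
    return reasons


def find_suspicious_autostarts(reg_text):
    """Scan the Run/RunServices keys of a .reg export; return a Finding list."""
    findings = []
    for key, name, data in parse_reg_export(reg_text):
        if key.lower() not in AUTOSTART_KEYS:
            continue
        reasons = inspect_autostart_entry(data)
        if reasons:
            findings.append(Finding(key, name, data, reasons))
    return findings


if __name__ == "__main__":
    for f in find_suspicious_autostarts(SAMPLE_REG_EXPORT):
        print("%s\\%s -> %r: %s" % (f.key, f.name, f.path, "; ".join(f.reasons)))
```

On a real machine the export would come from regedit or from a hive in a forensic image. The padding check only looks at what follows a short extension, so ordinary names ending in 'e' such as explorer.exe are not flagged, and a hit is a lead to examine the file on disk (from a DOS session, as the text notes), not a verdict on its own.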
Back Orifice 2000, like its ancestors, has a lot of features. But unlike the older versions, BO2K has many improvements: connection encryption (including strong 3DES), the ability to work under NT, to use UDP, and to load internal plugins in DLL format, more advanced security, and more remote system control features.
Here's the list of Back Orifice 2000 capabilities:
1. Ping and query server part version
2. Rebooting, locking up the system, listing of passwords (yes, it works - passwords are retrieved from memory), getting system info
3. Logging keyboard activities, operations with the log file: view, delete
4. Opening a message box with specified text and title
5. Mapping TCP ports to another IP, console application, HTTP file server, filename, listing of mapped ports and TCP file sending
6. Adding and removing network shares, listing of shares (including LAN), mapping of shared devices, listing of active connections
7. Process control (works under NT as well): list, kill, start
8. Full access to the Registry (though the way it is done is not convenient - all keys have to be typed manually)
9. Playing WAV files (looped playback is possible), capturing screen, AVI and video still
10. Full disk access: listing of directories and files, finding, viewing, deleting, moving, copying of files and folders, transfer list maintenance
11. Remote compression and decompression of files (to receive big files from the remote system)
12. Resolving full host name and IP address
13. Flexible server control including control of each plugin, command sockets manager
14. Possibility to run any plugins ('buttplugs') and to activate any functions in them with specified parameters. For example one plugin can initiate a video stream and 'hijack' a remote system.
The US version has some serious bugs - sometimes installation of the backdoor fails under NT. On NT shutdown an error message box is displayed for some time.
Detection and removal of
Back Orifice 2000 is available with the latest updates that can be downloaded
from Data Fellows ftp site free of charge.
(Above text downloaded from
DataFellows website September 1999)
This is a simple tutorial for those who want to get started using BO2K quickly.
Alright, once you've unpacked the BO2K distribution into a directory, start up the BO2K server configuration tool (BO2KCFG). The configuration program pops up. Now we want to open the BO2K server, the one that we're going to be installing on the server machine, and configure it. First, make a copy of the BO2K executable, and open that copy by clicking the 'Open server' button (do NOT click on the BO2K.EXE directly or you will infect yourself!) and choosing the proper BO2K.EXE executable from the list of files.
You can configure the built-in system settings, such as encryption keys and default ports, by using the tree control at the bottom of the window and changing the setting on the right. For example, to change the port that BO2K listens on (aka, what BO2K 'binds to'), do the following:
Expand the 'Startup' option folder, then click on 'Init Cmd Bind Str' and you'll see the current 'binding string' appear in the 'Current Value' box. A 'binding string' is a protocol-independent way to specify where the protocol will be listening. For the UDPIO and TCPIO protocols, this is simply a port number. If you were running a Netware/IPX plugin or some other protocol, the binding string would have a different syntax.
Since the default value of the 'Init Cmd Net Type' option is still 'TCPIO', we'll go ahead and set the port to something like 18006. To do this, type 18006 into the 'New Value' box and hit 'Set Value'. Now the server is configured to use TCPIO port 18006. Tada.
Add the BO_PEEP plugin.
1. To the right of the 'Plugins Loaded:' box, there is an 'Insert...' button. Click it.
2. When the 'Insert BO2K plugin' box comes up, choose bo_peep.dll and hit Open.
3. You'll notice that the BO_PEEP plugin now shows up in the 'Plugins Loaded:' box. Also, the list of options in the "Option Variables" box has been updated to include BO_PEEP options. You can modify these later if you wish. Now on with the tour.
Save the server by clicking the 'Save server' button, and close the program.
Step Two: Install The BO2K Server
This is a relatively simple task. Just copy the server to the target machine, and run it. If you're installing on a Win95/98 machine, the server executable will move itself into the c:\windows\system directory and name itself 'UMGR32.EXE'. The name is configurable with the BO2KCFG tool that we just used. There are other things you can do to customize how BO2K behaves upon installation. A fuller description of these options is available in the Command Reference section of this website. If you are installing under Windows NT, BO2K copies itself into the c:\winnt\system32 directory (if permissions allow it to do so) and renames itself. That's it. Wasn't very difficult, was it..?
First start the client by running the client tool. It should open and maximize itself. First things first, we want to create a new server connection. So we click on the little computer button on the left hand side of the server list window at the bottom.
This pops up a dialog where you can define the parameters of the machine that you want to contact. You'll want to put in a name for this connection (doesn't matter what it is) in the 'Name of this server' field. Next, put in the server's IP address:port pair. We have to specify the port, since we reconfigured the server and didn't change the defaults for the client. So we type in aaa.bbb.ccc.ddd:18006, replacing the letters with the real IP address of the server. Connection type should be TCPIO, encryption should be XOR, and authentication should be NULLAUTH. When you're done, hit 'OK'.
Once you've hit OK, the server command client pops up for this server. You can minimize and restore the server command client by double-clicking the server name in the server list box at the bottom.
Step Four: Configure the Client
Since we installed the BO_PEEP plugin in the server, in order to communicate with it properly we need to install the same plugin into the client. To do this, we go to the 'Plugins' menu option and then choose 'Configure...'.
This pops up a dialog to insert and remove plugins and configure basic settings, much like the BO2KCFG tool, but this time it's for the client. This dialog also doesn't modify any executables. It stores the configuration in the registry.
So, we hit the 'Insert...' button and choose the bo_peep.dll file. This adds the BO_PEEP plugin and puts the options in the tree control below. We didn't reconfigure BO_PEEP on the server side, so we won't have to configure it here. Just hit 'Done'.
Step Five: Connect To The Server and Fool Around
Simply hit the 'Connect'
button on the Server Command Client. It should sit there for a second, and then
spit out the version number of the server it has connected to in the output
window at the bottom of the command client. After connecting, you can pick commands
out of the 'Server Commands' tree control. When you choose a command, the
parameters for the command will appear in the right of the box. Some parameters
are optional, as indicated by either brackets [], or something like (opt). All
other parameters must be filled in with valid values.
To send a simple ping
command, open the "Simple" folder in the tree control, and click on
the 'Ping' command. Now, click on the 'Send command' button. If the ping was
successful, a ping reply message should be issued from the server, and will
appear in the output window.
Step Six: Try Using The Plugin
To use the plugin, go to the
Plugins menu option, and you'll notice that there is now a 'BO Peep' submenu.
This was added when you inserted the plugin into the client. Select the
'VidStream Client' sub-menu item. It should pop up a happy little blue box.
Before we can connect,
though, we need to start the VidStream service on the server side. So we go to
the BO Peep folder in the server command client's command list, open it, and
choose the "Start Vidstream" command. A number of options will
appear. Type the value '8' into the FPS box. Type '160,120' in the
'Xres,Yres[,NET][,ENC][,AUTH]' box. Then hit 'Send command'. The server should
respond, telling you what address you need to connect to in order to get the
video stream.
Click on the connect button on the VidStream client, and you'll be presented with a connection dialog. The number in the box is the default VidStream port. Modify the address to include the appropriate IP address (as returned by the server), such as aaa.bbb.ccc.ddd:15151. All of the other options should be at their correct defaults. Hit the OK button and you should connect. If you mistyped something, got the port/address wrong, or picked the wrong network type/encryption/crypto-key, then it won't connect. But if it all goes well, you'll see a little window into the other machine's desktop. Congrats!
Well that's it for the tour, you should be able to figure out lots of other things on your own!
1. What is BO2K? Where can I get it?
You can get BO2K from the BO2K website in the downloads section at http://www.bo2k.com .
2. Who wrote BO2K? Why was it written?
BO2K was written by DilDog of the Cult of the Dead Cow. Many of the commands that BO2K comes with were directly ported from Sir Dystic's original Back Orifice source code. It was written with a two-fold purpose: To enhance the Windows operating system's remote administration capability and to point out that Windows was not designed with security in mind.
3. Is this a 'hacker tool', or is it an 'administration tool'?
This tool, like other tools you might have around the house, can be used legitimately, or it can be used to harm people. You can take a hammer and beat people in the head with it. Doesn't mean we need to go around beating people in the head with hammers to teach them that they should watch out for maniacs wielding hammers. Imagine a whole world of people that don't know a hammer from a sponge, let alone what a hammer is good for, and you'll find what situation we're in here. Hackers can use it to hack. Administrators can use it to make their lives a lot easier. Administrators, be responsible with this tool. End-users, don't trust random people on the internet, and they won't hit you with a hammer... Too bad it has to be this way, but Microsoft wasn't thinking of making the computer foolproof when they put together their operating systems.
4. What is BO2K good for? What are the legitimate uses for it?
Remote administration.
Administration of many Windows boxes through encrypted channels. Performing
common tasks on many machines without having to walk over to each and every one
of them. Controlling a Windows machine that is many miles away with the kind of
flexibility that UNIX users have enjoyed for decades, without a ridiculous VPN
setup.
5. How big is BO2K, anyway? Gimme statistics.
Well, the BO2K server
without any plugins installed is ~100K. Nice small footprint. The client
software is ~500K. Large, bulky, MFC, GUI. That's why :). The whole suite will
fit on a single 1.44MB floppy disk.
6. Are there licensing terms for BO2K? How much does it cost?
It costs nothing. Freeware. It's also open source. It's available under the GNU Public License. For end users, the license is simple. Use it, distribute it. Don't claim that you wrote it, because you didn't. We also aren't going to support the software. We don't have ANY manpower to do so. So, if you can't figure it out with everything we've put on this web site, you're shit out of luck. For developers, more detail about source code usage is available in the Developers Corner FAQ.
7. What about the Triple-DES plugin? Tell me about export controls.
The strong encryption
provided by the Triple-DES plugin is only available in the United States. The
US still has antiquated laws in place that keep citizens and corporations from
exporting encryption that is already available in other countries anyway. The
reasons why these export restrictions are still in place are beyond me. This
probably stems from the fact that the US Government, on the whole, fears
technology because they don't understand it. It would be in the best interest
of America, for these laws to go away, and stay away. They only stifle
scientific development, and free thought and speech.
8. What does it run on? What do I need to use BO2K? Hardware requirements? Operating system?
BO2K will currently run on Windows 95, Windows 98, Windows NT, and Windows 2000 systems. All of the various parts of the BO2K suite have been tested and found to be working on all of these platforms. It only runs on Intel platforms at the moment. Since everything is open source, hopefully more support for other operating systems and environments will be added.
9. Will clients exist for other operating systems?
Well sure, why the hell not.
We did it for the UNIX command line client for the original BO. There were even
a number of TCL GUIs for Back Orifice running around out there. We'll try to
make a more concerted effort to collect what people develop and put it on the
BO2K website.
10. What about servers? Can I control a Mac from my Linux box?
Well sure! Well.. not yet.
But someday. There's no reason why the server couldn't be ported. To Mac, to
Linux, to BeOS, to CP/M. Have fun. Develop and be prolific. We dare ya.
11. What are the differences between BO2K and the original BO? Is it backward compatible?
BO2K is an almost complete rewrite of the original Back Orifice. It sports a much heftier plugin architecture that can extend every little part of the system in any way. By default, BO2K comes with the capability to talk over TCP as well as UDP, and supports strong encryption through plugins. Commands have also been added, upgraded and fixed, especially in the areas of file transfer and registry handling.