Date: 1998-08-05
Micro/soft remote-controlled: Back Orifice follow-up
-.-. --.- -.-. --.- -.-. --.- -.-. --.- -.-. --.- -.-. --.-
q/depesche 98.8.5/3
updating 98.8.5/2
Micro/soft remote-controlled: Back Orifice follow-up
Even the cool NT engineers around ntbugtraq.com are losing
sleep over it, although the Win95/98-specific "Back Orifice"
is really none of their concern.
Perhaps because the trojan's client program, at under 125 KB,
is so tiny that it is rather easy to hide?
Perhaps because BO also works behind firewalls?
Perhaps because an ordinary virus scanner does not react to
it?
Perhaps also because an NT version as a follow-up is not
entirely unthinkable?
Whoever seeks BO will find it next to dead cows:
http://www.cultdeadcow.com
-.-.- --.- -.-.- --.- -.-.- --.-
Though not specific to NT security there has been much talk
about Back Orifice lately. I've played around with it a bit
and here is a way to find it and get rid of it.
Default installation: Installs a 122k - 123k file called
" .exe" in c:\windows\system with a modified date of 7/11/95.
Changes
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\Default
from blank to " .exe". Transmits data on UDP Port 31337 -
it's in the readme.
An attacker can modify these defaults to be anything they
like but if you check the registry entries under
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
and find one you are not familiar with (not the task
scheduler, not a virus scanner, etc.) that runs a 122k - 123k
file (does not have to be an exe) from your
c:\windows\system folder, it might be worth investigating
further. The file could probably be padded to be a
different size or the code could be modified to mutate its
size to help hide it. There was some speculation in some of
the media reports that a virus detection program might be
able to detect the program in action. Network Associates
McAfee Virus Scan did not set off any alarms. Maybe another
virus scanner will view the program's actions as suspicious?
Unless there are hidden "features" (still letting it run
behind a firewall logging all traffic on the Back Orifice
machine as a test to see if there is more to it) it is just
a useful remote admin tool in a semi-GUI box that can be
custom packaged to take advantage of existing Win9x security
flaws.
relayed by way of http://www.ntbugtraq.com
from jimst@enteract.com
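The three indicators jimst gives above (an unfamiliar RunServices value, a 122-123 KB target file in c:\windows\system, and UDP port 31337) can be checked mechanically. The following is an added example, not code from the newsletter or from jimst's post: it parses a regedit-style text export of the RunServices key, looks the launched file up in a directory listing, and scans `netstat -an`-style output for the BO port. The sample export, the directory sizes, the netstat lines and the allowlist of known value names are all constructed for the example; the size range and the handling of the " .exe" name (note the leading space) follow the post.

```python
"""Triage helpers for the Back Orifice indicators in the post above (added example)."""
import re
from dataclasses import dataclass, field
from typing import Optional

RUNSERVICES_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices"
BO_DEFAULT_UDP_PORT = 31337  # default from the post / BO readme; an attacker can change it

# Constructed .reg export of the RunServices key: the BO default entry (Default value
# set to " .exe") next to two ordinary-looking Win98 entries.
SAMPLE_REG_EXPORT = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
@=" .exe"
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"SchedulingAgent"="mstask.exe"
'''

# Constructed listing of c:\windows\system: file name -> size in bytes.
SAMPLE_SYSTEM_DIR = {" .exe": 124928, "mstask.exe": 57344}

# Constructed allowlist of RunServices value names the administrator recognises.
KNOWN_RUNSERVICES_NAMES = {"ScanRegistry", "SchedulingAgent"}

# Constructed `netstat -an` output with the BO port bound.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:139            0.0.0.0:0              LISTENING
  UDP    0.0.0.0:137            *:*
  UDP    0.0.0.0:31337          *:*
"""

_VALUE_LINE = re.compile(r'^(?:@|"(?P<name>[^"]*)")="(?P<data>.*)"$')
_FIRST_FILE = re.compile(r"^(.*?\.(?:exe|com|bat|pif|scr))(?=\s|$)", re.I)


@dataclass
class Finding:
    value_name: str
    data: str
    file_name: str
    size_bytes: Optional[int]
    reasons: list = field(default_factory=list)


def parse_runservices(reg_text):
    """Return [(value_name, data)] for the RunServices key of a .reg text export."""
    entries, in_key = [], False
    for line in reg_text.splitlines():
        if line.startswith("["):
            in_key = line.strip("[]").lower() == RUNSERVICES_KEY.lower()
            continue
        m = _VALUE_LINE.match(line) if in_key else None
        if not m:
            continue
        # regedit escapes '"' as '\"' and '\' as '\\'; undo that.
        data = m.group("data").replace('\\"', '"').replace("\\\\", "\\")
        entries.append(("(Default)" if m.group("name") is None else m.group("name"), data))
    return entries


def target_file(data):
    """Best-effort name of the program a value launches, without path or arguments.
    Leading whitespace is kept on purpose so that " .exe" survives intact."""
    m = _FIRST_FILE.match(data)
    path = m.group(1) if m else data.split(" /")[0]   # non-.exe targets: drop " /args"
    return path.rsplit("\\", 1)[-1]


def triage_runservices(reg_text, system_dir, known_names):
    """Flag RunServices entries matching the indicators from the post."""
    findings = []
    for name, data in parse_runservices(reg_text):
        fname = target_file(data)
        size = system_dir.get(fname)
        reasons = []
        if name == "(Default)" and data.strip():
            reasons.append("Default value is normally blank but launches something")
        if name not in known_names:
            reasons.append("value name not in the allowlist")
        # 122k-123k per the post; the byte boundaries are this example's assumption.
        if size is not None and 122 * 1024 <= size < 124 * 1024:
            reasons.append("target in c:\\windows\\system is 122-123 KB, the BO default size")
        if fname.strip() != fname or fname.lower() in (".exe", ""):
            reasons.append("file name is blank or starts with whitespace")
        if reasons:
            findings.append(Finding(name, data, fname, size, reasons))
    return findings


def udp_ports(netstat_text):
    """Set of local UDP ports from `netstat -an`-style output."""
    ports = set()
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0].upper() == "UDP":
            ports.add(int(parts[1].rsplit(":", 1)[1]))
    return ports


def bo_port_open(netstat_text, port=BO_DEFAULT_UDP_PORT):
    return port in udp_ports(netstat_text)


if __name__ == "__main__":
    for f in triage_runservices(SAMPLE_REG_EXPORT, SAMPLE_SYSTEM_DIR, KNOWN_RUNSERVICES_NAMES):
        print(f"{f.value_name!r} -> {f.data!r} ({f.file_name!r}, {f.size_bytes} bytes): "
              + "; ".join(f.reasons))
    print("UDP", BO_DEFAULT_UDP_PORT, "bound:", bo_port_open(SAMPLE_NETSTAT))
```

Because the post notes that both the file size and the port are trivially changed by whoever packages the program, the allowlist mismatch is the durable signal here; the size and port checks only raise the priority of an entry that is already unfamiliar.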
-.-.- --.- -.-.- --.- -.-.- --.-
TIP
Download free PGP 5.5.3i (Win95/NT & Mac)
http://keyserver.ad.or.at/pgp/download/
-.-.- --.- -.-.- --.- -.-.- --.-
- -.-. --.- -.-. --.- -.-. --.- -.-. --.- -.-. --.- -.-. --.-
edited by
published on: 1998-08-05
comments to office@quintessenz.at
subscribe Newsletter
- -.-. --.- -.-. --.- -.-. --.- -.-. --.- -.-. --.- -.-. --.-