REDMOND, Wash., July 8, 1999 — On Saturday, July 10, a hacker organization dubbed The Cult of the Dead Cow is expected to release Back Orifice 2000, a software tool that potentially allows users to remotely monitor and control Windows and Windows NT-based PCs without the knowledge of the end user. Back Orifice 2000 is a new version of Back Orifice, which was released in July 1998, and threatened users of the Windows 95 and Windows 98 operating systems. As with all security issues, Microsoft is evaluating the threat, proactively communicating with customers, and working with third-party anti-virus and intruder-detection vendors to mitigate any serious effects.
PressPass spoke with Jason Garms, the lead product manager for Windows NT security at Microsoft, to discuss the Back Orifice issue. In addition to overseeing security efforts both in product development and customer education, Garms manages the Microsoft security response team. The response team receives customer alerts about suspected security threats, evaluates their validity and takes appropriate steps to share information and develop protection against potential dangers.
PressPass: What is Back Orifice 2000?
Garms: Back Orifice 2000 (BO2K) is a remote-access tool that was developed with the intent of harming users. We won’t know exactly what BO2K will do until it is released; we have been unable to obtain an early copy of it. But judging from the first version of Back Orifice, which was released last summer, it is a tool that has no legitimate purpose other than exposing users’ machines to people on the Internet. Users who are tricked into getting this thing installed on their system are vulnerable to the attacker, who can then do anything that the victim can do — move the mouse, open files, run programs, etc. — which is little different from what legitimate remote-control software can do. Back Orifice, however, is designed to be stealthy and evade detection by the user.
PressPass: How does BO2K differ from a virus?
Garms: BO2K is not self-replicating. It requires someone to physically install it on a system or use an alternative delivery mechanism, such as a
A hacker could potentially attach it to a virus, but obviously the Cult of the Dead Cow (CDC) people who created this realized that would easily land them in jail, as opposed to walking the line between producing legitimate and illegitimate software. The creation and distribution of viruses is against the law.
PressPass: What is a Trojan horse?
Garms: A Trojan horse is a piece of software that, once installed on a system, can damage that system. Typically, a Trojan horse requires a user to take some kind of action to install or run it on the system. For example, if I were to send you an e-mail with a Trojan horse attached, I might say,
“Hey, this attachment is a greeting card. Double-click to view it.”
In fact, it really ends up doing bad things — that’s what a Trojan horse does. Back Orifice falls into that category because it is intentionally designed to hide itself from detection. The creators claim that this is a useful administration tool, but it doesn’t even prompt people when it installs itself on the system. It doesn’t warn them that it’s getting installed. And, once it’s installed, it makes the system available to other people on the Internet. That is a malicious act.
PressPass: How alarmed should consumers and businesses be about this?
Garms: We believe that any threat of this nature should be taken very seriously. People can protect themselves from this kind of a program by observing standard safe-computing practices, including the use of anti-virus products. They can also exercise care when running executable programs downloaded from the Internet — again, not going to random sites and just downloading things. It’s very similar to other parts of our life. You wouldn’t simply accept candy from a stranger on the street and eat that candy. Similarly, as you traverse the Internet, you don’t want to take programs from people you don’t know or necessarily trust and install them on your system.
PressPass: What platforms will be affected by this new version of Back Orifice?
Garms: It’s unclear at this point, since BO2K has not been released yet and we and the anti-virus and intruder-detection vendors have not been able to obtain early copies. But according to CDC, the makers of this software, it will be usable on systems running Windows NT, Windows 95 and Windows 98. Our suspicion, although we have not been able to verify this, is that only system administrators will be able to install BO2K on a Windows NT-based system. So again, good computing practices will provide substantial protection to corporations running Windows NT.
PressPass: What steps is Microsoft taking to protect its customers?
Garms: We started earlier this week to provide preliminary information to our customers indicating that this tool will be available and that they’ll need to be careful about it. We’re also working with the anti-virus and intrusion-detection vendors to ensure that they’re on standby to produce product updates once Back Orifice 2000 is released, so that the security software and systems our customers are using today will be able to detect and remove this malicious piece of software should it be installed.
PressPass: Other than through third-party products, is there a way that users can determine whether BO2K has been installed on their PC or network?
Garms: Until we actually get a copy of Back Orifice 2000 and are able to take a look at it, we won’t be able to tell. We’ve seen claims from CDC that BO2K is intended to be stealthy — in other words, designed to hide itself and make it difficult to detect. The only explanation for that capability is the intent of harming users and making it an even more malicious program. So as soon as it is released, we’ll not only work with anti-virus and intrusion-detection vendors to ensure that they have tools that are up-to-date, but we’ll also do our own analysis of how this program works to provide additional information for our customers about how they can detect it on their systems.
PressPass: Is there a flaw in Windows or Windows NT security that allows outsiders to control PCs remotely?
Garms: Absolutely not. Rather, Back Orifice is a program you must install on your system. The flaw is actually Back Orifice itself. Again, this exact kind of program could be developed — in fact, has been developed — for all other kinds of computing platforms. If you install the software on your system, that software can potentially allow someone else to do all of the things that you could do on the system. So there are no flaws in the Windows operating system or in Windows NT that enable this to happen.
PressPass: Do you know why this tool was created?
Garms: It’s incomprehensible why a tool like this would be created. From my perspective, this is not a tool that targets technology — it’s a tool that targets and maliciously attacks end users. So there’s no purpose for this tool other than harming actual users of software products.
PressPass: How widespread was the use of the first version of Back Orifice, released last year?
Garms: It’s unclear. I am personally unaware of any major customers of ours who consider this to be a remote-administration tool as the folks who created it claim. Quite the contrary, they consider it a piece of malicious code. Unfortunately, there are some users who were duped by the press releases from the organization that released the software, and did install it on their systems.
PressPass: Where can people turn for updates about BO2K?
Garms: We’ll provide information shortly on http://www.microsoft.com/security/. We will also continue to work with third-party vendors and other organizations to ensure that there is a large amount of information out there about Back Orifice 2000.