July 21, 1999 Web posted at: 3:44 p.m. EDT (1944 GMT) by Ellen Messmer

From...

INTERACTIVE Would you use a software package developed by a group that advocates hacking? Yes No View Results

LAS VEGAS (IDG) -- The hacker group Cult of the Dead Cow last week posted Back Orifice 2000, a free "tool" for seizing control of an NT-based network. But is this software evil - or good?

Unlike last year, when CDC unleashed its first version of Back Orifice and called it the hacker's best friend, this time the group wants you to believe Back Orifice is for legitimate use by network managers for remote administration.

CDC's bold assertion - and the fact that some CDC members admit to having "day jobs" at security vendors - highlights the Jekyll-and-Hyde nature of the security industry, which knows some of the best talent out there loves the darkness more than the light.

Over the raucous, drunken weekend of all-night parties and network hi-jinks that was the Def Con hacker convention, CDC got its moment in the limelight. With videos and a soundtrack bombarding the packed hall at the Alexis Park Hotel, 19 CDC members cavorted on stage and announced their latest achievement, Back Orifice 2000.

CDC urged the black-clad, tattooed Def Con audience - overwhelmingly twentysomething males - to "take control" with the client/server freeware they created.

According to Dildog, the software's main author, the freeware lets a remote user with the Back Orifice 2000 client secretly control any Windows desktop or server on which the Back Orifice 2000 server component has been installed.

CDC members make it clear they are motivated by a hatred for Microsoft's marketing power and take pride in knifing the underbelly of Microsoft products.

MORE COMPUTING INTELLIGENCE
	IDG.net home page
Network World Fusion home page
Free Network World Fusion newsletters
Reviews & in-depth info at IDG.net
		IDG.net's bridges & routers page
		IDG.net's hubs & switches page
		IDG.net's network operating systems page
		IDG.net's network management software page
Year 2000 World
Questions about computers? Let IDG.net's editors help you
Subscribe to IDG.net's free daily newsletter for network experts
Search IDG.net in 12 languages
News Radio
	Fusion audio primers
	Computerworld Minute

Unauthorized Windows users of all stripes are certain to exploit Back Orifice as a Trojan horse that can hide on the network. Creatively malicious individuals will extend the software's reach with third-party tools, since Back Orifice 2000 is built on open APIs.

But at Def Con, Dildog made the remarkable assertion that Back Orifice 2000 is for legitimate use, too, as "a remote administration tool for corporate America.

"It's just like other tools that cost a whole lot more, such as Symantec's pcAnywhere or Microsoft's System Management Server," he claimed. CDC even held a press conference at Def Con to try to convince the media that Back Orifice 2000 is kosher.

Is it? The security industry has overwhelmingly declared Back Orifice 2000 to be public enemy No. 1. CDC defenders, though, point out that if CDC were truly evil, it would be more clandestine in its labors.

Nonetheless, just about every antivirus software developer has declared Back Orifice 2000 to be a Trojan horse, and has upgraded its products to search for and destroy the freeware. The same efforts are underway by those making intrusion-detection products.

"It's just another Trojan horse for us," says Darren Kessner, Symantec's senior virus researcher. "Most Trojans are delivered as attachments in e-mail, and with our Norton Anti-Virus product, you now have an option to destroy or quarantine them in order to send them to our researcher."

Network Associates, IBM, Axent Technologies, Computer Associates and Internet Security Systems (ISS) are also of the mind that Back Orifice 2000, because of its stealth and origin, has to be treated as a threat.

"We wouldn't classify it as an administration tool - we'd classify it as a back door," says Chris Rouland, director of the ISS X-Force, the team that leaps into action to combat new security vulnerabilities. "It was developed to maliciously and stealthily install itself on a server. It even has what they call 'insidious mode' so you can't detect the traffic. It makes it look like a ping packet to subvert scanners. It's designed to fly in under the radar."

Other than garden variety hackers, the group most likely to use Back Orifice 2000 or a variation of it -- there will be many, since CDC intends to release the source code -- is the government intelligence community. Users might include the National Security Agency, the FBI or their foreign counterparts, which all conduct network surveillance. "I don't care," shrugs one CDC member, Tweetyfish. "It's for everyone."

Tweetyfish acknowledges that several CDC members have day jobs working for security firms, though he wouldn't say which companies. Many security vendors, particularly IBM, have a clearly defined policy against hiring known computer hackers. Nevertheless, the security industry strives to maintain some sort of contact with the hacker community to keep abreast of the latest exploits.

Though Axent categorizes Back Orifice 2000 as a threat, the company's manager of information services, Drew Williams, admits that the software is "interesting."

"Like any freeware code out there, you have to be both interested and cautious," he says. "If you want to learn about this technology, you'll want to hear both sides. But there's a tremendous ethical dilemma here."

Asked whether they would use Cult of the Dead Cow's tool, some network managers merely burst into laughter. Others grew thoughtful.

Bruce McCloud, systems engineer at the California Highway Patrol, says he is open to the idea of security freeware, such as the Satan network-scanner, released a number of years ago. But since Cult of the Dead Cow hasn't renounced computer hacking, he can't consider using Back Orifice 2000.

"They may be very talented, but as long as they're still advocating hacking, I would have to say no," McCloud says.

One network antidote for Back Orifice 2000 may be coming from Cult of the Dead Cow itself. One member, Sir Dystic, claims he will soon release software for detecting and eradicating the group's latest creation.