Cult of the Dead Cow responds to Microsoft about Back Orifice

This is our response to Microsoft's damage control statement of 1998-Aug-04.
For a statement regarding our motives for releasing this tool, take a gander at our moral justifications.

last revision: 1998-Aug-10

Microsoft's statement is quoted point by point below, each followed by cDc's response.
Microsoft: On July 21, a self-described hacker group known as the Cult of the Dead Cow released a tool called BackOrifice, and suggested that Windows users were at risk from unauthorized attacks.

cDc: Actually, we released it on August 3rd.

Incidentally, it's been downloaded at least 35,000 times as of 11:55pm, August 7th.

Microsoft: Microsoft takes security seriously, and has issued this bulletin to advise customers that Windows 95 and Windows 98 users following safe computing practices are not at risk...

cDc: This is simply false. Our view is that no degree of "safe computing practices" can compensate for the security bugs and lack of functionality in Windows 95 & 98.

Microsoft: ...and Windows NT users are not threatened in any way by this tool.

cDc: For the present. But remember that the tool has been around for less than a week.

The Claims About BackOrifice

Microsoft: According to its creators, BackOrifice is "a self-contained, self-installing utility which allows the user to control and monitor computers running the Windows operating system over a network". The authors claim that the program can be used to remotely control a Windows computer, read everything that the user types at the keyboard, capture images that are displayed on the monitor, upload and download files remotely, and redirect information to a remote internet site.

cDc: Back Orifice does not do anything that the Windows 95/98 operating system was not intended to do. It does not take advantage of any bugs in the operating system or use any undocumented or internal APIs. It uses documented calls built into Windows to do such things as:

  • Reveal all cached passwords. This includes passwords for web sites, dialup connections, network drives and printers, and the passwords of any application that stores user passwords in the operating system. (This Windows feature was implemented apparently so the user won't be inconvenienced by having to remember his passwords every time he uses his computer.)

  • Create shares hidden to the user and list the passwords of existing shares.

  • Make itself mostly invisible. Back Orifice does not appear in the control-alt-delete list of running programs, and can only be killed by a low level process viewer which Windows 95 does not ship with. To their credit, Windows 98 does ship with a process viewer, but it is not installed by default.
The Truth About BackOrifice

Microsoft: BackOrifice does not expose or exploit any security issue with the Windows platform or the BackOffice suite of products.

cDc: Back Orifice has nothing to do, at all, with the Back Office suite. In fact, the Back Office suite only runs on NT, which isn't even supported by Back Orifice yet. Apples and oranges.

Microsoft: BackOrifice does not compromise the security of a Windows network.

cDc: cDc would like to know where exactly Microsoft is getting its definition of 'compromise the security'.

Microsoft: Instead, it relies on the user to install it...

cDc: Back Orifice does not rely on the user for its installation. To install it, it simply needs to be run. Thanks to some actual exploits, there are several ways a program could be run on a Windows computer, not only without the user's approval, but without the user's knowledge.

Microsoft: ...and, once installed, has only the rights and privileges that the user has on the computer.

cDc: This is correct. Once installed, Back Orifice can only do what the user sitting at the computer could do, if he has programs that do everything that Back Orifice does.

This includes:

  • seeing what's on the screen
  • seeing what's typed into the keyboard
  • installing software
  • uninstalling software
  • rebooting the computer
  • viewing stored passwords
  • viewing and editing the system registry
  • connecting and disconnecting the machine to other network hosts using anyone's username & password
  • running arbitrary plugins or programs, which of course could employ any manner of exploit or attack
Microsoft: For a BackOrifice attack to succeed, a chain of very specific events must happen:

  • The user must deliberately install, or be tricked into installing the program

cDc: Not at all. Thanks to various security bugs and common system misconfigurations, there are often ways to deliver and execute arbitrary code on a Windows machine.

Even lacking such an exploit, it's easy enough to give the average Windows user a reason for downloading & installing programs from untrusted sources. It happens all the time.

Microsoft:

  • The attacker must know the user's IP address.

cDc: Untrue. Back Orifice can sweep a range of IP addresses and network blocks to hunt for installations of its server software.

Microsoft:

  • The attacker must be able to directly address the user's computer; e.g., there must not be a firewall between the attacker and the user.

cDc: Incorrect. The mere presence of a firewall or proxy server is not in itself a complete solution.

For good, reliable protection for Windows machines on the internet, the cDc can recommend nothing better than a good, properly configured firewall. However, a firewall that permits ANY traffic is still a potential risk.

Back Orifice can communicate over any available port. Therefore, if the firewall lets through any UDP packets at all, two-way communication can be established.

As for file transfers originating at the remote machine, Back Orifice can use TCP to send data out through the firewall.

Not to mention the hundreds of thousands of Windows 95 and 98 boxes connected to the internet via a dial-up connection through their local or national ISP. For mass IP vendors like those, a firewall simply isn't reasonable. Most of the internet simply wouldn't be accessible anymore.
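As an added illustration (not part of the cDc page or the Back Orifice code), the toy packet filter below models the firewall point above: a policy that admits any inbound UDP lets an unsolicited datagram reach a listener on an arbitrary port, and a policy without egress filtering lets the inside host push data out over TCP, while a default-deny stateful policy only admits replies to flows the inside host opened. All addresses, ports and the `Firewall` class are constructed for the example.

```python
# Added example, not part of the cDc page: a toy stateful packet filter used to
# compare a "permit any UDP" policy with a default-deny policy. Constructed values only.
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    proto: str       # "udp" or "tcp"
    direction: str   # "in" (from the internet) or "out" (from the protected host)
    src: str
    sport: int
    dst: str
    dport: int

class Firewall:
    def __init__(self, allow_any_udp=False, allow_out_tcp=True, inbound_tcp_services=()):
        self.allow_any_udp = allow_any_udp              # the weak setting the text warns about
        self.allow_out_tcp = allow_out_tcp              # True means no egress filtering
        self.inbound_tcp_services = set(inbound_tcp_services)
        self.flows = set()                              # 5-tuples of flows opened from inside

    def filter(self, pkt):
        """Return "pass" or "drop" for one packet, recording inside-initiated flows."""
        if pkt.direction == "out":
            if pkt.proto == "tcp" and not self.allow_out_tcp:
                return "drop"
            self.flows.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "pass"
        # Inbound: a reply to a flow the inside host opened is admitted by state.
        if (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.flows:
            return "pass"
        if pkt.proto == "udp" and self.allow_any_udp:
            return "pass"                                # any port reaches a backdoor listener
        if pkt.proto == "tcp" and pkt.dport in self.inbound_tcp_services:
            return "pass"
        return "drop"

VICTIM, ATTACKER = "192.0.2.10", "203.0.113.5"          # constructed documentation addresses

def unsolicited_udp_reaches(fw, port):
    """Does an unsolicited inbound UDP datagram to `port` on the victim get through?"""
    return fw.filter(Packet("udp", "in", ATTACKER, 40000, VICTIM, port)) == "pass"

def outbound_tcp_leaves(fw, port):
    """Can the inside host open an outbound TCP connection to an arbitrary remote port?"""
    return fw.filter(Packet("tcp", "out", VICTIM, 1025, ATTACKER, port)) == "pass"
```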

What Does This Mean for Customers Running Windows 95 and Windows 98?

Microsoft: BackOrifice is unlikely to pose a threat to the vast majority of Windows 95 or Windows 98 users, especially those who follow safe internet computing practices. Windows 95 and Windows 98 offer a set of security features that will in general allow users to safely use their computers at home or on the Internet. Like any other program, BackOrifice must be installed before it can run. Clearly, users should prevent this installation by following good practices like not downloading unsigned executables, and by insulating themselves from direct connection to the Internet with Proxy Servers and/or firewalls wherever possible.

cDc: cDc remembers a day when PC software was written by anyone who had a creative idea for a cute, useful, interesting, or even just plain silly program and being able to share that program with friends who might also enjoy the program. It is unfortunate that the only software we're allowed to run now is written by large companies. It's a good thing we can still trust them not to do something unwanted to our computer!

Microsoft: Generally, computers running Windows 95 and Windows 98 are not vulnerable if:

  • The computer is not connected to the outside world

cDc: Unless someone on the inside wants control of your machine.

Perhaps your employer is using B.O. to keep track of its human resources. (As a matter of fact, in most states this would be entirely legal.) Or suppose one of your coworkers is just plain nosy.

In these circumstances, it doesn't matter if your computer is on the internet.

Microsoft:

  • The computer is connected to the Internet through an Internet service provider that dynamically assigns IP addresses - as the vast majority of ISPs already do.

cDc: Unless the dynamically assigned address is always in the same subnet (as it is with the vast majority of ISPs), in which case B.O. can scan a range of IP addresses to find your machine at its new address.

Microsoft:

  • The computer is on a network with a firewall or proxy server between it and the attacker.

cDc: See above ("firewalls").
What Does This Mean For Customers Running Windows NT?

Microsoft: There is no threat to Windows NT Workstation or Windows NT Server customers; the program does not run on the Windows NT platform. BackOrifice's authors don't claim that their product poses any threat to Windows NT. Windows NT Workstation and Server offer a comprehensive set of security features that make it the best choice for business users' mission-critical applications.

cDc: Don't go upgrade to Windows NT just yet.

We will be releasing a Windows NT version as soon as we get around to installing that OS.

What Customers Should Do

Microsoft: Customers do not need to take any special precautions against this program. However, all of the normal precautions regarding safe computing apply:

Customers should keep their software up to date and should never install or run software from unknown sources -- this applies to both software available on the Internet and sent via e-mail. Reputable software vendors digitally sign their software to verify its authenticity and safety. Companies should use the security features provided by Microsoft products, to prevent the introduction of this and other malicious software, and should monitor network usage to prevent insider attacks.

cDc: Rather than having to abstain from using software that isn't from a big-company "Reputable Vendor", how about providing some protection? How about the ability to monitor and even prevent disk and registry access, so people can run software with confidence: so that even if the author has malicious intent, the software has become infected with an unknown virus or trojan, or there is a bug or malfunction, there is no damage it can do.

Incidentally, Microsoft is also falsely claiming that they tried to contact us regarding BO. On the contrary, Microsoft has repeatedly shown little interest when contacted about security holes in their products in the past. In general, they have needed to have their noses rubbed in it before acknowledging any problems.

cDc issued a preliminary press release about Back Orifice more than a month before releasing the software. A wider-distribution Press Release was issued on July 21st, more than a week before the demonstration at DefCon VI... and again, nothing from Microsoft.

Other than issuing silly statements to the press, among other things calling us irresponsible and comparing BO to Satan (again, apples and oranges), they have never contacted us. For over 3 days at Defcon, no one from Microsoft introduced or identified themselves to us. Immediately following our presentation, we were swarmed by the media and the curious... but no one from Microsoft.

It wasn't until August 4 that Scott Culp, Security Product Manager for Windows NT Server contacted us in e-mail:

Date: Tue, 4 Aug 1998 11:41:53 -0700
From: Scott Culp <>
To: "''" <>
Subject: BackOrifice

I recently received report of your BackOrifice tool, and would welcome an opportunity to talk with you about the tool and the security vulnerabilities you believe it exploits. Microsoft is interested in making our products as secure as possible for our customers, and I'd look forward to talking with you about this issue.

We immediately called him back. He was interested in learning about every vulnerability we knew of. "The biggest one we know of is Windows 95/98 itself," to which he agreed.

Later that same day, Microsoft issued another statement -- this time mentioning that they had tried to contact us and had gotten no response.

The goliath doth protest too much, methinks.

The fact remains that Back Orifice is only as dangerous as Microsoft's security is deficient.

How about a for-instance?

Win95/98 caches frequently-used passwords in clear-text, which BO has access to. This often includes passwords users use for their ISPs. But if one is to believe the missives which issue from the Microsoft Marketing Department, ISPs have nothing to worry about. Either that or ISPs across the globe should encourage all their customers to upgrade to NT?

Is Windows 95/98 the platform on which you perform 'secure' transactions? Is a Windows 95/98 platform an endpoint of your corporate VPN? If so, maybe you should be worried.

Back Orifice is a Rorschach for Microsoft credibility. Microsoft's own official response to us was issued as a marketing bulletin! Does anybody else besides cDc find it disturbing that the Marketing Department is running the show over there?

Oh, never mind. Forget we ever mentioned it. Listen to Microsoft; don't worry, be happy. Everything will be all right. Move along, there's nothing to see here.