Back Orifice

Category: Scare
Type: scare
Discovered On: 01 Jan 2000
Updated On: 08 Jun 2006


The "Back Orifice administration tool" allows computers that are running the Back Orifice driver (BOSERVER in the software's own terminology) to be administered remotely by one of a pair of administration clients (a GUI version and a console version).

The administration client allows manipulation of most elements of a remote Windows 95/98 machine that has the BO driver installed, including registry entries, the file system, the process database, keystrokes typed and screen output.

Although this sort of control is offered by numerous existing commercial applications, Back Orifice, as its name suggests, carries additional baggage in its implementation which makes it an "undesirable application". For example, the driver software installs itself, by default, with an unusual name ("#.EXE", where # represents a space character). It also deletes the original installation file once the non-obviously-named driver is in place. Furthermore it claims to include a feature which allows the driver to be "bound", virus-like, to another program. Then, when this hybrid program is run, the driver silently installs itself with its unusual name before running the original program. This allows it to obfuscate both its invocation and its presence.

Administrators anticipating a legitimate use for Back Orifice on their network will probably want to bear in mind that the packets transmitted between Back Orifice clients and servers are easy to intercept and decode, even if BO's encryption is used. This means that illicit network snoopers will be able to intercept and recover BO sessions even on networks where BO is being used intentionally. Such snoopers will also be able to recover, from a BO packet session, the password used. This will allow them to connect directly to machines on the network in future.
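The following is an added illustration of why a BO-style session is so easy for a snooper to recover; it is a constructed toy model written for this page, not Back Orifice's own cipher or code. It models the weakness the paragraph describes: a keystream derived from a short password, restarted for every packet, applied to packets that all begin with a fixed header. The header constant, the seed derivation, the generator constants, the wordlist and the "captured" packets are all assumptions.

```python
# Added example (not code from the original page or from Back Orifice).
# Toy model of a password-keyed XOR "cipher" with a fixed packet header.
# Everything below (header, hash, generator, sample capture) is assumed.

MAGIC = b"*!*QWTY?"  # assumed fixed plaintext at the start of every packet


def password_to_seed(password: bytes) -> int:
    """Assumed key derivation: fold the password into a 16-bit seed.
    A 16-bit key space is what makes exhaustive search instantaneous."""
    seed = 0
    for c in password:
        seed = (seed * 31 + c) & 0xFFFF
    return seed


def keystream(seed: int, n: int) -> bytes:
    """Assumed keystream: n bytes taken from a linear congruential generator."""
    state = seed
    out = bytearray()
    for _ in range(n):
        state = (state * 214013 + 2531011) & 0xFFFFFFFF
        out.append((state >> 16) & 0xFF)
    return bytes(out)


def xor_bytes(data: bytes, ks: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, ks))


def encrypt(password: bytes, packet: bytes) -> bytes:
    """Client/server side: the keystream restarts at the seed for every packet."""
    return xor_bytes(packet, keystream(password_to_seed(password), len(packet)))


def recover_seeds(ciphertext: bytes, crib: bytes = MAGIC) -> list:
    """Snooper side: every seed whose keystream turns the captured packet's
    first bytes into the known header. 2**16 trials, no password required."""
    head = ciphertext[:len(crib)]
    return [s for s in range(0x10000)
            if xor_bytes(head, keystream(s, len(crib))) == crib]


def decrypt_session(packets, seed: int) -> list:
    """Decrypt every packet of a capture with one recovered seed."""
    return [xor_bytes(p, keystream(seed, len(p))) for p in packets]


def dictionary_attack(seed: int, wordlist) -> list:
    """Turn the recovered seed back into a usable password, if it is in the list."""
    return [w for w in wordlist if password_to_seed(w) == seed]


def forge(seed: int, plaintext: bytes) -> bytes:
    """The seed alone is enough to produce packets the server will accept."""
    return xor_bytes(plaintext, keystream(seed, len(plaintext)))


# Constructed sample session (not a real capture).
SAMPLE_PASSWORD = b"secret"
SAMPLE_PLAINTEXT = [MAGIC + b"\x01ping", MAGIC + b"\x02dir c:\\", MAGIC + b"\x03reg query"]
SAMPLE_CAPTURE = [encrypt(SAMPLE_PASSWORD, p) for p in SAMPLE_PLAINTEXT]
SAMPLE_WORDLIST = [b"password", b"admin", b"secret", b"letmein"]


def snoop(capture, wordlist=SAMPLE_WORDLIST) -> dict:
    """Full snooper workflow from one captured session: seed, plaintext, password."""
    seed = recover_seeds(capture[0])[0]
    return {
        "seed": seed,
        "plaintext": decrypt_session(capture, seed),
        "passwords": dictionary_attack(seed, wordlist),
    }


if __name__ == "__main__":
    result = snoop(SAMPLE_CAPTURE)
    print("recovered seed:", result["seed"])
    for p in result["plaintext"]:
        print("decrypted:", p)
    print("password candidates:", result["passwords"])
    print("forged packet:", forge(result["seed"], MAGIC + b"\x04reboot").hex())
```

Two properties of this model are worth noticing. First, because the keystream restarts for every packet and every packet starts with the same header, all packets in a session share identical leading ciphertext bytes, which is exactly what lets an intrusion detection signature match on a fixed byte string. Second, the snooper never needs the password itself: the recovered seed is sufficient to decrypt the session and to forge commands, and a short wordlist turns it back into the password as a bonus.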

In view of the above, we have assumed that no well-informed administrators will want to allow Back Orifice tools to be used on their network. We hope that although BO's notoriety may mean the tools will become more widespread than might be liked, it will also mean that users will be more easily encouraged not to accept and run any arbitrary programs they receive. We further hope that BO's notoriety will mean that administrators will be more likely to be on the lookout for it, and therefore that those trying to use it for malevolent purposes will be more likely to be caught out.

Please refer to the Back Orifice 2000 analysis for further details.
