Back Orifice Basics
for the Clueless and the Techie Alike

What is it?

Back Orifice is a program that can let unwanted people access and control your computer by way of its Internet link. It runs on Windows 95/98 systems.

Once installed, BO runs invisibly. It has to be run to be installed. But it is seldom recognizable to the victim.

BO can be packaged with legitimate software, attached to any program or file, or run all by itself. It installs itself quietly, usually erasing the original, and opens an "orifice" into your system. It is configurable in a variety of ways.

BO allows a very high degree of access and control by the remote operator, who uses a simple pushbutton client program to access the "server" on your machine. Once "in" your system he can perform practically any function of your computer, most of them without any outward indication to the user at the console. He can see passwords, run a DOS session, use your computer as a relay point for communications (so as to make himself untraceable), read your mail, track your keystrokes... and lots more.

BO has existed in broad and increasing use since about 3 August 1998. Read my introductory BO page for more.

BO represents a significant development in Net security for the ordinary user. Unlike past tools of the hacker trade, it can implement access to a remote system with unprecedented ease. Whereas intrusion tactics were mainly the province of highly-skilled techies in the past, BO has effectively placed this power in the hands of potentially millions of marginally-skilled people. With a little coaching, any 12-year-old could learn to use BO.

While it installs and runs very quietly, Back Orifice is nonetheless not an extremely stealthy application. It yields readily to fairly simple methods of detection and removal. It depends upon the user's unawareness of its presence, and to get installed, it generally requires a lack of caution, misplaced trust, or simply an unawareness of risks on the part of its victims. Unfortunately, those very traits are typical of a large proportion of Internet users. Where Back Orifice is concerned, what you don't know most certainly can hurt you.

BO was released in version 1.2 and so far I haven't seen any other versions (please please please send me a copy if you have or even suspect you have, any earlier version!). It can be expected to evolve, and other tools like it will inevitably appear. Only vigilance coupled with some basic skills are a reliable defense against this form of intrusion. It behooves every Netizen who values his data or privacy to learn to do what Microsoft (quite irresponsibly, I think) didn't contrive to do for him: monitor that Internet link.

Do I have it?

Maybe! But probably not yet, statistically speaking. The program has been circulating broadly only since the 3rd of August. It's just getting started. If you make a practice of exchanging or accepting program files sent or offered to you by individuals, as many people often do, you're at significant risk.

However, if you have recently installed nothing but commercial software from CDs, or applications from sources in which you have high confidence (such as Netscape or Microsoft products from the companies' own sites for example), you almost certainly don't have it.

How can I tell?

Presently, there is one totally reliable dead giveaway. BO typically requires an entry in the Windows Registry in order to be invoked on startup. It can be set up to start other ways, but it always makes that entry anyway, every time it is run. The exact entry can vary, but it is always in one place. Follow these instructions to look for it. There will be something in that key. This won't actually locate every possible BO however; so I encourage you to read this page too, technically challenging though it may be.

Another direct giveaway is a file named windll.dll which BO places in the Windows\System folder every time it runs. (This is a sort of sub-program which implements BO's keyboard logging. BO works fine without it, so removal of this alone is not a solution.)
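The two checks above (a Registry autostart entry and a file dropped into Windows\System) can be audited from an export of the autostart keys rather than by eye. The following is an added example, not part of the original page and not any anti-BO utility's code: it parses the text of a REGEDIT4-style export of the Run/RunServices keys and flags entries that deserve a second look. The sample export is constructed, and the flagging heuristics (blank or whitespace-only file name, program launched from the System folder, entry stored in the key's default value) are this example's own assumptions about what looks out of place, not a signature of any specific program.

```python
"""Audit Windows autostart Registry entries from a .reg export (added example)."""
import ntpath
import re

# Autostart keys worth reviewing; other keys in the export are ignored.
AUTOSTART_KEYS = ("\\Run", "\\RunServices", "\\RunOnce", "\\RunServicesOnce")

# Constructed sample of what "regedit /e" of the autostart keys might produce.
SAMPLE_REG = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
@="C:\\WINDOWS\\SYSTEM\\ .exe"
"""

# One REGEDIT4 value line: "name"="data" or @="data" (default value).
VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)="((?:[^"\\]|\\.)*)"$')


def parse_reg_export(text):
    """Return (key, value_name, data) tuples for every string value in the export."""
    entries = []
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = VALUE_RE.match(line)
        if m and key:
            name = m.group(1) if m.group(1) is not None else "(Default)"
            # Exports escape backslashes and quotes; undo that.
            data = m.group(2).replace("\\\\", "\\").replace('\\"', '"')
            entries.append((key, name, data))
    return entries


def executable_path(data):
    """Pull the program path out of a Run value, dropping any arguments."""
    d = data.strip()
    if d.startswith('"'):
        end = d.find('"', 1)
        return d[1:end] if end > 0 else d[1:]
    m = re.match(r"(.*?\.exe)", d, re.IGNORECASE)
    return m.group(1) if m else d.split(" ")[0]


def suspicious_entries(entries):
    """Flag autostart entries using this example's own (assumed) heuristics."""
    findings = []
    for key, name, data in entries:
        if not key.endswith(AUTOSTART_KEYS):
            continue
        path = executable_path(data)
        filename = ntpath.basename(path)
        stem = filename[:-4] if filename.lower().endswith(".exe") else filename
        reasons = []
        if not stem.strip():
            reasons.append("file name is blank or whitespace")
        if "\\system\\" in path.lower():
            reasons.append("launched from Windows\\System")
        if name == "(Default)":
            reasons.append("stored in the key's default value")
        if reasons:
            findings.append((key, name, path, reasons))
    return findings


def audit(text):
    """Parse an export and return the flagged entries."""
    return suspicious_entries(parse_reg_export(text))


if __name__ == "__main__":
    for key, name, path, reasons in audit(SAMPLE_REG):
        print(f"{key}\n  {name!r} -> {path!r}")
        for r in reasons:
            print(f"    - {r}")
```

Run it against a real export (`regedit /e autostart.reg` of the Run and RunServices keys) by reading that file instead of `SAMPLE_REG`; every entry it lists still needs a human to decide whether the program belongs there, since legitimate software also registers under these keys.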

The most direct evidence of BO's presence is its activity on your Dial-Up Networking connection. Unfortunately, with its oh-so-friendly and simple graphical interface, Microsoft has carefully insulated Win95/98 users from their own machines' network functions. But there are tools on hand in almost all machines which allow

  • monitoring of the Internet link,
  • examination and editing of Windows' vital Registry setup,
  • and for some, direct inspection of all running applications.

These are basic but powerful tools, easily utilized yet totally unknown to most users. This page explains them.

But Microsoft has kindly provided us all one little telltale. Most Win95 setups place an icon in the system tray which shows send/receive activity on the Internet link by way of two little lights. For most, those little lights are the only outward sign of Net activity. A busy intruder will set those lights flashing, just as your browser does. He may also trigger hard drive activity. If you see a lot going on that seems inappropriate, be very suspicious.

However, those little lights aren't worth much as a network monitor! If BO is running, it takes mere seconds for an intruder to access all cached passwords and view most of your system's vital statistics. He may have all he wants in moments and be gone. You almost certainly wouldn't notice and there is absolutely nothing you could do.

Reliable utilities to help find and remove BO are beginning to appear. So far I have found two -- BODetect and Back Orifice Eliminator -- which work well. However, BO can be expected to evolve and change to elude these utilities; and other programs like it will surely appear. The usual game of leap-frog is to be expected, as with viruses. A few victims, perhaps many, must emerge before each new threat is discovered and countermeasures created.

I think you'll agree, it's always preferable not to be one of those victims.

I don't have it.
How do I avoid it?

There is a LOT of advice out there on the Net about avoiding viruses, trojans, backdoors and other headaches that can be caused by malicious or intrusive programs. For ordinary Net users, I offer TWO (2) really important and really do-able pieces of advice.

Naturally there's plenty more to know, but these are the biggies, the Two Golden Rules of Home PC Security:

  1. Don't run programs from any source you don't trust completely.
  2. Buy and use decent and up-to-date virus-protection software. It will include checks and solutions for almost all potential attacks. Presently, Norton AntiVirus finds but doesn't remove BO. McAfee appears oblivious to it so far. But all of them will surely upgrade to handle BO in due time; many have already rushed to announce the fact.

And I would toss in a third and fourth for good measure:
  3. Be knowledgeable about your computer.
  4. Stay informed about security issues.

These last two aren't really optional if you plan on long-term security. And you may as well realize that no matter what you do nor what you know, a networked computer is never one hundred percent secure against all possible intrusion.

I have BO.
What now?

Send your check or money order to... Heh-heh. Had you going there, eh? Here's how you get it OUT of your computer. It really isn't hard to do.

You can also use BODetect. It's easier than my instructions, and just as effective. But you should read my page anyway. You need more than a pushbutton solution; you need knowledge; BO is only the first of its kind.

BODetect is the first anti-BO utility I've seen that reliably spots and halts an open Orifice every time. I helped Chris Benson a bit with its testing; he closed a gap or two and I can't fool it anymore. He's got great plans for this nifty free (priceless?) utility. It may soon prove to be a near-perfect and well-automated solution; for the present it will really always close down BO -- but it may not track down and remove it if it's carefully hidden, so BO may persistently start up again on reboot.

So it is that BODetect, if it's used on every startup and perhaps at intervals while online, is a virtually 100% effective BO countermeasure. But only until, of course, a new BO variant appears. It's always a game of leapfrog.

BUT! Removing BO is just the beginning.

It's Gone!
NOW what?

Your only safe assumption now is that your system has been invaded. Someone probably has some or all of your passwords, and may have obtained any or all of the information of value your computer contained.

Furthermore, you must assume that other mischief may have been done. Every sort of prank, malicious program or virus is a possibility, because with BO, the intruder had TOTAL access.

Here's a handful of recommendations:

  • Implement a solid solution to repeated "infections" with BO. As of late August, most of the major anti-virus apps have been updated to spot BO, and some of them will also remove it. But I recommend adding BODetect to your StartUp group as an added measure. Update your BODetect as improvements appear, and if equal or superior tools become available, use them.
  • Once you know your system is secure (well, secure from BO v1.2 in particular at least), you must assess the damage potential. This is purely your own judgment call; it may be extremely serious or a trivial concern. If you do little more than browse the Net and exchange a few not-too-personal emails, play games or the like, you may be virtually unharmed by any conceivable intrusion. But if you store anything of a sensitive, personal, confidential or otherwise exploitable nature on your system, you may have no choice but to assume the worst. It might be wise to try thinking like a Bad Guy to determine what might be exploitable. Examples:
    • Passwords
    • Credit card numbers
    • Banking or other financial records
    • Communications from others sent in confidence
    • Encryption keys
  • Scan for viruses. Good software for the purpose is not a huge expense. In cases where security and system stability are of utmost importance, you might have to consider a complete re-installation of your operating system and all software. In such cases too, the data you preserve or import from the affected machine must be considered suspect and should be scanned with a good and up-to-date utility.
  • Change your passwords. At the very least, call your ISP and change your Net account password. It's a favorite trick to use another's account to perform additional intrusions.
  • Inform others who may be at risk. For instance if you're an accountant or lawyer, the data on your system could be incredibly sensitive. Intensely personal emails might qualify for this concern. It may be vital to their interests to tell those whose secrets may be out.

It Won't Go Away!

You need some real know-how. Read my page Almost All The Ways to Find Your Back Orifice for more in-depth techniques for spotting BO. If you've read and used this, and your BO persists despite everything, email me and I'll do what I can to help.

But I'm Clueless!

There's no excuse for ignorance. If you're counting on that machine of yours to handle sensitive information, it's your responsibility to learn what you must in order to have control. If you can't make that stretch, keep your ledgers on paper and correspond with a typewriter. Use the computer for games and surfing and homework assignments.

Oh, and write Microsoft a letter and ask them when they're going to make a more secure OS that gives the user greater control and visibility of his own machine's communications and vital functions.

I want revenge!

If you feel an impulse to track down and personally throttle the creep who Orificed you, you may as well realize you're probably not going to get any satisfaction. But IF you followed my instructions on detection and removal of BO, and IF you sent me your BO file according to my suggestions, maybe we can do something about it.

In fact, there may sometimes be ways to catch the culprit in the act. I intend to write this up in the near future. Meanwhile read this page.

Is BO useful?

It most certainly can be! This ingenious program has a number of very legitimate uses.

BO is an effective countermeasure against BO itself.

Because the BO server is such a small file, and a snap to install, it can be e-mailed by a service professional to a client in need of help. The remote system needs only be functional enough and its operator skilled enough to receive and run the file. Then a support person can enter and perform his magic from afar without ever leaving his swivel-chair.

Because BO can be configured securely (with password protection), it's not (apparently) a risk if used briefly and with knowledge and consent. By itself it does no damage to the host system. It's readily disabled and/or removed by the remote operator, whereby he can leave the system inaccessible even to himself.

However, because the BO client program sends packets which are recognizable to firewalls and anti-BO software in common use, it is inadvisable to use the ping-sweep function to find the system you wish to contact. There's a strong probability it will result in complaints to your ISP. The IP address of the host one wishes to service should be located using some other tool.

There are other handy functions. BO can provide Telnet access, either for a very limited purpose or for command-line control of a system; and HTTP access, whereby the host instantly becomes a perfectly serviceable (but open to anyone) Web server, which will allow upload as well as download.

Is it safe to use?

No one in his right mind could fail to be suspicious of Back Orifice. Its creator could have designed the program to do all manner of mischief. It is conceivable that it contains a "backdoor" of its own, perhaps even malicious code.

Although I have in the past seen behavior that might be attributed to BO which seemed suspicious, I've been unable to substantiate that it contained anything that could backlash on its users, aside from its very common hostile misuse.

The programmer intended Back Orifice for wide distribution and use, including by his own friends. He has identified himself to one and all. I consider it very unlikely he'd have wished to embed any form of destructive virus in Back Orifice. Can you imagine what his friends would do to him if it thrashed their systems? And with their skills, they would find out the cause in short order.

However, BO might conceivably play some nasty tricks on its more unwary or uninformed users.

In the final analysis, only expert examination of the program's code could tell for sure what's in there. Personally, I'm not a programmer of any great skill. Reading the program code of the BO server and client would be a huge project for me. Rather than go to such lengths I've decided it's a very high probability BO is marginally safe to use and to leave it at that.

Concerns remain about BO's security and its reliability for serious use.

The password encryption scheme is not strong, but combined with the fact BO may operate on any of over 65,000 TCP ports, it seems adequate to most purposes. My loose understanding of BO's encryption method suggests there is no universal password. But the security of its communications is far from foolproof. BO transmissions can be "sniffed," cracked without real difficulty, and read by the recipient or at relay points. Applications exist now which can decrypt its packets in a fraction of a second. Jammer is one example.

The UDP protocol used by BO is not a fully reliable method of Net communication. It's a sort of send-it-and-hope-it-gets-there protocol, whereby the transmission is made into packets and sent without regard for whether it arrives intact. It's merely a usually-adequate method of data transmission. BO depends upon UDP for some of its functions and for all its commands to and responses from the remote system.

Except when configured erroneously, the server program seems to run very reliably. I have however once seen it run in default mode on port 31337 with no password despite being configured for a particular port and password. The same server ran properly thereafter.
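The page notes that BO commands travel over UDP, that the default port is 31337, and (earlier) that the client's ping-sweep is recognizable to firewalls. The following added example, not from the original page or from any firewall vendor, shows the shape of that detection run over a handful of constructed firewall log lines: it picks out UDP traffic involving port 31337 and reports any source that probes many distinct hosts on that port, which is what a sweep looks like from the outside. The log format and the sweep threshold are assumptions for the example; real firewalls log differently, and a server configured for another port (which the page says is possible) would not be caught by a port-only rule.

```python
"""Spot BO-style UDP traffic and ping-sweeps in firewall logs (added example)."""
import re
from collections import defaultdict

BO_DEFAULT_PORT = 31337   # default port named on the page; configurable servers differ
SWEEP_THRESHOLD = 5       # assumption: this many distinct targets from one source = sweep

# Constructed log lines in an assumed "<date> <time> <proto> src:port -> dst:port len N" format.
SAMPLE_LOG = """\
1998-08-20 21:14:01 TCP 10.0.0.5:1044 -> 192.168.1.7:80 len 40
1998-08-20 21:14:03 UDP 10.0.0.5:1045 -> 192.168.1.1:31337 len 18
1998-08-20 21:14:03 UDP 10.0.0.5:1045 -> 192.168.1.2:31337 len 18
1998-08-20 21:14:03 UDP 10.0.0.5:1045 -> 192.168.1.3:31337 len 18
1998-08-20 21:14:04 UDP 10.0.0.5:1045 -> 192.168.1.4:31337 len 18
1998-08-20 21:14:04 UDP 10.0.0.5:1045 -> 192.168.1.5:31337 len 18
1998-08-20 21:14:04 UDP 10.0.0.5:1045 -> 192.168.1.7:31337 len 18
1998-08-20 21:14:05 UDP 192.168.1.7:31337 -> 10.0.0.5:1045 len 42
1998-08-20 21:14:09 UDP 192.168.1.7:1131 -> 192.168.1.254:53 len 61
"""

LOG_RE = re.compile(r"^(\S+ \S+) (UDP|TCP) (\S+):(\d+) -> (\S+):(\d+)")


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts, proto, src, sport, dst, dport = m.groups()
    return {"ts": ts, "proto": proto, "src": src, "sport": int(sport),
            "dst": dst, "dport": int(dport)}


def bo_hits(lines, port=BO_DEFAULT_PORT):
    """Return parsed UDP records where either end is the watched port."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and rec["proto"] == "UDP" and port in (rec["sport"], rec["dport"]):
            hits.append(rec)
    return hits


def sweep_sources(hits, port=BO_DEFAULT_PORT, threshold=SWEEP_THRESHOLD):
    """Sources that sent to at least `threshold` distinct hosts on the watched port."""
    targets = defaultdict(set)
    for rec in hits:
        if rec["dport"] == port:
            targets[rec["src"]].add(rec["dst"])
    return sorted(src for src, dsts in targets.items() if len(dsts) >= threshold)


def responders(hits, port=BO_DEFAULT_PORT):
    """Hosts seen answering *from* the watched port, i.e. likely running a server."""
    return sorted({rec["src"] for rec in hits if rec["sport"] == port})


if __name__ == "__main__":
    hits = bo_hits(SAMPLE_LOG.splitlines())
    print(f"{len(hits)} UDP packets involving port {BO_DEFAULT_PORT}")
    print("sweep sources:", sweep_sources(hits))
    print("hosts answering from the port:", responders(hits))
```

The reply from 192.168.1.7:31337 is the more interesting line for a defender than the sweep itself: an inbound probe only tells you someone is looking, while an outbound answer from that port tells you a machine on your side is listening.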

The GUI client runs without causing crashes (on my system) even when running a dozen or more simultaneous instances. There are a few bugs, some noted in the cDc materials and some others of minor consequence that I've observed. The GUI client can be crashed, deliberately or by reason of data corruption, if it receives certain erroneous data. The same may be true of the server. The program could use plenty of refinement, but it usually works well.

Overall, BO definitely isn't something to rely upon for high security nor for demanding applications. But as a legitimate tool it has potential applications all the same: unmatched compactness, wonderful simplicity, many unique and powerful features, and it usually runs just fine; and it has an unbeatable price.

I advise against its use in general, but I'm sure some of you out there will wish to try using it as a handy utility. I would advise that if you choose to use it to contact or service a remote machine, you then remove it as soon as possible; and that you never make the assumption that either the client or the server end is secure while the program is running and online. I strongly advise against allowing either program to run online unattended.
