Starting sometime in August and until the 21st, an application called "BOSniffer" was being offered for free download at http://members.xoom.com/bosniffer. It purported to detect, remove and prevent installation of the "back door" program Back Orifice. It's probably still being handed out. Its filename (the copy I obtained 20 Aug) was BOSNIFFER.ZIP (size 108,573 bytes) and it contained two files: BOSNIFFER.EXE (dated 17 Aug; 231,068 bytes) and README.TXT (18 Aug; 999 bytes). There might be other versions.

The author sez it's: "NOT ONLY a way to detect ppl using BO on your computer BUT also way top block them from being able to install it at all!!" Yessir, typos and all, we're sold on its virtues.

This helpful little utility doesn't work. In fact:

• It does not detect any form, type or instance of Back Orifice.
• It does not remove Back Orifice.
• It does not prevent a BO install.

It... IS ...Back Orifice!

BOSniffer is simply a copy of BO v1.2, packaged in a "wrapper" calculated for deception.

What It Does

When you run BOSNIFFER.EXE, it does all of the following:

• Places the usual Back Orifice companion file WINDLL.DLL in the Windows\System folder (8,192 bytes).
• Places a BO plugin named RUNSPEAK.DLL in the Windows\System folder (53,248 bytes).
• Places a string value in the Windows Registry key
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
  which is named "MSIEM" and with the value " " (space).
• Creates a file named " "(space) in the Windows\System folder which is a copy of the BO server but it's non-functional. It does nothing, and like the Registry key is simply an artifact.
• Creates two files in the Windows TEMP folder with random names in the form, "~???????.TMP" -- the "?"'s are random letters.
  • Actual examples: ~DGJRBOM.tmp (178,308 bytes) and ~AGQNEZZ.tmp (10,752 bytes).
  • The larger of these two files is a copy of the BO server, configured to use the RUNSPEAK.DLL plugin.
  • The other is a little app that creates a dialog box on the desktop.

Now it's all installed, and runs as follows:

1. The BO server opens port 8080 and proceeds to listen. Its password is 1sdmo0.
   
2. BO starts RUNSPEAK.DLL and sends it these parameters:
   irc.lightning.net:7000:Hey MASTER where are u!!!
   
3. RUNSPEAK.DLL opens port 1077, and connects to IP address 209.51.160.6 (cyclone.lightning.net). It joins IRC channel #BO_OWNED and sends, "Psssst...Speakeasy just started up". Presumably, "Master" is lurking on that IRC channel, comfortably anonymous, waiting dutifully for his creation to call him. He sees your IP address, and he's got you dead to rights. It requires only a few keystrokes, perhaps even an automated script, for him to access your system.
   
   Other interesting little texts appear in the plugin, and are probably sent as well:
   
   DEAD COW!
   BO ButtPlugs and goodies...http://www.netninja.com/bo.html
   AJ Reznor: The pierced, tattooed grand master god of flame wars!
   Get raped!
   Who is John Galt?
   Yes, you too can own my box with this special introductory offer of $0.00!
   I'm sad to see Kontrol Faktory go away...
   Use Linux!
   This box is now property of the Illuminati.
   <<tap>> <<tap>> <<tap>>...Is this thing on?
   Where do *YOU* want to go today?!
   
   ("Speakeasy" appears to send a message 2-3 times a minute. I didn't leave it running very long.)
   
   
4. Meanwhile, the little 10K program shows the trusting user a cute dialog box on the desktop:
   
   The "Close ALL Programs!" bit is especially cute. Anything to make you waste time while "Master" gets into your password cache!
   
   If the user presses the button, it pretends to search and says,
   
   ... and makes you wait (oh, yes) while it draws a string of little dots, seeming to do its task. Then it proudly announces:
   
   That's all it does. No search. Nothing but take up the user's time and attention, and boost his misplaced confidence with illusion.
   
   When the dialog box is closed, the BO program and its plugin continue to run unseen.

So... that's the whole rotten tale. BOSniffer fools the user into false security, and proceeds to lay him open to cyber-rape by what must be a particularly cowardly and scummy character.

The guy's pretty clever. Funny, I always thought decent ethical standards ought to be a natural consequence of intelligence. Guess not.

The only good part is, after reboot BOSNIFFER.EXE has to be run again by the user in order to reopen the Orifice. The " " filename is invalid and doesn't execute on startup. This is probably merely a stupid error; it was undoubtedly meant to be a more lasting curse. But there's an easy workaround. There are surely dupes who have cleverly placed BOSniffer in their StartUp group.

As I see it, the diseased hacker-oid author of this betrayal needs a generous application of iron-pipe therapy by a large crowd of his "customers." If anyone knows his name (perhaps some of the above provides a clue), I'll be pleased to publish it.

Once I knew the facts, I posted this page (now revised), sent email to webmaster@xoom.com informing them of this Trojan, and encouraged others to do so. XOOM removed BOSniffer that same day, then a short time later re-posted the page with a pointer to this very page you're reading. My hat's off to XOOM.

If you were a BOSniffer victim, don't feel bad. But do learn from it.

The moral? Well, there are lots of lessons here. But one of the more obvious is, Don't download and run programs from an anonymously-owned page.

And, "things aren't always what they seem." And "knowledge is power."

Get knowledge. Be powerful. Read this and other things like it and be in command of your own machine.

Back to the Basics
PCHelp Home
BO Home