Unscented Back Orifice?

Thursday, 20 August 1998

(Rewritten 22 Aug. Page erased by mistake.)

In response to my email to webmaster@xoom.com of this AM (21 Aug), XOOM.COM has removed BOSniffer and provided, in its place, a link to this page! Hopefully this will alert some of its unwitting users to the problem.
You're welcome, folks.

Starting sometime in August and until the 21st, an application called "BOSniffer" was being offered for free download at http://members.xoom.com/bosniffer. It purported to detect, remove and prevent installation of the "back door" program Back Orifice. It is probably still being handed out elsewhere. The copy I obtained 20 Aug was BOSNIFFER.ZIP (108,573 bytes); it contained two files: BOSNIFFER.EXE (dated 17 Aug; 231,068 bytes) and README.TXT (18 Aug; 999 bytes). There might be other versions.

The author sez it's: "NOT ONLY a way to detect ppl using BO on your computer BUT also way top block them from being able to install it at all!!" Yessir, typos and all, we're sold on its virtues.

This helpful little utility doesn't work. In fact:

It... IS ...Back Orifice!

BOSniffer is simply a copy of BO v1.2 (the server, a plugin, and a decoy front-end program), packaged in a "wrapper" calculated for deception.

What It Does

When you run BOSNIFFER.EXE, it does all of the following:

Now it's all installed, and runs as follows:

  1. The BO server opens port 8080 and listens there for its "Master". Its password is 1sdmo0.
  2. BO starts RUNSPEAK.DLL and sends it these parameters:
    irc.lightning.net:7000:Hey MASTER where are u!!!
  3. RUNSPEAK.DLL opens local port 1077 and connects to the IP address of cyclone.lightning.net. It joins IRC channel #BO_OWNED and sends, "Psssst...Speakeasy just started up". Presumably, "Master" is lurking on that IRC channel, comfortably anonymous, waiting dutifully for his creation to call him. He sees your IP address, and he's got you dead to rights. It takes only a few keystrokes, perhaps even an automated script, for him to access your system.

    Other interesting little texts appear in the plugin, and are probably sent as well:

    BO ButtPlugs and goodies...http://www.netninja.com/bo.html
    AJ Reznor: The pierced, tattooed grand master god of flame wars!
    Get raped!
    Who is John Galt?
    Yes, you too can own my box with this special introductory offer of $0.00!
    I'm sad to see Kontrol Faktory go away...
    Use Linux!
    This box is now property of the Illuminati.
    <<tap>> <<tap>> <<tap>>...Is this thing on?
    Where do *YOU* want to go today?!

    ("Speakeasy" appears to send a message 2-3 times a minute. I didn't leave it running very long.)

  4. Meanwhile, the little 10K program shows the trusting user a cute dialog box on the desktop:

    The "Close ALL Programs!" bit is especially cute. Anything to make you waste time while "Master" gets into your password cache!

    If the user presses the button, it pretends to search and says,

    ... and makes you wait (oh, yes) while it draws a string of little dots, seeming to do its task. Then it proudly announces:

    That's all it does. No search. Nothing but take up the user's time and attention, and boost his misplaced confidence with illusion.

    When the dialog box is closed, the BO program and its plugin continue to run unseen.

So... that's the whole rotten tale. BOSniffer fools the user into false security, and proceeds to lay him open to cyber-rape by what must be a particularly cowardly and scummy character.

The guy's pretty clever. Funny, I always thought decent ethical standards ought to be a natural consequence of intelligence. Guess not.

The only good part is, after a reboot BOSNIFFER.EXE has to be run again by the user in order to reopen the Orifice. The " " filename is invalid and doesn't execute on startup. This is probably merely a stupid error; it was undoubtedly meant to be a more lasting curse. But there's an easy workaround for the attacker: there are surely dupes who have cleverly placed BOSniffer in their StartUp group.
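The indicators above (a BO listener on port 8080, RUNSPEAK.DLL's IRC session from local port 1077 to port 7000, the #BO_OWNED join and the Speakeasy beacon, and an autostart entry whose program name is just " ") are concrete enough to check for on a suspect machine. The script below is an added example, not code from the original page; it parses `netstat -an` output, the client side of an IRC session, and a regedit `.reg` export, and reports which indicators it finds. The sample inputs are constructed (RFC 5737 test addresses, not the real server), and the assumption that the blank-named entry would live under one of the `...\CurrentVersion\Run*` keys is mine, not the page's.

```python
"""Host triage for the BOSniffer / Back Orifice indicators described above.

Added example, not code from the original page. The sample netstat output,
IRC client lines and .reg export below are constructed for the demo.
"""
import re

LISTEN_PORT = 8080          # BO server port as configured by BOSniffer
PLUGIN_SRC_PORT = 1077      # local port RUNSPEAK.DLL opens for its IRC session
IRC_PORT = 7000             # irc.lightning.net:7000 from the plugin parameters
IRC_CHANNEL = "#BO_OWNED"
BEACON_TEXTS = ("Speakeasy just started up", "Hey MASTER where are u")

NETSTAT_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+):(\S+)(?:\s+(\w+))?\s*$")
IRC_RE = re.compile(r"^(?::\S+\s+)?([A-Z]+)\s*(.*)$")
REG_KEY_RE = re.compile(r"^\[(HKEY_[^\]]+)\]$")
REG_VAL_RE = re.compile(r'^(?:"[^"]*"|@)="(.*)"$')


def netstat_findings(text):
    """Flag the BO listener and the plugin's IRC connection in `netstat -an` output."""
    out = []
    for line in text.splitlines():
        m = NETSTAT_RE.match(line)
        if not m:
            continue                                   # headers and blank lines
        proto, laddr, lport, raddr, rport, state = m.groups()
        listening = raddr in ("*", "0.0.0.0") or state == "LISTENING"
        if int(lport) == LISTEN_PORT and listening:
            out.append(f"{proto} listener on port {LISTEN_PORT} (BO server)")
        if proto == "TCP" and int(lport) == PLUGIN_SRC_PORT and rport == str(IRC_PORT):
            out.append(f"IRC session {laddr}:{lport} -> {raddr}:{rport} (RUNSPEAK.DLL)")
    return out


def irc_findings(lines):
    """Flag the channel join and the beacon in client-to-server IRC lines."""
    out = []
    for line in lines:
        m = IRC_RE.match(line.strip())
        if not m:
            continue
        cmd, rest = m.groups()
        if cmd == "JOIN" and IRC_CHANNEL.lower() in rest.lower():
            out.append(f"joined {IRC_CHANNEL}")
        elif cmd == "PRIVMSG" and any(b in rest for b in BEACON_TEXTS):
            out.append("beacon: " + (rest.partition(":")[2] or rest))
    return out


def _blank_exe_name(cmd):
    """True when the command's file name (minus extension) is empty or whitespace."""
    cmd = cmd.strip().strip('"')
    base = cmd.replace("/", "\\").rsplit("\\", 1)[-1]
    stem = base.rsplit(".", 1)[0] if "." in base else base
    return stem.strip() == ""


def registry_findings(reg_text):
    """Flag autostart values (assumed: any ...\\CurrentVersion\\Run* key) whose
    program name is blank, like the " " entry described on the page."""
    out, key = [], None
    for line in reg_text.splitlines():
        line = line.strip()
        k = REG_KEY_RE.match(line)
        if k:
            key = k.group(1)
            continue
        v = REG_VAL_RE.match(line)
        if v and key and "\\CurrentVersion\\Run" in key and _blank_exe_name(v.group(1)):
            out.append(f"autostart value with blank program name under {key.rsplit(chr(92), 1)[-1]}")
    return out


def triage(netstat_text, irc_lines, reg_text):
    """Run all three checks and return the findings per source."""
    return {"netstat": netstat_findings(netstat_text),
            "irc": irc_findings(irc_lines),
            "registry": registry_findings(reg_text)}


# --- constructed samples; addresses are RFC 5737 test ranges, not the real hosts ---
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    192.0.2.10:139         0.0.0.0:0              LISTENING
  TCP    192.0.2.10:1077        198.51.100.7:7000      ESTABLISHED
  UDP    0.0.0.0:8080           *:*
"""
SAMPLE_IRC = [
    "NICK Speakeasy",
    "JOIN #BO_OWNED",
    "PRIVMSG #BO_OWNED :Psssst...Speakeasy just started up",
]
SAMPLE_REG = r"""
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
@="C:\\WINDOWS\\SYSTEM\\ .exe"
"""

if __name__ == "__main__":
    for source, hits in triage(SAMPLE_NETSTAT, SAMPLE_IRC, SAMPLE_REG).items():
        for hit in hits:
            print(f"[{source}] {hit}")
```

On a real machine you would feed it the actual `netstat -an` listing, a packet capture of the IRC session rendered as text, and a `.reg` export of the Run keys; a clean machine produces no findings for any of the three sources, and a single listener on 8080 is worth following up even if the IRC side is quiet, since the beacon only fires while the plugin is running.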

As I see it, the diseased hacker-oid author of this betrayal needs a generous application of iron-pipe therapy by a large crowd of his "customers." If anyone knows his name (perhaps some of the above provides a clue), I'll be pleased to publish it.

Once I knew the facts, I posted this page (now revised), sent email to webmaster@xoom.com informing them of this Trojan, and encouraged others to do so. XOOM removed BOSniffer that same day, then a short time later re-posted the page with a pointer to this very page you're reading. My hat's off to XOOM.

If you were a BOSniffer victim, don't feel bad. But do learn from it.

The moral? Well, there are lots of lessons here. But one of the more obvious is: don't download and run programs from an anonymously-owned page.

And, "things aren't always what they seem." And "knowledge is power."

Get knowledge. Be powerful. Read this and other things like it and be in command of your own machine.

