Unscented Back Orifice?
Thursday, 20 August 1998
(Rewritten 22 Aug. Page erased by mistake.)
In response to my email to firstname.lastname@example.org of this AM (21 Aug), XOOM.COM has removed BOSniffer and provided, in its place, a link to this page! Hopefully this will alert some of its unwitting users to the problem.
You're welcome, folks.
Starting sometime in August and until the 21st, an application called "BOSniffer" was being offered for free download at http://members.xoom.com/bosniffer. It purported to detect, remove and prevent installation of the "back door" program Back Orifice. It's probably still being handed out. Its filename (the copy I obtained 20 Aug) was BOSNIFFER.ZIP (size 108,573 bytes) and it contained two files: BOSNIFFER.EXE (dated 17 Aug; 231,068 bytes) and README.TXT (18 Aug; 999 bytes). There might be other versions.
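If you have a copy of the download sitting around, the archive size, member names and member sizes quoted above are the only indicators this page gives, and they are enough for a quick first check. The following is an added example, not code from the original page: it compares a ZIP's member list and size against those reported indicators and returns a verdict. The archive it builds for demonstration is constructed filler (zeros and x's), not the real BOSNIFFER.ZIP, so its member sizes match but its archive size does not; that mismatch is deliberate, to show why the archive size alone should not be trusted (a repacked or differently compressed copy changes it while the contents stay the same).

```python
"""Check a ZIP archive against the BOSniffer indicators reported on the page.

Added example, not part of the original page. The indicators (archive size,
member names, uncompressed member sizes) are the ones reported for the copy
obtained 20 Aug; a different version would differ, so a miss is not a clean
bill of health and a hit on names/sizes alone is a strong hint, not proof.
"""
import io
import zipfile

# Indicators from the page: member name -> uncompressed size in bytes.
BOSNIFFER_MEMBERS = {
    "BOSNIFFER.EXE": 231068,
    "README.TXT": 999,
}
BOSNIFFER_ZIP_SIZE = 108573  # reported size of BOSNIFFER.ZIP itself


def archive_members(data):
    """Return {NAME: uncompressed size} for every member of a ZIP given as bytes."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return {info.filename.upper(): info.file_size for info in zf.infolist()}


def check_archive_bytes(data):
    """Compare archive bytes to the BOSniffer indicators.

    Returns a dict with a one-line verdict plus the individual findings, so a
    caller can see which indicators matched rather than just a yes/no."""
    members = archive_members(data)
    member_match = members == BOSNIFFER_MEMBERS
    size_match = len(data) == BOSNIFFER_ZIP_SIZE
    if member_match and size_match:
        verdict = "MATCHES BOSniffer indicators exactly"
    elif member_match:
        verdict = "member list matches BOSniffer; archive size differs (repacked copy?)"
    elif "BOSNIFFER.EXE" in members:
        verdict = "contains BOSNIFFER.EXE with a different size; possibly another version"
    else:
        verdict = "no BOSniffer indicators"
    return {
        "verdict": verdict,
        "member_match": member_match,
        "size_match": size_match,
        "members": members,
        "executables": sorted(n for n in members if n.endswith(".EXE")),
    }


def check_archive(path):
    """Convenience wrapper: read an archive from disk and check it."""
    with open(path, "rb") as f:
        return check_archive_bytes(f.read())


def build_sample_archive(members=None):
    """Build a CONSTRUCTED archive in memory whose member names and sizes mimic
    the reported BOSNIFFER.ZIP. Contents are filler bytes, not the trojan."""
    members = members if members is not None else BOSNIFFER_MEMBERS
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, size in members.items():
            filler = b"\x00" if name.upper().endswith(".EXE") else b"x"
            zf.writestr(name, filler * size)
    return buf.getvalue()


if __name__ == "__main__":
    result = check_archive_bytes(build_sample_archive())
    print(result["verdict"])
    for name, size in sorted(result["members"].items()):
        print(f"  {name:<16} {size:>8} bytes")
```

Run it against a real download with `check_archive("BOSNIFFER.ZIP")`. The member-level comparison is the useful part; the archive-size comparison is there mainly to show that it is the weaker indicator.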
The author sez it's: "NOT ONLY a way to detect ppl using BO on your computer BUT also way top block them from being able to install it at all!!" Yessir, typos and all, we're sold on its virtues.
This helpful little utility doesn't work. In fact:
It... IS ...Back Orifice!
BOSniffer is simply a copy of BO v1.2, packaged in a "wrapper" calculated for deception.
What It Does
When you run BOSNIFFER.EXE, it does all of the following:
Now it's all installed, and runs as follows:
So... that's the whole rotten tale. BOSniffer fools the user into false security, and proceeds to lay him open to cyber-rape by what must be a particularly cowardly and scummy character.
The guy's pretty clever. Funny, I always thought decent ethical standards ought to be a natural consequence of intelligence. Guess not.
The only good part is that after a reboot BOSNIFFER.EXE has to be run again by the user in order to reopen the Orifice. The startup entry's filename, " " (a lone space), is invalid and doesn't execute on startup. This is probably merely a stupid error; it was undoubtedly meant to be a more lasting curse. But there's an easy workaround, and there are surely dupes who have cleverly placed BOSniffer itself in their StartUp group.
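The paragraph above names two ways this thing can come back after a reboot: a startup entry whose program name is nothing but a space, and the user's own StartUp group if BOSniffer was put there. Below is an added example, not code from the page, that scans for both. It takes a REGEDIT export of the Run/RunServices keys as text plus a listing of the StartUp folder, and flags any entry whose executable name is blank or whitespace-only, and any entry named BOSNIFFER.EXE. Assumptions not stated on the page: the key paths are the Windows 9x Run and RunServices keys, and the blank " .exe" name registered under RunServices is Back Orifice 1.2's documented default install, which is why a blank name is treated as the primary indicator. The export text and folder listing are constructed samples.

```python
"""Scan Windows startup locations for a blank-named startup program (Back
Orifice's default " .exe") and for BOSNIFFER.EXE in the StartUp group.

Added example, not from the original page. Assumptions: Run/RunServices key
paths as exported by REGEDIT on Windows 9x; the " .exe" RunServices entry is
Back Orifice 1.2's documented default, not something this page states.
"""
import ntpath
import re

RUN_KEYS = {
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run".upper(),
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices".upper(),
    r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run".upper(),
}
KNOWN_BAD_NAMES = {"BOSNIFFER.EXE"}  # name-based, from the page; weak on its own

_KEY = re.compile(r"^\[(.+)\]$")
# "name"="data" or @="data"; handles \" and \\ escapes used by .reg files
_VALUE = re.compile(r'^(@|"((?:[^"\\]|\\.)*)")=("((?:[^"\\]|\\.)*)")$')


def _unescape(s):
    return s.replace('\\"', '"').replace("\\\\", "\\")


def parse_reg_export(text):
    """Parse REGEDIT4/5-style export text into (key, value_name, data) tuples
    for string values. dword:/hex: values are skipped."""
    entries, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = _KEY.match(line)
        if m:
            key = m.group(1)
            continue
        m = _VALUE.match(line)
        if m and key:
            name = "" if m.group(1) == "@" else _unescape(m.group(2))
            entries.append((key, name, _unescape(m.group(4))))
    return entries


def executable_name(command):
    """Return the program file name from a startup command line, keeping any
    leading space in the name (so " .exe" survives) and handling both quoted
    paths and unquoted paths followed by arguments."""
    command = command.rstrip()
    if command.startswith('"'):
        end = command.find('"', 1)
        path = command[1:end] if end > 0 else command[1:]
    else:
        m = re.match(r"(.*?\.exe)", command, re.IGNORECASE)
        path = m.group(1) if m else (command.split()[0] if command.split() else "")
    return ntpath.basename(path)


def suspicious_startup_entries(reg_text, startup_folder_listing):
    """Return (location, entry_name, data, reason) for every suspicious entry."""
    findings = []
    for key, name, data in parse_reg_export(reg_text):
        if key.upper() not in RUN_KEYS:
            continue
        exe = executable_name(data)
        stem = exe[:-4] if exe.lower().endswith(".exe") else exe
        if stem.strip() == "":
            findings.append((key, name, data, "blank executable name (Back Orifice default)"))
        elif exe.upper() in KNOWN_BAD_NAMES:
            findings.append((key, name, data, "known trojan file name"))
    for fname in startup_folder_listing:
        if fname.upper() in KNOWN_BAD_NAMES:
            findings.append(("StartUp folder", fname, fname, "known trojan file name"))
    return findings


# Constructed sample export and StartUp listing (not from a real machine).
REG_EXPORT = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"SchedulingAgent"="mstask.exe"
" .exe"=" .exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Foo]
"DisplayName"="Foo 1.0"
'''
STARTUP_FOLDER = ["Microsoft Office Shortcut Bar.lnk", "BOSNIFFER.EXE"]

if __name__ == "__main__":
    for location, name, data, reason in suspicious_startup_entries(REG_EXPORT, STARTUP_FOLDER):
        print(f"{location}\n  entry {name!r} -> {data!r}: {reason}")
```

On a real Windows 9x box the export comes from `REGEDIT /E` of the three Run keys and the listing from `DIR` of the StartUp folder; the scanner only reads text, so it can be run on a clean machine against files copied off the suspect one. Note that a blank name is caught by looking at the program name, not the value name, so a renamed value still trips it.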
As I see it, the diseased hacker-oid author of this betrayal needs a generous application of iron-pipe therapy by a large crowd of his "customers." If anyone knows his name (perhaps some of the above provides a clue), I'll be pleased to publish it.
Once I knew the facts, I posted this page (now revised), sent email to email@example.com informing them of this Trojan, and encouraged others to do so. XOOM removed BOSniffer that same day, then a short time later re-posted the page with a pointer to this very page you're reading. My hat's off to XOOM.
If you were a BOSniffer victim, don't feel bad. But do learn from it.
The moral? Well, there are lots of lessons here. But one of the more obvious is, Don't download and run programs from an anonymously-owned page.
And, "things aren't always what they seem." And "knowledge is power."
Get knowledge. Be powerful. Read this and other things like it and be in command of your own machine.