Hackers set to convene, unleash NT Trojan horse

Security companies and network administrators cleared their weekend schedules and prepared to address the threat of the latest version of the BackOrifice hacking tool being released at the DefCon show in Las Vegas.

At last year's DefCon, the group Cult of the Dead Cow (cDc) and a member code-named Sir Dystic, released BackOrifice as a Trojan horse program that once activated can provide remote access to Windows 95 and Windows 98 client machines. This year at DefCon, the cDc has promised to release a new version, called BackOrifice 2000 (BO2K), with the capability to access Windows NT machines, and will provide open source of the code.

This has led several security companies to try to head off any attacks on users as soon as possible.

"We're trying to make a point with our customers that we're putting out electronic news alerts to let them know we are going to be working here around the clock," said Gordon Twilegar, director of security strategies for Computer Associates International. "It's going to be a very serious situation . . . there is no doubt. We need to make sure that everyone is aware."

Some network security administrators who had to protect their systems from the original version of BackOrifice are taking this new release very seriously.

"These tools scare me. They can be used for industrial espionage or information loss where information can be stolen without us knowing about it," said a security manager at a Fortune 500 oil company, who wished not to be named. "We are concerned because these tools let you set up a hacking location somewhere on the network, somewhere inside the firewall, to do what ever you want."

The cDc has put up a site at with a quote from Microsoft regarding the first version of BackOrifice not affecting Windows NT, along with the statement: "Let's try this again."

"They clearly have an attitude toward showing Microsoft their vulnerabilities," said Bob Oisen, vice president of marketing at Network-1, a provider of network security software and design in Massachusetts. "We also gathered other pieces of information from the hacker community that this thing is going to be bigger and meaner than the last generation of BackOrifice."

Network-1 and other security vendors intend to provide fixes to the attack as soon as they get a copy of the code.

"The battle plan is to do extensive [testing] on it here," said Avi Fogel, CEO at Network-1. "We probably will find that BackOrifice 2000 will have additional features besides just being an NT version of last year's product."

That the cDc intends to release the tool as open source also worries security experts, because variations or combinations of the tool with viruses such as Melissa will be much easier to create. CA's Twilegar expects several variations of the tool to appear before the weekend is over.

"Because it is being distributed as open source, I'm sure we're going to be seeing a lot of different versions of it," Twilegar said. "It has a high probability of mutating only because the source code is freely available. Anytime you have a tool like this where the source code is distributed, the probability and the risk is very high."

Some analysts said they believe the release of such tools has both positive and negative aspects.

"On the negative side, clearly you put that technology out there and sites that aren't keeping themselves current are exposed," said Phil Schacter, director of the network strategies service at the Burton Group in Utah. "The positive spin is showing there are security holes in Microsoft's latest products, [which] puts increased pressure on Microsoft to fix those holes."

Nevertheless, analysts, administrators, and vendors agree that it may be a very busy weekend for users while DefCon attendees are meeting.

"[IT managers] need to evaluate their systems and make sure they are ready to deploy the new [intrusion] signatures," Twilegar said. "You need to be around this weekend just in case; it's the prudent thing to do."

BackOrifice 2000, which is intended as a pun on the name of Microsoft's BackOffice server suite, was written by cDc "code monster" Dildog, with input from Sir Dystic.

The Cult of the Dead Cow could not be reached for comment.

Additional information on DefCon can be found at The Cult of the Dead Cow is at