[ISN] Using JAVA to deliver BO

From: mea culpa (jerichoat_private)
Date: Tue Aug 18 1998 - 03:56:33 PDT

  • Next message: mea culpa: "[ISN] It's payback time, say Mainland hackers"

    Forwarded From: Nelson Murilo <nelsonat_private>
                              Monday, August 17, 1998
                         Back Orifice Hostile Applet Alert 
    A hostile Java applet that contains the widely publicized hacker tool
    called "Back Orifice" has been discovered on a Java consulting firm's
    WebSite. Back Orifice was designed as an application by the hacker group,
    Cult of the Dead Cow, and was debuted last week at the Def Con hacker
    conference. This application can remotely monitor and control Windows 95
    and Windows 98 systems. It also has the power to add and delete files,
    directories and registry entries. 
    The interesting twist to the Back Orifice application came recently when
    it was embedded in a Java applet and dynamically installed in the browser
    environment. While this was only a "demonstration applet," it did point
    out the growing trend of taking public domain code and changing the code
    to create a different type of attack or delivery method. This trend makes
    it virtually impossible for a security administrator to maintain adequate
    levels of protection -- the many mutations of public code can be endless.
    This is a growing trend on the Internet today, where there are "how to
    hack" sites popping up with everything from how to build denial of service
    attacks to stolen digital certificates from respected software companies.
    The most recent well-known attack using exploited public code was the
    Pentagon "teardrop" attack. 
    Throughout the last 10 days, many well-publicized security holes in
    Microsoft environments, Netscape and Eudora mail have been brought to
    light. Many of these problems are made more serious when combined with
    mobile code payloads. Buffer overflow problems are only really serious if
    the code delivered in the payload does something nasty. The upshot is that
    mobile code can be used to successfully attack and compromise many popular
    computing environments. Pervasive mobile code systems, especially
    JavaScript and ActiveX, make exploitation of subtle security holes much
    Dr. Gary McGraw, co-author of the forthcoming book, "Securing Java: 
    Getting down to business with mobile code," and Vice President of Reliable
    Software Technologies, http://www.rstcorp.com, offers this perspective: 
    "Mobile code poses a real threat to any computing environment. One way to
    lessen your security exposure is to manage mobile code extremely
    carefully. New features in Java can help you do this when used wisely. 
    Bringing this point even closer to home is the fact that the hacker tool
    called Back Orifice, which completely compromises Windows platforms, can
    now be installed using mobile code." 
                       Back Orifice Applet Delivery Details: 
        1. Although this is a demonstration only, this applet's technique can
           very easily be revised by others with malicious intent to incur
           significant damage to your computers and environment.
        2. The applet is signed and "trusted" with a digital signature, yet
           it can still do damage. While digital signatures are an important
           part of your security model, most security breaches are
           nonetheless still carried out by trusted sources. Plus, fraudulent
           digital signature certificates are already easily available from
           several hacker sites. Security solutions that rely on digital
           signature checking alone will not be effective against this applet
           injecting Back Orifice, or against other versions of this attack.
        3. Those of you with Finjan mobile code security in place are
           protected in this case. SurfinShield and SurfinGate solutions
           block this type of applet.
    We will continue to update our customers and partners about additional
    malicious mobile code. Please be sure to check Finjan's Web site for the
    latest information on security breaches. To reduce chances of applet
    proliferation, we are not including a link to the applet at this time. For
    further information on the nature of Back Orifice in general, please see
    Subscribe: mail majordomoat_private with "subscribe isn".
    Today's ISN Sponsor: New Dimensions International [www.newdimensions.net]

    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:01:18 PDT