Forwarded From: Nelson Murilo <nelsonat_private>

[http://www.finjan.com/alert_back_orifice.cfm]

JSA Finjan
Monday, August 17, 1998

Back Orifice Hostile Applet Alert

A hostile Java applet that contains the widely publicized hacker tool called "Back Orifice" has been discovered on a Java consulting firm's Web site. Back Orifice was designed as an application by the hacker group Cult of the Dead Cow and debuted last week at the Def Con hacker conference. This application can remotely monitor and control Windows 95 and Windows 98 systems. It also has the power to add and delete files, directories and registry entries.

The interesting twist to the Back Orifice application came recently when it was embedded in a Java applet and dynamically installed in the browser environment. While this was only a "demonstration applet," it did point out the growing trend of taking public domain code and changing the code to create a different type of attack or delivery method. This trend makes it virtually impossible for a security administrator to maintain adequate levels of protection: the many mutations of public code can be endless.

This is a growing trend on the Internet today, where "how to hack" sites are popping up with everything from how to build denial of service attacks to stolen digital certificates from respected software companies. The most recent well-known attack using exploited public code was the Pentagon "teardrop" attack.

Throughout the last 10 days, many well-publicized security holes in Microsoft environments, Netscape and Eudora mail have been brought to light. Many of these problems are made more serious when combined with mobile code payloads. Buffer overflow problems are only really serious if the code delivered in the payload does something nasty. The upshot is that mobile code can be used to successfully attack and compromise many popular computing environments.
Pervasive mobile code systems, especially JavaScript and ActiveX, make exploitation of subtle security holes much easier. Dr. Gary McGraw, co-author of the forthcoming book "Securing Java: Getting down to business with mobile code" and Vice President of Reliable Software Technologies, http://www.rstcorp.com, offers this perspective:

"Mobile code poses a real threat to any computing environment. One way to lessen your security exposure is to manage mobile code extremely carefully. New features in Java can help you do this when used wisely. Bringing this point even closer to home is the fact that the hacker tool called Back Orifice, which completely compromises Windows platforms, can now be installed using mobile code."

Back Orifice Applet Delivery Details:

1. Although this is a demonstration only, this applet's technique can very easily be revised by others with malicious intent to inflict significant damage on your computers and environment.

2. The applet is signed and "trusted" with a digital signature, yet it can still do damage. While digital signatures are an important part of your security model, most security breaches are nonetheless still carried out by trusted sources. Plus, fraudulent digital signature certificates are already easily available from several hacker sites. Security solutions that rely on digital signature checking alone will not be effective against this applet injecting Back Orifice, or against other versions of this attack.

3. Those of you with Finjan mobile code security in place are protected in this case. SurfinShield and SurfinGate solutions block this type of applet.

We will continue to update our customers and partners about additional malicious mobile code. Please be sure to check Finjan's Web site for the latest information on security breaches. To reduce chances of applet proliferation, we are not including a link to the applet at this time.
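The point in item 2 (a valid signature proves who signed the code, not what it does) is exactly what the Java 2 policy-file model lets an administrator act on: a signature can be made a precondition for a narrow grant instead of a blanket one. The fragment below is an added illustration, not part of the Finjan alert or of the applet it describes; the keystore path, the signer alias "consultingfirm" and the host applets.example.com are hypothetical.

```text
// Hypothetical java.policy fragment (added example, not from the alert).
// Signer aliases below are resolved against this keystore; the path is a placeholder.
keystore "file:/etc/java/trusted-signers.keystore";

// WEAK: the signature check becomes a blanket grant. Any applet signed with this
// key, including one carrying a remote-control tool, runs with no restrictions.
grant signedBy "consultingfirm" {
    permission java.security.AllPermission;
};

// TIGHTER: the signature is only a precondition; the grant is scoped to what the
// applet legitimately needs and is tied to the site it is served from. Writing
// files outside the sandbox or launching a process needs permissions this entry
// never grants, so a valid signature alone no longer buys host access.
grant signedBy "consultingfirm", codeBase "https://applets.example.com/-" {
    // read-only access to a single per-user data directory
    permission java.io.FilePermission "${user.home}${/}applet-data${/}-", "read";
    // network access only back to the serving host
    permission java.net.SocketPermission "applets.example.com:443", "connect";
};
```

Only one of the two grant entries should be present: policy grants are cumulative, so leaving the AllPermission entry in place makes the scoped entry meaningless.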
For further information on the nature of Back Orifice in general, please see http://slashdot.org/features/980730/0928237_F.shtml

-o-
Subscribe: mail majordomoat_private with "subscribe isn".