CERT Vulnerability Note VN-98.07

The CERT Coordination Center publishes vulnerability notes to provide information about vulnerabilities to the user community. Because our understanding of the scope of a vulnerability may change, information that originally appears in vulnerability notes may later become part of an advisory or a vendor-initiated bulletin. Vulnerability notes may also be updated from time to time.

Date: Friday, October 2, 1998
Topic: Back Orifice

Recently, a Trojan horse program referred to as Back Orifice has received a great deal of publicity. Although Back Orifice is a potentially serious problem, the CERT/CC has received few reports of its use. As of the date of this Vulnerability Note, we have received fewer than fifty reports of attacks and probes relating to Back Orifice, which represent less than 2.5% of the reports we have received since Back Orifice was published.

How It Works

Because it is a Trojan horse, users must install Back Orifice themselves or be tricked into installing it. It can be disguised in a variety of ways and is ostensibly positioned as a "remote administration tool." Back Orifice works as a client-server program, with the intruder controlling the client. Once the Trojan horse (the server side) is on the user's system, the client, which may be running anywhere on the Internet, can access the affected system with the privileges of the user who inadvertently installed it.

Look for It

Although the CERT/CC has not completed testing of the products listed below, and does not and cannot ensure the claims of their manufacturers, the manufacturers claim that the following products can detect, and in some cases remove, Back Orifice:

  McAfee
    http://www.nai.com/download/updates/updates.asp
  Norton AntiVirus 2.0 for Windows 95
    http://www.symantec.com/nav/fs_nav5-95nt.html
  RealSecure 2.5
    http://www.iss.net/prod/rs.html

Protect Yourself

Because the intruder can make changes to the victim's machine after installing Back Orifice, removing Back Orifice from your system is not necessarily enough to prevent further intrusions. If you find Back Orifice installed on your system, we encourage you to recover by taking the steps outlined below:

A. Prepare
   1. If you have a security policy, consult it
   2. If you do not have a security policy
      i.   Consult with management
      ii.  Consult with your legal counsel
      iii. Consider contacting law enforcement agencies
      iv.  Notify others within your organization
   3. Document all of the steps you take in recovering

B. Regain control
   1. Disconnect the compromised system(s) from the network
   2. Make a complete copy of the compromised system(s)

C. Analyze the intrusion
   1. Look for modifications made to system software and configuration files
   2. Look for modifications to data
   3. Look for tools and data left behind by the intruder
   4. Review log files
   5. Look for signs of a network sniffer
   6. Check other systems on your network
   7. Check for systems involved or affected at remote sites

D. Contact the CERT/CC and other sites involved
   1. Follow the guidelines outlined in http://www.cert.org/tech_tips/incident_reporting.html
   2. Contact the CERT Coordination Center
   3. Obtain contact information for other sites involved and contact them

E. Recover from the intrusion
   1. Reinstall your operating system from distribution media
   2. Disable unnecessary services
   3. Install all vendor security patches. See http://www.microsoft.com/security/
   4. Consult CERT advisories, summaries, and vendor-initiated bulletins
   5. Use caution when restoring data from backups, since they may contain data already altered by the intruder
   6. Change passwords

F. Improve the security of your system and network using the lessons learned

G. Educate your users about the dangers of executing unknown programs or email attachments

H. Reconnect to the Internet

I. Update your security policy
   1. Document lessons learned from being compromised
   2. Calculate the cost of this incident
   3. Incorporate necessary changes (if any) in your security policy

Below is a list of pointers to additional information about Back Orifice:

  http://www.iss.net/xforce/alerts/advise8.html
  http://www.microsoft.com/security/bulletins/ms98-010.asp
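Steps C.1 through C.3 of the recovery procedure above come down to comparing the copy taken in step B.2 against a known-good baseline of the same system. The following Python script is an added example, not part of the original note and not a CERT/CC tool, of that comparison: it hashes every regular file under a directory tree, diffs a baseline recorded while the system was known good against the current state, and reports files that were added, removed or modified. The file names and contents built in demo() are constructed for illustration only and are not Back Orifice artifacts; in practice the baseline would be recorded from distribution media or a clean install and stored off the suspect machine.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def hash_tree(root):
    """Walk `root` and return {relative_path: sha256_hex} for every regular file.

    Symlinks and special files are skipped so the inventory reflects only
    content the intruder could have altered in place.
    """
    root = Path(root)
    digests = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            if path.is_symlink() or not path.is_file():
                continue
            h = hashlib.sha256()
            with open(path, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    h.update(chunk)
            rel = str(path.relative_to(root)).replace(os.sep, "/")
            digests[rel] = h.hexdigest()
    return digests


def compare_baseline(baseline, current):
    """Return (added, removed, modified): sorted relative paths that differ
    between the known-good baseline inventory and the current inventory."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in set(baseline) & set(current)
                      if baseline[p] != current[p])
    return added, removed, modified


def demo():
    """Constructed scenario (assumption, not real data): record a baseline of a
    small 'system', then simulate intruder changes and diff against it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "system").mkdir()
        (root / "config").mkdir()
        (root / "system" / "netlib.dll").write_bytes(b"clean library code")
        (root / "config" / "startup.ini").write_text("[startup]\nrun=\n")
        (root / "readme.txt").write_text("unchanged documentation\n")

        # Baseline taken while the system was known good (step B.2 / C.1).
        baseline = hash_tree(root)

        # Simulated post-compromise changes, constructed for this example:
        # a patched system library, an edited startup config, a dropped
        # binary, and a deleted file.
        (root / "system" / "netlib.dll").write_bytes(b"clean library code\x00patched")
        (root / "config" / "startup.ini").write_text("[startup]\nrun=svc.exe\n")
        (root / "system" / "svc.exe").write_bytes(b"MZ dropped binary")
        (root / "readme.txt").unlink()

        current = hash_tree(root)
        return compare_baseline(baseline, current)


if __name__ == "__main__":
    added, removed, modified = demo()
    for label, paths in (("added", added), ("removed", removed), ("modified", modified)):
        for p in paths:
            print(f"{label:9s} {p}")
```

The report is only as trustworthy as the baseline: hashes recorded on the compromised host after the fact prove nothing, which is why step E.1 reinstalls from distribution media rather than trusting what is already on disk.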