Internet Security Systems

use

This document describes how hackers will employ Back Orifice in order to break into your machine.

setup

Back Orifice allows configuration with a specific port number and password in order to avoid detection. Luckily, the majority of hackers aren't too bright and skip this step, making Back Orifice relatively easy to detect (as virtually any traffic on port 31337). Smart hackers, however, configure their own password and override some well known port such as DNS (53). Traffic on port 31337 is noticed immediately by firewalls as Back Orifice, but traffic on port 53 is usually not logged at all.
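The detection gap described above (default port 31337 is obvious, a relocated server on port 53 hides among unlogged DNS traffic) can be narrowed by checking whether port-53 datagrams actually look like DNS. The following is an added example, not code from ISS or from the Back Orifice tool; the datagrams and the record layout are constructed, and it assumes the traffic is carried in UDP datagrams whose destination port and payload have already been extracted by a sniffer or firewall log.

```python
import struct

BO_DEFAULT_PORT = 31337  # the well-known default the page describes

def looks_like_dns(payload: bytes) -> bool:
    """Minimal conformance check of a DNS query (RFC 1035 header + one question)."""
    if len(payload) < 12:
        return False
    _ident, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", payload[:12])
    opcode = (flags >> 11) & 0xF
    if opcode > 2 or qdcount != 1:      # classic opcodes only; resolvers send one question
        return False
    pos = 12                            # walk the length-prefixed labels of QNAME
    while True:
        if pos >= len(payload):
            return False
        length = payload[pos]
        if length == 0:
            pos += 1
            break
        if length & 0xC0 or length > 63:  # no compression pointers or oversize labels
            return False
        pos += 1 + length
    return pos + 4 <= len(payload)      # QTYPE and QCLASS must follow the name

def classify(dst_port: int, payload: bytes) -> str:
    """Return 'ok' or an alert string for one datagram."""
    if dst_port == BO_DEFAULT_PORT:
        return "alert: traffic to Back Orifice default port 31337"
    if dst_port == 53 and not looks_like_dns(payload):
        return "alert: non-DNS payload on port 53 (possible relocated remote-access tool)"
    return "ok"

# Constructed samples: (label, dst_port, payload)
GOOD_DNS = (struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)
            + b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1))
SAMPLES = [
    ("lookup", 53, GOOD_DNS),
    ("default-port", 31337, b"\x01\x02\x03"),
    ("fake-dns", 53, b"\x00" * 24),      # header with qdcount=0 and no question
]

def findings(samples=SAMPLES) -> list:
    """Labels of datagrams that raised an alert."""
    return [label for label, port, data in samples if classify(port, data) != "ok"]

if __name__ == "__main__":
    for label, port, data in SAMPLES:
        print(label, "->", classify(port, data))
```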

installation

The first problem a hacker faces is getting Back Orifice on the machine. Back Orifice doesn't break into machines itself, but instead provides remote access once the machine has been broken into. Some techniques a hacker might use are:
Windows sharing
A large number of machines have "File and Print Sharing" enabled. This frequently provides a means for the hacker to copy Back Orifice onto the machine. In order to be useful, the program must be run. Therefore, the hacker must play some tricks on the remote machine, such as copying it to the startup folder or naming it the same as some other program the user is likely to run. In order to prevent this attack, make sure that "File and Print Sharing" is disabled.
e-mail
The most frequent Back Orifice compromise happens when somebody e-mails the victim the program. The prevalence of greeting-card style programs has made people unwary. If you don't run an executable that somebody sends you, you cannot be infected.
USENET
Similar to e-mail, hackers might post programs to newsgroups containing Back Orifice.
chat rooms
In chat rooms using such programs as IRC or ICQ, a hacker might attempt to send someone Back Orifice.

discovery

Because of the nature of infection described above, a hacker rarely knows exactly where the victim is. Therefore, the attacker has to scan the Internet looking for the victim. Usually, the attacker has some clue, such as which ISP or which city the victim lives in.

Back Orifice allows the attacker to configure a range of IP addresses and scan that range with "PING". There are now numerous Back Orifice "lure" programs that configure themselves on port 31337, so hackers using this port are easily caught. Hackers who have configured separate passwords or ports are much harder to catch during this discovery process.

exploitation

Once the hacker has infected and found the victim, the hacker has complete control over the victim's machine. The software is not very user friendly, so the hacker usually only carries out a few operations. Some typical attacks the hacker will carry out are:
screenshots
Downloads a picture of the screen so that the hacker can see what the user is doing.
keyboard capture
Captures all keystrokes to a file so that the hacker can not only steal data (from what the user types in), but also username and account information when they log on to trade stocks, pay bills, or telecommute.
file transfer
Read files directly off the disk. These could be sensitive files like tax information, or just "voyeur" type data like the browser history logs (to see if the victim has been surfing porn sites).
bounce
The most important possibility for the hacker is to install a "plugin" that will allow them to "bounce" attacks through the victim's computer. This allows the hacker to now attack machines throughout the Internet (such as against the FBI or Pentagon) without being caught, because the attacks appear to be coming from the victim, not the hacker who is one step removed.
