SMBRelay: The Program Which Gave Microsoft a Headache for More Than 7 Years

In 2001, Cult of the Dead Cow, a US hacker group released SMBRelay. The group started in 1984 and created waves all over the world numerous times through its controversial software releases. The SMBRelay project was the brainchild of Josh Buchbinder. The hacker world knows him by the name Sir Dystic. He wrote SMBRelay in less than two weeks. He also authored Back Orifice, which was released in 1998. Similar to Back Orifice, SMBRelay too was focused on Microsoft Windows systems.

SMBRelay is an SMB MITM attack tool written mainly in C++. An MITM attack or a Man-in-the-Middle attack is an attack which allows the attacker to sit in the middle of a communication stream between two unsuspecting parties. Through an MITM attack, the attacker can read, store, or alter the information coming from the source and simply forward it to the destination. It’s a concept known to even novice hackers. SMBRelay is not an average MITM tool. It uses some pretty advanced tactics which set it apart from other run-of-the-mill MITM tools. SMBRelay requires administrator privilege to run. Xfocus Team, a non-profit organization focused on security research, has a detailed article which explains in great depth how SMBRelay works, it “receives a connection on port 139, connects back to the connecting computer’s port 139, and relays the packets between the client and server of the connecting Windows machine, making modifications to these packets when necessary”. The interesting thing is it is impractical to block port 139 as it is used for NetBIOS sessions. The software has in-built support for multi-threading and is capable of handling multiple connections at the same time. It generates new IP addresses in sequence and removes an IP address when target host gets disconnected. SMBRelay stores transmitted NTLM password hashes in a text file named hashes.txt (NTLM stands for NT LAN Manager, a network security protocol suite from Microsoft). The format used is suitable for later cracking by a program such as L0phtcrack. SMBRelay is run with the smbrelay command. It gives the best results with machines such as Windows NT and Windows 2000. The compatibility with 9x and ME is not good. It cannot work with NTLMv2 which uses 128-bit encryption. A second version of the program, SMBRelay2 was released later which is compatible with “any protocol NetBIOS is bound to.”

In an interview with The Register, a world-renowned online tech outlet, Sir Dystic lambasted Microsoft for not taking care of well-known protocol flaws to ensure backward compatibility. He added that merely having a firewall does not offer any protection against the security flaw. Now comes the hilarious part. SMBRelay was launched on March 21, 2001. It took Microsoft more than seven years (2792 days, to be exact) to write a patch. The security bulletin MS08-068 was published on November 11, 2008. The patch fixes the vulnerability in the MS Server Message Block (SMB) Protocol. The bulletin mentioned that the vulnerability allowed remote code execution and an attacker who had successfully exploited the vulnerability was able to “install programs; view, change, or delete data; or create new accounts with full user rights.” The update was rated as Important. Discussions on hacker blogs and platforms stand evidence to the fact that SMBRelay still remains a tool of interest for security researchers.

Back Orifice 2000: A Step Beyond Back Orifice

The launch of Back Orifice 2000 was announced at DEF CON 7th Edition in 1999. BO 2000 was originally developed by Christien Rioux (DilDog), a member of Cult of the Dead Cow. He was in the development team of L0phtCrack or LC, Windows password audit and recovery tool. In 2006, he co-founded Veracode, a Massachusetts-based application security company. He is also the Chief Scientist in Veracode.

BO 2000 is a step up over its predecessor Back Orifice, which was developed by Josh Buchbinder (Sir Dystic) and launched at DEF CON 6th Edition in 1998. It contains several advancements over its predecessor. The first and most important of them is increased scope. Back Orifice had support for only Windows 95 and Windows 98. In addition to those two, BO 2000 has support for Windows NT, Windows 2000, Windows XP, & Windows Vista. BO 2000, also known as BO2K, has a leaner structure. It includes large organizations in its scope whereas its predecessor’s scope was limited to individuals and small businesses. BO 2000 comes as a server-client duo and has a modular structure which makes it easy for users to add additional features. It also comes with a configuration utility which helps to configure the server application. It is difficult for network monitoring software solutions to detect its presence. It has real-time keystroke logging and real-time desktop viewing feature. It supports strong encryption.

BO2K faced moral and legal questions from the experts. It did not take long for it to be categorized as a malware. F-Secure Labs categorizes it as a backdoor Trojan. McAfee Inc. profiles BO 2000 as a malware of type Trojan and subtype Remote Access. It also lists a lesser known alias of BO2K, Orifice2k.srv. Symantec Corporation detects it as a Trojan Variant. Microsoft too detects it as a Trojan with alert level Severe. Most of the big names in the antivirus industry have made detailed removal guide available for BO2K. The BO2K process uses various tricks to keep running on the remote system, one of them being repeatedly changing its process ID and spawning backup processes (processes which will ensure BO2K backdoor keeps running even if one process is killed). BO2K has been used by cyber criminals extensively. Although some publications such as Windows IT Pro were a bit positive about BO2K’s corporate future, in the September 2002 issue of Security Administrator Microsoft predicted, “its default stealth mode and obviously harmful intent mean the corporate world probably won’t embrace it anytime soon.” Microsoft’s firm stand against BO2K irritated Cult of the Dead Cow and they challenged Microsoft “to voluntarily recall all copies of its Systems Management Server network software.” ZDNet was strongly against the prevailing negative sentiment around BO2K.

Despite the controversial nature of the software, there is no uncertainty regarding the fact that BO2K was an example of excellent craftsmanship in software development. The developers thought of almost everything a person might need for seamless remote administration. The last stable release of BO2K was in 2007. A lot has happened since then. It’s time for Cult of the Dead Cow to start work on a new version of BO.

Back Orifice: The Controversial Remote Administration Tool

Some programs solve problems, and some create controversies. Josh Buchbinder’s Back Orifice falls in the second category. Back Orifice was designed as a remote administration tool but it ended up being classified as a malware. Back Orifice was launched at DEF CON 6th Edition on August 1, 1998. Developer Josh Buchbinder/ Sir Dystic is a member of the hacker group Cult of the Dead Cow which started in Texas, US.

The name Back Orifice is derived from Microsoft BackOffice Server, which was a server product bundle from Microsoft released in 1994 and discontinued in 2001. Back Orifice comprises two modules, one server module and one client module. The client module is used to control the server module running on a different machine. The client module is capable of performing a host of operations on the remote machine including execution of any application, keystroke logging, restarting, locking, file content viewing, file transfer in both directions (to and from the remote machine), and retrieval of screen saver password and cached passwords. It also supports screen capture, network traffic monitoring, and connection redirection. Third-party plugins can be easily added to the software. Back Orifice uses TCP & UDP protocols and runs on port 31337. Back Orifice works on local area networks and on the internet. It’s a freeware and is available for download on Cult of the Dead Cow official site. In order to install Back Orifice, first, the server application needs to be installed on the remote machine. The server application is a standalone executable file of around 122 KB. The application copies itself to the Windows system directory and adds a value carrying the server application filename to the registry. Back Orifice server module is compatible with Windows 95 & 98 but not with Windows NT.

The press release which was published from Cult of the Dead Cow during the launch mentions that the main goal of releasing the software in the public domain was to draw the attention of people to the serious security flaws of the Microsoft Windows operating system. It also criticized Microsoft for their lackluster attitude toward security. In spite of its noble motive, the software was categorized by the leading antivirus companies as a malware and it was not without reason. First, the server application deletes itself when executed. Second, the server application does not show up on the Windows task list. Third, it automatically starts every time Windows starts. Symantec Corporation explains, “the tool can be used by an unscrupulous user (e.g., the attacker) to compromise the security of a computer running Windows 95 or Windows 98, for example, to steal secret documents, destroy data, etc.” Due to its ease of use, Back Orifice was a favorite among wannabe hackers. It was used by hackers as a Trojan horse. Most antivirus solutions automatically detect and take appropriate action against Back Orifice. It can also be removed manually by running the MS-DOS command DEL C:\WINDOWS\SYSTEM\EXE~1.

Although it is arguable whether Back Orifice missed its intended goals, being accepted as a reliable remote administration tool and increasing security awareness among users, it will always be considered an important milestone in security research.