Back Orifice 2000: A Step Beyond Back Orifice

The launch of Back Orifice 2000 was announced at DEF CON 7th Edition in 1999. BO 2000 was originally developed by Christien Rioux (DilDog), a member of Cult of the Dead Cow. He was in the development team of L0phtCrack or LC, Windows password audit and recovery tool. In 2006, he co-founded Veracode, a Massachusetts-based application security company. He is also the Chief Scientist in Veracode.

BO 2000 is a step up over its predecessor Back Orifice, which was developed by Josh Buchbinder (Sir Dystic) and launched at DEF CON 6th Edition in 1998. It contains several advancements over its predecessor. The first and most important of them is increased scope. Back Orifice had support for only Windows 95 and Windows 98. In addition to those two, BO 2000 has support for Windows NT, Windows 2000, Windows XP, & Windows Vista. BO 2000, also known as BO2K, has a leaner structure. It includes large organizations in its scope whereas its predecessor’s scope was limited to individuals and small businesses. BO 2000 comes as a server-client duo and has a modular structure which makes it easy for users to add additional features. It also comes with a configuration utility which helps to configure the server application. It is difficult for network monitoring software solutions to detect its presence. It has real-time keystroke logging and real-time desktop viewing feature. It supports strong encryption.

BO2K faced moral and legal questions from the experts. It did not take long for it to be categorized as a malware. F-Secure Labs categorizes it as a backdoor Trojan. McAfee Inc. profiles BO 2000 as a malware of type Trojan and subtype Remote Access. It also lists a lesser known alias of BO2K, Orifice2k.srv. Symantec Corporation detects it as a Trojan Variant. Microsoft too detects it as a Trojan with alert level Severe. Most of the big names in the antivirus industry have made detailed removal guide available for BO2K. The BO2K process uses various tricks to keep running on the remote system, one of them being repeatedly changing its process ID and spawning backup processes (processes which will ensure BO2K backdoor keeps running even if one process is killed). BO2K has been used by cyber criminals extensively. Although some publications such as Windows IT Pro were a bit positive about BO2K’s corporate future, in the September 2002 issue of Security Administrator Microsoft predicted, “its default stealth mode and obviously harmful intent mean the corporate world probably won’t embrace it anytime soon.” Microsoft’s firm stand against BO2K irritated Cult of the Dead Cow and they challenged Microsoft “to voluntarily recall all copies of its Systems Management Server network software.” ZDNet was strongly against the prevailing negative sentiment around BO2K.

Despite the controversial nature of the software, there is no uncertainty regarding the fact that BO2K was an example of excellent craftsmanship in software development. The developers thought of almost everything a person might need for seamless remote administration. The last stable release of BO2K was in 2007. A lot has happened since then. It’s time for Cult of the Dead Cow to start work on a new version of BO.