Back Orifice: The Controversial Remote Administration Tool

Some programs solve problems, and some create controversies. Josh Buchbinder's Back Orifice falls in the second category. Back Orifice was designed as a remote administration tool but ended up being classified as malware. It was launched at DEF CON 6 on August 1, 1998. Its developer, Josh Buchbinder, better known by his handle Sir Dystic, is a member of the hacker group Cult of the Dead Cow, which started in Texas, US.

The name Back Orifice is a play on Microsoft BackOffice Server, a server product bundle from Microsoft released in 1994 and discontinued in 2001. Back Orifice comprises two modules, a server and a client. The client is used to control the server running on a different machine. Through it, an operator can perform a host of operations on the remote machine, including executing any application, logging keystrokes, restarting or locking the machine, viewing file contents, transferring files in both directions (to and from the remote machine), and retrieving the screen saver password and cached passwords. It also supports screen capture, network traffic monitoring, and connection redirection. Third-party plugins can easily be added. Back Orifice communicates over UDP (TCP support arrived later, with Back Orifice 2000) and listens on port 31337 by default; the port is configurable, so filtering on it alone is not a reliable control. It works on local area networks and across the internet. It is freeware and is available for download from the Cult of the Dead Cow official site. To use Back Orifice, the server application must first be installed on the remote machine. The server is a standalone executable of around 122 KB. When run, it copies itself to the Windows system directory and adds a registry value naming the server executable, which is what makes Windows launch it at every start. The Back Orifice server is compatible with Windows 95 and 98 but not with Windows NT.

The press release published by Cult of the Dead Cow at the launch states that the main goal of releasing the software into the public domain was to draw attention to the serious security flaws of the Microsoft Windows operating system. It also criticized Microsoft for a lackluster attitude toward security. In spite of this stated motive, the leading antivirus companies categorized the software as malware, and not without reason. First, the server executable deletes its original copy once it has installed itself. Second, the server does not show up in the Windows task list. Third, it starts automatically every time Windows starts. Symantec Corporation explains, “the tool can be used by an unscrupulous user (e.g., the attacker) to compromise the security of a computer running Windows 95 or Windows 98, for example, to steal secret documents, destroy data, etc.” Because of its ease of use, Back Orifice was a favorite among wannabe hackers, who used it as a Trojan horse. Most antivirus solutions detect Back Orifice and remove it automatically. It can also be removed manually with the MS-DOS command DEL C:\WINDOWS\SYSTEM\EXE~1, where EXE~1 is the 8.3 short name of the server's default filename, a single space followed by .exe. Run the command from MS-DOS mode rather than from within a running Windows session, since Windows will not delete an executable that is currently running, and remove the registry value that starts the server at boot as well; a different server filename or a renamed installation will of course not be caught by this one command.
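Port 31337 is the indicator most people remember, but because the port is configurable, a network detector should look at the packet contents rather than the port. The following Python is an added example written for this article; it is not code from Cult of the Dead Cow, from any antivirus vendor, or from the original page. The header layout (8-byte magic "*!*QWTY?", 4-byte length, 4-byte packet ID, 1-byte command, payload, 1-byte checksum), the default key 31337 and the XOR keystream from a 214013/2531011 linear congruential generator follow the Back Orifice 1.2 wire format as documented by the Snort `bo` preprocessor; the checksum rule (a byte sum), the command values and all of the sample traffic are this example's own assumptions, constructed for the demonstration.

```python
"""Content-based detector for Back Orifice control traffic (added example)."""
import struct
from dataclasses import dataclass

BO_MAGIC = b"*!*QWTY?"      # plaintext header every BO packet starts with
BO_DEFAULT_PORT = 31337     # default listening port; configurable by the operator
BO_DEFAULT_KEY = 31337      # seed used when the server has no password set
BO_MIN_SIZE = 18            # magic(8) + length(4) + id(4) + command(1) + checksum(1)


def bo_keystream(seed: int, n: int):
    """Yield n keystream bytes from the MSVC-style LCG that BO XORs its packets with."""
    hold = seed & 0xFFFFFFFF
    for _ in range(n):
        hold = (hold * 214013 + 2531011) & 0xFFFFFFFF
        yield (hold >> 16) & 0xFF


def bo_xor(data: bytes, key: int = BO_DEFAULT_KEY) -> bytes:
    """XOR is its own inverse, so this both encrypts and decrypts."""
    return bytes(b ^ k for b, k in zip(data, bo_keystream(key, len(data))))


def bo_build_packet(pkt_id: int, command: int, payload: bytes,
                    key: int = BO_DEFAULT_KEY) -> bytes:
    """Build an encrypted BO packet (used here only to construct sample traffic)."""
    length = BO_MIN_SIZE + len(payload)
    body = BO_MAGIC + struct.pack("<II", length, pkt_id) + bytes([command]) + payload
    checksum = sum(body) & 0xFF           # assumption: simple byte-sum checksum
    return bo_xor(body + bytes([checksum]), key)


def bo_decode(data: bytes, key: int = BO_DEFAULT_KEY):
    """Return (pkt_id, command, payload) if data is a BO packet under key, else None."""
    if len(data) < BO_MIN_SIZE:
        return None
    plain = bo_xor(data, key)
    if plain[:8] != BO_MAGIC:             # wrong key or not BO at all
        return None
    length, pkt_id = struct.unpack("<II", plain[8:16])
    if length != len(data) or (sum(plain[:-1]) & 0xFF) != plain[-1]:
        return None
    return pkt_id, plain[16], plain[17:-1]


@dataclass
class Datagram:
    src: str
    dst: str
    dport: int
    data: bytes


def scan(datagrams, keys=(BO_DEFAULT_KEY,)):
    """Flag datagrams that decode as BO under any candidate key, on any port."""
    hits = []
    for d in datagrams:
        for k in keys:
            decoded = bo_decode(d.data, k)
            if decoded is not None:
                hits.append((d.src, d.dst, d.dport, k, decoded[1]))
                break
    return hits


def port_only(datagrams):
    """The naive rule: anything to port 31337 is BO. Misses moved ports, flags noise."""
    return [d for d in datagrams if d.dport == BO_DEFAULT_PORT]


def sample_datagrams():
    """Constructed traffic, not a real capture. Command values are arbitrary."""
    return [
        # server on the default port, default key
        Datagram("10.0.0.5", "10.0.0.9", 31337, bo_build_packet(1, 0x01, b"PING")),
        # same attacker, server reconfigured to port 4444 and a password-derived key
        Datagram("10.0.0.5", "10.0.0.9", 4444, bo_build_packet(2, 0x1E, b"C:\\", key=12345)),
        # unrelated 18-byte datagram that happens to hit port 31337
        Datagram("10.0.0.7", "10.0.0.9", 31337, b"\x12\x34\x01\x00\x00\x01" + b"\x00" * 12),
        # ordinary noise on another port
        Datagram("10.0.0.8", "10.0.0.9", 53, b"\x00" * 20),
    ]


if __name__ == "__main__":
    for hit in scan(sample_datagrams(), keys=(BO_DEFAULT_KEY, 12345)):
        print("BO packet %s -> %s:%d key=%d command=0x%02x" % hit)
```

With the default key alone the scanner finds only the first datagram; adding the candidate key 12345 also catches the server that was moved to port 4444, which the port-only rule misses while it wrongly flags the unrelated datagram on 31337. In practice the candidate key list comes from the password-to-key derivation, which this example leaves out.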

Whether Back Orifice achieved its intended goals, acceptance as a reliable remote administration tool and greater security awareness among users, remains arguable, but it will always be considered an important milestone in security research.