[ISN] Using JAVA to deliver BO

From: mea culpa <jericho_at_dimensional.com>
Date: Tue 18 Aug 1998 - 05:56:33 CDT
Forwarded From: Nelson Murilo <nelson@pangeia.com.br>
[http://www.finjan.com/alert_back_orifice.cfm]


                                    JSA
                                   Finjan
                          Monday, August 17, 1998
                                      
                     Back Orifice Hostile Applet Alert 
                                      
A hostile Java applet that carries the widely publicized hacker tool
called "Back Orifice" has been discovered on a Java consulting firm's
Web site. Back Orifice was written by the hacker group Cult of the Dead
Cow and debuted last week at the Def Con hacker conference. The
application can remotely monitor and control Windows 95 and Windows 98
systems, and can add and delete files, directories and registry entries.
                                      
The interesting twist came recently when Back Orifice was embedded in a
Java applet and installed dynamically from within the browser
environment. While this was only a "demonstration applet," it points out
the growing trend of taking publicly available code and modifying it to
create a different type of attack or delivery method. This trend makes it
virtually impossible for a security administrator to maintain adequate
levels of protection, since the mutations of public code can be endless.
It is a growing trend on the Internet today, where "how to hack" sites
are popping up with everything from recipes for denial of service attacks
to stolen digital certificates from respected software companies. The
most recent well-known attack built on exploited public code was the
Pentagon "teardrop" attack.
                                      
Over the last 10 days, many well-publicized security holes in Microsoft
environments, Netscape and Eudora mail have been brought to light. Many
of these problems become more serious when combined with mobile code
payloads: a buffer overflow on its own is usually just a crash, and it
becomes a real compromise only when the code delivered in the payload
does something nasty. The upshot is that mobile code can be used to
successfully attack and compromise many popular computing environments,
and pervasive mobile code systems, especially JavaScript and ActiveX,
make exploitation of subtle security holes much easier.
                                      
Dr. Gary McGraw, co-author of the forthcoming book, "Securing Java: 
Getting down to business with mobile code," and Vice President of Reliable
Software Technologies, http://www.rstcorp.com, offers this perspective: 
                                      
"Mobile code poses a real threat to any computing environment. One way to
lessen your security exposure is to manage mobile code extremely
carefully. New features in Java can help you do this when used wisely. 
Bringing this point even closer to home is the fact that the hacker tool
called Back Orifice, which completely compromises Windows platforms, can
now be installed using mobile code." 
                                      
                   Back Orifice Applet Delivery Details: 
    1. Although this is a demonstration only, the applet's technique can
       easily be revised by others with malicious intent to inflict
       significant damage on your computers and environment.
    2. The applet is signed and "trusted" with a digital signature, yet
       it can still do damage. While digital signatures are an important
       part of your security model, most security breaches are
       nonetheless still carried out by trusted sources. Moreover,
       fraudulent digital signature certificates are already easily
       available from several hacker sites. A signature proves who
       vouched for the code, not what the code will do, so security
       solutions that rely on digital signature checking alone will not
       be effective against this applet, which installs Back Orifice, or
       against other versions of this attack.
    3. Those of you with Finjan mobile code security in place are
       protected in this case. The SurfinShield and SurfinGate products
       block this type of applet.
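
As an added illustration of item 2, not part of Finjan's alert, the
fragment below is a Java 2 policy file, one of the "new features in Java"
that can confine mobile code. The keystore path, the signer alias
"consultingfirm" and the codeBase URL are hypothetical. The two grant
blocks are alternatives, not a single policy: permissions in a policy file
are cumulative, so the first block would swallow the second if both were
left in place.

```text
// java.policy fragment (added example, not from the alert). The keystore
// path, the alias "consultingfirm" and the codeBase URL are hypothetical.
keystore "file:/etc/java/trusted.keystore";

// Weak: anything signed by the alias gets the run of the machine. A signed
// applet carrying Back Orifice is granted exactly this, so the signature
// check alone stops nothing.
grant signedBy "consultingfirm" {
    permission java.security.AllPermission;
};

// Better: the same signer, pinned to one origin, is confined to what the
// applet is supposed to need. Writing outside the scratch directory,
// loading native code or opening arbitrary sockets is refused by the
// Java 2 security manager, valid signature or not.
grant signedBy "consultingfirm", codeBase "https://www.example.com/applets/-" {
    permission java.io.FilePermission "${java.io.tmpdir}${/}applet-scratch${/}-", "read,write";
    permission java.net.SocketPermission "www.example.com:443", "connect";
};
```

The signature still matters: it decides which grant block applies. The
point is that it only selects the permission set; the permission set, not
the signature, is what keeps a Back Orifice dropper from writing to the
system directory.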
       
We will continue to update our customers and partners about additional
malicious mobile code. Please be sure to check Finjan's Web site for the
latest information on security breaches. To reduce chances of applet
proliferation, we are not including a link to the applet at this time. For
further information on the nature of Back Orifice in general, please see
            http://slashdot.org/features/980730/0928237_F.shtml
                                      

-o-
Subscribe: mail majordomo@sekurity.org with "subscribe isn".
Today's ISN Sponsor: New Dimensions International [www.newdimensions.net]
Received on Tue Aug 18 08:50:10 1998