ACC-NET

Back Orifice - Protect Yourself

The Basics - Questions and Answers


What is it?


Back Orifice is a program that can let unwanted people access and control your computer by way of its Internet link. It runs on Windows 95/98 systems.

Once installed, BO runs invisibly. It has to be run once to install itself, but that first run is seldom recognizable to the victim.

BO can be packaged with legitimate software, attached to any program or file, or run all by itself. It installs itself quietly, usually erasing the original, and opens an "orifice" into your system. It is configurable in a variety of ways.

BO allows a very high degree of access and control by the remote operator, who uses a simple pushbutton client program to access the "server" on your machine. Once "in" your system he can perform practically any function of your computer, most of them without any outward indication to the user at the console. He can see passwords, run a DOS session, use your computer as a relay point for communications (so as to make himself untraceable), read your mail, track your keystrokes... and lots more.

BO has existed in broad and increasing use since about 3 August 1998.

BO represents a significant development in Net security for the ordinary user. Unlike past tools of the hacker trade, it can implement access to a remote system with unprecedented ease. Whereas intrusion tactics were mainly the province of highly-skilled techies in the past, BO has effectively placed this power in the hands of potentially millions of marginally-skilled people. With a little coaching, any 12-year-old could learn to use BO.

While it installs and runs very quietly, Back Orifice is nonetheless not an extremely stealthy application. It yields readily to fairly simple methods of detection and removal. It depends upon the user's unawareness of its presence, and to get installed, it generally requires a lack of caution, misplaced trust, or simply an unawareness of risks on the part of its victims. Unfortunately, those very traits are typical of a large proportion of Internet users. Where Back Orifice is concerned, what you don't know most certainly can hurt you.


Do I have it?


Maybe! The program has been circulating broadly only since the 3rd of August 1998. If you make a practice of exchanging or accepting program files sent or offered to you by individuals, as many people often do, you're at significant risk.

However, if you have recently installed nothing but commercial software from CDs, or applications from sources in which you have high confidence (such as Netscape or Microsoft products downloaded from the companies' own sites), you almost certainly don't have it.


How can I tell?


Presently, there is one totally reliable dead giveaway. BO typically requires an entry in the Windows Registry in order to be invoked on startup. It can be set up to start other ways, but it always makes that entry anyway, every time it is run. The exact entry can vary, but it is always in one place. See the Detecting Back Orifice page.

Another direct giveaway is a file named windll.dll which BO places in the Windows\System folder every time it runs. (This is a sort of sub-program which implements BO's keyboard logging. BO works fine without it, so removal of this alone is not a solution.)
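The two indicators just described (an unexpected startup entry in the Registry, and windll.dll sitting in Windows\System) can be checked without any special tool: export the Registry with regedit and take a listing of the System folder, then read both for anything unexpected. The script below is an added example written for this page; it is not code from the original page, from ACC-NET, or from any BO utility. It parses the text regedit writes with "Export Registry File" and a plain directory listing, so it runs offline on the constructed samples embedded in it. Which keys to audit (the Run and RunServices keys under HKEY_LOCAL_MACHINE) and the allowlist of known-good values are assumptions for illustration, not statements from the page; the page itself only says the entry is "always in one place".

```python
"""Audit a regedit export and a Windows\\System listing for the two BO
indicators described on the page. Added example, not the page's own code.

Assumptions (not from the page): the startup keys audited are the Run and
RunServices keys under HKLM\\Software\\Microsoft\\Windows\\CurrentVersion,
and ALLOWLIST holds the value names a clean machine is known to have.
"""
import re

# Keys under which Windows 9x launches programs at startup (assumed audit scope).
STARTUP_KEYS = (
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices",
)

# Known-good startup value names; a real audit fills this from a clean machine.
ALLOWLIST = {"SystemTray", "ScanRegistry"}

# The keyboard-logging helper the page says BO drops into Windows\System.
KEYLOG_DLL = "windll.dll"

_SECTION = re.compile(r"^\[(.+)\]\s*$")          # [HKEY_...\Key]
_VALUE = re.compile(r'^"?(?P<name>[^"=]*)"?=(?P<data>.*)$')  # "name"="data" or @="data"


def parse_reg_export(text):
    """Parse a regedit-style export into {key_path: {value_name: data}}.
    String values have their quotes stripped; other types are kept as raw text.
    A value name of '@' denotes the key's default value, as in regedit."""
    tree, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("Windows Registry Editor", "REGEDIT4", ";")):
            continue
        m = _SECTION.match(line)
        if m:
            current = m.group(1)
            tree.setdefault(current, {})
            continue
        m = _VALUE.match(line)
        if m and current is not None:
            data = m.group("data").strip()
            if data.startswith('"') and data.endswith('"'):
                data = data[1:-1]
            tree[current][m.group("name")] = data
    return tree


def suspicious_startup_entries(tree, allowlist=ALLOWLIST):
    """Return (key, name, data) for every startup value not on the allowlist.
    Key comparison is case-insensitive because regedit exports vary in case."""
    wanted = {k.lower() for k in STARTUP_KEYS}
    return [
        (key, name, data)
        for key, values in tree.items()
        if key.lower() in wanted
        for name, data in values.items()
        if name not in allowlist
    ]


def has_keylogger_dll(listing):
    """True if windll.dll appears as the last field of any line in a directory
    listing (works for both a bare file list and DIR-style output)."""
    for line in listing.splitlines():
        parts = line.split()
        if parts and parts[-1].lower() == KEYLOG_DLL:
            return True
    return False


# Constructed sample export: two ordinary entries plus one nameless, blank-named
# program under RunServices (the sort of entry a human would easily overlook).
SAMPLE_REG = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
" "=" .exe"
'''

# Constructed sample listing of the System folder (DIR-style, last column is the name).
SAMPLE_SYSTEM_DIR = """\
 Directory of C:\\WINDOWS\\SYSTEM
KERNEL32 DLL        kernel32.dll
WINDLL   DLL        windll.dll
"""

if __name__ == "__main__":
    for key, name, data in suspicious_startup_entries(parse_reg_export(SAMPLE_REG)):
        print(f"unknown startup entry: {key} [{name!r}] -> {data!r}")
    print("windll.dll present:", has_keylogger_dll(SAMPLE_SYSTEM_DIR))
```

Run it against a real export by reading the .reg file into parse_reg_export and a real DIR listing into has_keylogger_dll; anything the first function reports that you cannot account for deserves the closer look the Detecting Back Orifice page describes.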

The most direct evidence of BO's presence is its activity on your Dial-Up Networking connection. Unfortunately, with its oh-so-friendly and simple graphical interface, Microsoft has carefully insulated Win95/98 users from their own machines' network functions. But there are tools on hand in almost all machines which allow

  • monitoring of the Internet link,
  • examination and editing of Windows' vital Registry setup,
  • and for some, direct inspection of all running applications.

These are basic but powerful tools, easy to use, yet totally unknown to most users.

But Microsoft has kindly provided us all one little telltale. Most Win95 setups place an icon in the system tray which shows send/receive activity on the Internet link by way of two little lights. For most, those little lights are the only outward sign of Net activity. A busy intruder will set those lights flashing, just as your browser does. He may also trigger hard drive activity. If you see a lot going on that seems inappropriate, be very suspicious.

However, those little lights aren't worth much as a network monitor! If BO is running, it takes mere seconds for an intruder to access all cached passwords and view most of your system's vital statistics. He may have all he wants in moments and be gone. You almost certainly wouldn't notice and there is absolutely nothing you could do.
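The tray lights only tell you that something is talking on the link. One of the on-board tools the page alludes to, netstat, can tell you what is listening, which is the question that matters for a backdoor waiting for its operator. The script below is an added example written for this page, not code from the original page or from ACC-NET; it parses the text that "netstat -an" prints (a constructed sample is embedded) and reports any listening socket that is not on an expected baseline. The baseline of normal Windows networking ports and the sample's flagged port are illustrative assumptions; the page does not name BO's port, and the value used here is only a constructed sample.

```python
"""Report listening sockets that are not part of an expected baseline, using
the text output of `netstat -an`. Added example, not the page's own code.

Assumptions (not from the page): EXPECTED is the set of listeners a typical
dial-up Win9x machine has open; the sample output below is constructed.
"""
import re

# Baseline listeners assumed normal on a Win9x box with file sharing (assumption).
EXPECTED = {("TCP", 139), ("UDP", 137), ("UDP", 138)}

# One netstat row: proto, local addr:port, foreign addr, optional state (TCP only).
_ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$")


def parse_netstat(text):
    """Parse `netstat -an` text into a list of socket dicts; header and blank
    lines are skipped because they never start with TCP or UDP."""
    rows = []
    for line in text.splitlines():
        m = _ROW.match(line)
        if not m:
            continue
        proto, addr, port, foreign, state = m.groups()
        rows.append({"proto": proto, "addr": addr, "port": int(port),
                     "foreign": foreign, "state": state})
    return rows


def unexpected_listeners(rows, expected=EXPECTED):
    """Return sorted (proto, port) pairs for listeners outside the baseline.
    A UDP socket in netstat output is always a bound listener; a TCP socket
    counts only in the LISTENING state (established sessions are the user's
    own browser or mail traffic)."""
    found = set()
    for r in rows:
        listening = r["proto"] == "UDP" or r["state"] == "LISTENING"
        if listening and (r["proto"], r["port"]) not in expected:
            found.add((r["proto"], r["port"]))
    return sorted(found)


# Constructed sample of Windows `netstat -an` output: normal NetBIOS ports, one
# browser session, and one UDP listener that is not on the baseline.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:139            0.0.0.0:0              LISTENING
  TCP    192.168.1.5:1031       204.71.200.68:80       ESTABLISHED
  UDP    0.0.0.0:137            *:*
  UDP    0.0.0.0:138            *:*
  UDP    0.0.0.0:31337          *:*
"""

if __name__ == "__main__":
    for proto, port in unexpected_listeners(parse_netstat(SAMPLE_NETSTAT)):
        print(f"unexpected listener: {proto} port {port}")
```

On a real machine, paste the output of "netstat -an" into parse_netstat. Because BO is configurable, the port it uses can be anything, so the useful habit is to know your own baseline and question every listener that is not on it, rather than to look for one particular number.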

Reliable utilities to help find and remove BO are beginning to appear. So far I have found two -- BODetect and Back Orifice Eliminator -- which work well. However, BO can be expected to evolve and change to elude these utilities; and other programs like it will surely appear. The usual game of leap-frog is to be expected, as with viruses. A few victims, perhaps many, must emerge before each new threat is discovered and countermeasures created.

I think you'll agree, it's always preferable not to be one of those victims.


I don't have it.
How do I avoid it?


There is a LOT of advice out there on the Net about avoiding viruses, trojans, backdoors and other headaches that can be caused by malicious or intrusive programs. For ordinary Net users, I offer TWO (2) really important and really do-able pieces of advice.

Naturally there's plenty more to know, but these are the biggies, the Two Golden Rules of Home PC Security:

  1. Don't run programs from any source you don't trust completely.
  2. Buy and use decent and up-to-date virus-protection software. It will include checks and solutions for almost all potential attacks. Presently, Norton AntiVirus finds but doesn't remove BO. McAfee appears oblivious to it so far. But all of them will surely upgrade to handle BO in due time; many have already rushed to announce the fact.

And I would toss in a third and fourth for good measure:

  3. Be knowledgeable about your computer.
  4. Stay informed about security issues.

These last two aren't really optional if you plan on long-term security. And you may as well realize that no matter what you do or what you know, a networked computer is never one hundred percent secure against all possible intrusion.


I have BO.
What now?


Please see the Removing Back Orifice page.

It's Gone!
NOW what?


Your only safe assumption now is that your system has been invaded. Someone probably has some or all of your passwords, and may have obtained any or all of the information of value your computer contained.

Furthermore, you must assume that other mischief may have been done. Every sort of prank, malicious program or virus is a possibility, because with BO, the intruder had TOTAL access.

Here's a handful of recommendations:

  • Implement a solid solution to repeated "infections" with BO. As of late August, most of the major anti-virus apps have been updated to spot BO, and some of them will also remove it. But I recommend adding BODetect to your StartUp group as an added measure. Update your BODetect as improvements appear, and if equal or superior tools become available, use them.

  • Once you know your system is secure (well, secure from BO v1.2 in particular at least), assess the damage potential. This is purely your own judgment call; it may be extremely serious or a trivial concern. If you do little more than browse the Net and exchange a few not-too-personal emails, play games or the like, you may be virtually unharmed by any conceivable intrusion. But if you store anything of a sensitive, personal, confidential or otherwise exploitable nature on your system, you may have no choice but to assume the worst. It might be wise to try thinking like a Bad Guy to determine what might be exploitable. Examples:

      • Passwords
      • Credit card numbers
      • Banking or other financial records
      • Communications from others sent in confidence
      • Encryption keys

  • Scan for viruses. Good software for the purpose is not a huge expense. In cases where security and system stability are of utmost importance, you might have to consider a complete re-installation of your operating system and all software. In such cases too, the data you preserve or import from the affected machine must be considered suspect and should be scanned with a good and up-to-date utility.

  • Change your passwords. At the very least, call your ISP and change your Net account password. It's a favorite trick to use another's account to perform additional intrusions.

  • Inform others who may be at risk. For instance, if you're an accountant or lawyer, the data on your system could be incredibly sensitive. Intensely personal emails might qualify for this concern. It may be vital to their interests to tell those whose secrets may be out.

Is BO useful?


It most certainly can be! This ingenious program has a number of very legitimate uses.

BO is an effective countermeasure against BO itself.

Because the BO server is such a small file, and a snap to install, it can be e-mailed by a service professional to a client in need of help. The remote system needs only to be functional enough, and its operator skilled enough, to receive and run the file. Then a support person can enter and perform his magic from afar without ever leaving his swivel-chair.

Because BO can be configured securely (with password protection), it's not (apparently) a risk if used briefly and with knowledge and consent. By itself it does no damage to the host system. It's readily disabled and/or removed by the remote operator, whereby he can leave the system inaccessible even to himself.

There are other handy functions. BO can provide Telnet access, either for a very limited purpose or for command-line control of a system; and HTTP access, whereby the host instantly becomes a perfectly serviceable Web server.
