Backdoor Found

Updated 7/19/01
CAN 1999-0660

Impact

A backdoor is a program designed to hide itself on a target host and to give whoever installed it access to that host at a later time, without going through normal authentication and without having to exploit a vulnerability again. Individual backdoor programs differ in their details, but the two most common are NetBus and Back Orifice.

Background

Back Orifice, developed by the underground hacker group The Cult of the Dead Cow, is a backdoor program designed for Windows 95/98. Upon installation, Back Orifice begins listening on a pre-specified UDP port (by default 31337). From that point on, anyone who knows which port Back Orifice is listening on, and the Back Orifice password, can remotely control the target host. Back Orifice consists of two parts: client and server. The server is placed on the target system, while the client is used to control the remote host; the client may be either text or graphics based. Using Back Orifice, malicious users may execute commands, list files, start/stop services, share directories, upload and download files, modify/delete registry entries and kill programs running on the target system.

NetBus, another back door program, is functionally very similar to Back Orifice, but also allows a malicious user to open/close the CD-ROM drive, pop up interactive dialogs to chat with the user at the compromised system, and listen to the target system's microphone (if one is installed). NetBus uses TCP for communications. Version 1 always uses ports 12345 and 12346 to listen for incoming connections, while version 2 can use any port but uses 20034 by default. Like Back Orifice, NetBus allows the installer to assign a password to the program. Unlike Back Orifice, NetBus will also run on Windows NT.

SubSeven and Glacier are newer back door programs. Both change the registry to ensure that they are started every time the system is rebooted. Once running, SubSeven can give an attacker access to cached information such as passwords, play audio files, or capture screen shots of the target system. The latest version also joins an IRC channel, which tells attackers that the system has been infected. Once Glacier is running, it listens on port 7626 for connections from the Glacier client; anyone with a Glacier client can connect to the Glacier server and take control of the system.

DRAT is another new back door program. It changes the registry so that it is started up every time a .bat or .exe file is executed. Once DRAT is installed on a system, any remote user who knows the port and password (if any) can take control of the system using an ordinary telnet client. DRAT uses TCP for communications, and always listens for connections on port 48 and uses port 50 for file transfers.

qaz.worm is a combination trojan, worm, and backdoor. When it infects a machine, it installs itself as notepad.exe, renames the original notepad program to note.com, and alters the registry so that it is started at bootup. It runs a pair of server processes (and then calls the original notepad program so the user notices nothing): one server process tries to spread the worm to other file shares, the other acts as a minimal backdoor that lets someone upload and run files (for instance, to install a more functional backdoor). Details may be found in the virus libraries of McAfee or F-Secure.

There are many other back door programs besides the ones described above. Please see the X-Force Windows Backdoor Update for information about other back doors.
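The default ports listed in this section are enough for a first-pass check of a host. What follows is an added example, not code from this page, from ISS or from any of the tools named above: it parses the output of Windows "netstat -an" (a constructed sample is embedded; nothing here was captured from a real host) and flags two things, sockets this host is listening on that match a default backdoor port, and established connections from this host to such a port on another machine, which would mean someone here is running a backdoor client. The port table is taken from the defaults stated above and is only that: a backdoor reconfigured to a different port, or a family not listed on this page, will not be found this way.

```python
import re

# Default listening ports of the backdoors described on this page, keyed by
# (transport, port). These are DEFAULTS only: Back Orifice's port is chosen at
# install time, NetBus 2 can use any port, and other families have their own
# ports, so an empty result here is not proof of a clean host.
KNOWN_BACKDOOR_PORTS = {
    ("udp", 31337): "Back Orifice (default)",
    ("tcp", 12345): "NetBus 1.x",
    ("tcp", 12346): "NetBus 1.x",
    ("tcp", 20034): "NetBus 2 (default)",
    ("tcp", 7626):  "Glacier",
    ("tcp", 48):    "DRAT control channel",
    ("tcp", 50):    "DRAT file transfer",
}

# One socket line of Windows "netstat -an": Proto, Local, Foreign, [State].
# UDP lines have no State column and show "*:*" as the foreign address.
_SOCKET_LINE = re.compile(
    r"^\s*(TCP|UDP)\s+\S+:(\d+)\s+\S+:(\d+|\*)(?:\s+(\S+))?\s*$", re.IGNORECASE
)

def parse_netstat(text):
    """Yield (proto, local_port, remote_port_or_None, state) per socket line."""
    for line in text.splitlines():
        m = _SOCKET_LINE.match(line)
        if not m:            # banner, blank and header lines
            continue
        proto, lport, rport, state = m.groups()
        yield (proto.lower(), int(lport),
               None if rport == "*" else int(rport),
               (state or "").upper())

def triage_netstat(text):
    """Flag sockets that match a default backdoor port.

    'listening'    - this host is serving a backdoor on its default port
    'connected-to' - this host holds an open connection TO a backdoor port on
                     another machine, i.e. someone here is running a client
    """
    findings = []
    for proto, lport, rport, state in parse_netstat(text):
        if proto == "udp" or state == "LISTENING":
            name = KNOWN_BACKDOOR_PORTS.get((proto, lport))
            if name:
                findings.append(("listening", proto, lport, name))
        elif state == "ESTABLISHED" and rport is not None:
            name = KNOWN_BACKDOOR_PORTS.get((proto, rport))
            if name:
                findings.append(("connected-to", proto, rport, name))
    return findings

# Constructed sample output (not captured from a real host).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:12345          0.0.0.0:0              LISTENING
  TCP    192.168.1.5:1043       192.168.1.9:12345      ESTABLISHED
  TCP    0.0.0.0:7626           0.0.0.0:0              LISTENING
  UDP    0.0.0.0:31337          *:*
  UDP    0.0.0.0:137            *:*
"""

if __name__ == "__main__":
    for role, proto, port, name in triage_netstat(SAMPLE_NETSTAT):
        print(f"{role:13} {proto}/{port:<5} {name}")
```

On the sample this reports NetBus 1.x and Glacier listening on TCP, Back Orifice listening on UDP, and one established connection to NetBus on 192.168.1.9, which is the internal-attacker case discussed under Resolution. A listening socket on one of these ports still needs to be tied back to a process before anything is removed, since the port alone does not identify the program.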

The Problems

The problem with these types of programs is, of course, that remote and/or local users can take control of a target system (which is bad enough in itself), and may then use the information found on that system to compromise the rest of the network it resides on. For instance, Back Orifice, NetBus, and SubSeven allow a malicious user to view a target system's cached passwords (which these tools display in clear text). These passwords may then be used to attempt to access the various servers on the network. Back Orifice and NetBus also come with keystroke loggers which may be used for the same purpose. Furthermore, a host infected with a backdoor is susceptible to infection by worms such as W32/Leave, which spreads by exploiting the SubSeven backdoor. The presence of a compromised machine on the network therefore poses an enormous security risk for the entire network.

The full implications of these back door programs cannot be easily assessed. It is interesting to note that the Back Orifice program has been downloaded over 200,000 times from the Cult of the Dead Cow's web site alone. In a few months, millions of copies of these programs may be floating around the Internet - installed, configured and silently working. The release of Back Orifice and NetBus has ushered in a new era in hacking. Historically, hacking has been the province of those with enough knowledge and dedication to find and exploit vulnerabilities in particular operating systems and programs - a relatively small group of people, to be sure. Now, though, using "turnkey" hacking programs such as Back Orifice and NetBus, anyone with an Internet connection and even the most basic understanding of computing can wreak havoc on target systems and networks. The chances that you will be a victim of such an exploit rise with each download.

Resolution

Good security practices and careful web browsing are the main defences against this vulnerability. Back Orifice and NetBus both have to be executed on the target system to be installed; they cannot install themselves remotely. Usually it is not the malicious user who runs the installer, but the user of the system. Both backdoors can be bound to other executables so that when the other executable is run, the trojan horse installs itself in the background. These carriers take many forms: software programs, the installation routines of software programs, attachments to animated email postcards and attachments to ordinary email messages, to name just a few of the delivery vehicles. Never install software or run programs that come from questionable or untrusted sites. This point cannot be made often enough, and becomes more relevant as backdoor programs grow more numerous and more harmful. With all of the threats out there, it's just not worth it.

The above paragraph deals mainly with threats from external users, but internal users may also decide to employ these programs. In such cases, defending against attacks involves limiting access to machines to only those who are authorized to use them. Login and BIOS-level passwords may help, as may limiting physical access to machines. Sometimes, though, even the most thoughtful security procedures will not prevent a malicious user from infecting a system on the network. Fortunately, there are procedures for detecting and removing Back Orifice and NetBus once they have been installed. Read ISS's Windows Backdoor Alert for detailed information on these detection and elimination procedures.

Note: Several programs purporting to remove Back Orifice and NetBus are themselves trojan horses. The best known of these fake "cleaner" programs is named bosniffer.exe. Under no conditions should this program be run. If at all possible, removal should be done manually; if that is not feasible, stick with cleaner programs from known vendors such as McAfee or Norton.

Glacier and DRAT are a little trickier to remove because they register themselves in the registry as the handler for file types the system relies on (in DRAT's case, every .bat and .exe file), so simply deleting the program leaves those files unusable until the registry entries are restored. Fortunately, DRAT has a built-in self-removal mechanism which you can use if it is not password protected. Otherwise, you can still remove the back door, but the procedure is more complicated. See the posting to securityfocus incidents for DRAT removal information, and CIAC Bulletin L-077 for Glacier removal information.
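The reason deleting the binary breaks things is the registry: once the handler that runs on every .exe or .bat launch points at a file that no longer exists, nothing launches. What follows is an added example, not taken from the CIAC bulletin, the securityfocus posting or the X-Force update: it parses a regedit export (a constructed sample with an invented backdoor path, not a real DRAT signature), compares the exefile and batfile "open" handlers against the clean Windows value "%1" %*, lists every entry in the Run keys that the other backdoors on this page use to restart at boot, and emits a .reg fragment that restores the handlers so the repair can be applied before the binary is removed. The clean handler value and the Run key paths are assumptions about a stock Windows 9x/NT installation, not something this page states.

```python
import re

# Default "open" handler for .exe and .bat files on a clean Windows 9x/NT
# system (assumed, not taken from this page). DRAT replaces these so that it
# runs on every launch; delete the backdoor binary without restoring them and
# nothing will run.
EXPECTED_HANDLERS = {
    r"HKEY_CLASSES_ROOT\exefile\shell\open\command": '"%1" %*',
    r"HKEY_CLASSES_ROOT\batfile\shell\open\command": '"%1" %*',
}

# Autostart keys used to survive a reboot. Entries found here are listed for
# manual review, not judged automatically.
RUN_KEYS = (
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
)

_KEY_LINE = re.compile(r"^\[(.+)\]$")
_VALUE_LINE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')

def _reg_unescape(s):
    # .reg files escape backslash and double quote with a backslash
    return re.sub(r"\\(.)", r"\1", s)

def _reg_escape(s):
    return s.replace("\\", "\\\\").replace('"', '\\"')

def parse_reg_export(text):
    """Parse a regedit export into {key: {value_name: data}}.

    Only REG_SZ ("...") data is decoded; hex:/dword: data is kept as raw text.
    The default value of a key is stored under the name "".
    """
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] == ";" or line.startswith(("REGEDIT", "Windows Registry")):
            continue
        m = _KEY_LINE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = _VALUE_LINE.match(line)
        if m and current is not None:
            name = "" if m.group(1) == "@" else _reg_unescape(m.group(1)[1:-1])
            data = m.group(2)
            if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
                data = _reg_unescape(data[1:-1])
            keys[current][name] = data
    return keys

def check_persistence(reg_text):
    """Return ("hijacked-handler", key, actual) for each redirected file handler
    and ("autostart", key\\name, command) for every Run-key entry."""
    by_key = {k.lower(): v for k, v in parse_reg_export(reg_text).items()}
    findings = []
    for key, expected in EXPECTED_HANDLERS.items():
        actual = by_key.get(key.lower(), {}).get("")
        if actual is not None and actual.strip().lower() != expected.lower():
            findings.append(("hijacked-handler", key, actual))
    for key in RUN_KEYS:
        for name, data in by_key.get(key.lower(), {}).items():
            findings.append(("autostart", key + "\\" + name, data))
    return findings

def repair_fragment(findings):
    """Build a .reg fragment that restores every hijacked handler. Import it
    (or set the values by hand) BEFORE removing the backdoor binary."""
    lines = ["REGEDIT4", ""]
    for kind, key, _actual in findings:
        if kind == "hijacked-handler":
            lines += ["[" + key + "]",
                      '@="' + _reg_escape(EXPECTED_HANDLERS[key]) + '"', ""]
    return "\n".join(lines)

# Constructed sample export (backdoor.exe is an invented name, not a real signature).
SAMPLE_REG = r'''REGEDIT4

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="C:\\WINDOWS\\SYSTEM\\backdoor.exe \"%1\" %*"

[HKEY_CLASSES_ROOT\batfile\shell\open\command]
@="\"%1\" %*"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"loader"="C:\\WINDOWS\\notepad.exe"
'''

if __name__ == "__main__":
    found = check_persistence(SAMPLE_REG)
    for kind, where, what in found:
        print(f"{kind:17} {where} -> {what}")
    print(repair_fragment(found))
```

On the sample the exefile handler is reported as hijacked while batfile is clean, and both Run entries are listed so that the "loader" entry pointing at notepad.exe (the qaz.worm pattern described above) can be judged by eye. The fragment produced by repair_fragment only resets the handlers; the Run entries and the binary itself still have to be dealt with following the vendor bulletins.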

Removal procedures for other backdoors can be found in the X-Force Windows Backdoor Update.

Where can I read more about this?

A good source of information on both Back Orifice and NetBus is the ISS Windows Backdoor Alert. CERT Vulnerability Note 98.07 is another good source of information on Back Orifice.

Information on SubSeven version 2.1 can be found in NIPC Advisory 00-056.

Information on Glacier can be found in CIAC Bulletin L-077.

Information on DRAT can be found in a posting to the securityfocus incidents mailing list.

Information on all other backdoors can be found in the X-Force Windows Backdoor Update.