Digital Gods, Digital Religions

BO2K Brouhaha

Should you beef up your defenses against the world’s best-known Trojan? Yes, but the enemy is neither BO2K nor its primary target, Windows NT. It’s all of us...and the lack of a reliable trust model in every operating system.

By Richard Thieme

At DefCon VII, the Las Vegas hacker convention, the Cult of the Dead Cow (cDc) in July rolled out its much-ballyhooed Back Orifice 2000 (BO2K). The stealthy remote administration tool, released one year after BO 1.0, gets onto a network either through a rogue user or through an unsuspecting user who has been "social engineered" into clicking an executable. Depending on whom you talk to, BO2K is either a dangerous Trojan designed to give an attacker covert control of a network or a very useful security testing and administration tool, à la SATAN for UNIX.

How much of a threat does BO2K really pose to networked computing? The fact that BO2K was better known than the Goodyear Blimp less than a week after its introduction may be an indication.

Now 15 years old, Cult of the Dead Cow is one of the oldest and most conspicuous hacking clans in the underground scene, and DefCon VII, the annual Las Vegas convention for computer hackers, received more media coverage than the Balkan War. Since DefCon I, when 100 hackers met face-to-face at a Vegas hotel for the first time, the convention has grown to 3,000 strong, including not only the burgeoning legions of hacker wannabes but mainstream journalists, corporate recruiters, federal law enforcement and various other "white hat" security types from the government and private sector. The choreographed introduction of BO2K to an overflow crowd cheering on the bovine-masked marauders was in itself anything but a stealthy event. In short, BO2K is the worst-kept secret in infosecurity.

On another level, BO2K is the latest weapon in the ongoing war between hackers and Microsoft, whose Windows NT is a leading corporate operating system. Many hackers have a passion for exposing and exploiting security holes in NT. BO2K wouldn’t be a threat, they say, if Microsoft only provided the security that corporate America thinks it does, or if computer users exercised a minimal level of due diligence.

Within the first week after the release of BO2K, security software vendors and cDc were engaged in a predictable round of claims and counter-claims. First came BO2K. Then came vendors' claims that they could detect and eliminate the Trojan. Then came the response that a polymorphic Trojan, which changes its signature every time it is used, can evade signature-based detection. Not so, said the vendors, who claimed to have countermeasures that handle polymorphic compression. And so on.

Truth or Dare

Whatever else it might be, BO2K is a Rorschach test onto which all interested parties are projecting some truth and a lot of self-interest. Of course security vendors emphasize the threat posed by the tool and the efficacy of their countermeasures. Of course Microsoft emphasizes the evil that crackers do. Of course cDc emphasizes the holes in distributed computing (in general) and Windows NT (in particular) which make every remote administration tool a two-edged sword.

Although Microsoft labeled cDc a dangerous band of hackers with evil intentions, it also said that BO2K was not a serious threat, because numerous programs like it already exist. Dildog of cDc agrees, noting that Microsoft's own SMS (Systems Management Server) does pretty much what BO2K does, but in a much messier fashion. SMS is larger and far clunkier, and much harder to hide from the user. Yes, SMS too has a feature that lets an administrator hide its operation from the user, even though that same capability is routinely cited as proof that BO2K is a hacking tool.

Although Microsoft is an easy target for another pie in the face, the bigger issue, according to Dildog, one of the primary architects of BO2K, is that software in general has no reliable trust model. "We need some kind of committee or organization to address the issue of Trojan horses in general," he says. "There are hundreds of Trojans out there--check any Web site that documents viruses, worms and Trojans--and as individual hard drives increasingly become interfaces to the Internet, users can’t possibly know who or what to trust."

Microsoft's Authenticode addresses the "who" by authenticating who signed the program, but not what the program does. And anyway, the "who" can be spoofed. In the current environment of ubiquitous distributed computing, no operating system provides a solution to the problem of stealthy executables. Such a solution could be layered on the operating systems that already exist, Dildog adds, using a system-level auditing sandbox that runs a suspect program and records what it tries to do before it is admitted to the system. "We hope BO2K will be a catalyst to stir the industry into action," he says.
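To make the "who" versus "what" distinction concrete, here is an added example (not code from this article, from cDc, from BO2K or from Microsoft's Authenticode) of the two checks Dildog separates: a "who" check that verifies a signature over a script's bytes, and a "what" check that runs the script under an auditing hook and refuses operations outside a small allow-list. Everything in it is constructed for illustration: the publisher key is a pre-shared HMAC key standing in for a real code-signing certificate, the sandbox uses Python's sys.addaudithook (Python 3.8 or later) rather than a system-level hook, and SUSPECT_SCRIPT is a made-up "signed but malicious" payload. The point it shows is that the signature verifies regardless of behaviour, and only the sandbox sees the attempted account creation.

```python
"""Added example: separating "who signed it" from "what does it do".

All of this is constructed for illustration; it is not BO2K's code nor
Microsoft's Authenticode. Requires Python 3.8+ for sys.addaudithook.
"""
import hashlib
import hmac
import os          # pre-imported so the sandbox log shows the script's own
import subprocess  # actions rather than the files import machinery opens
import sys

# Assumption: a pre-shared HMAC key stands in for a publisher's signing
# certificate. A real Authenticode check would verify an X.509 chain instead.
PUBLISHER_KEY = b"demo-publisher-key"

# Constructed sample: a script a "trusted" publisher could perfectly well sign.
# Its first action is harmless reconnaissance; its second adds a local account.
SUSPECT_SCRIPT = b"""
import os, subprocess
names = os.listdir(".")
subprocess.Popen(["cmd.exe", "/c", "net user bo2k Pa55w0rd /add"])
"""


def sign(script: bytes) -> str:
    """The 'who': a tag over the exact bytes, tied to the publisher key."""
    return hmac.new(PUBLISHER_KEY, script, hashlib.sha256).hexdigest()


def verify_who(script: bytes, signature: str) -> bool:
    """Passes for any bytes the publisher signed, whatever they do."""
    return hmac.compare_digest(sign(script), signature)


class Blocked(Exception):
    """Raised from inside the audit hook to abort a refused operation."""


# Audit events the sandbox refuses outright; other watched events are logged.
DENY = {"subprocess.Popen", "os.system", "socket.connect", "socket.bind",
        "os.remove", "os.rename"}
WATCH_PREFIXES = ("open", "os.", "socket.", "subprocess.")


def audit_what(script: bytes) -> dict:
    """The 'what': run the script under an audit hook and record its behaviour.

    Returns {"events": [(event, first_arg_repr), ...], "stopped": event_or_None}.
    A refused operation is aborted before it happens; other exceptions from
    the script propagate to the caller.
    """
    events = []
    active = [True]  # audit hooks cannot be removed, so ours is switched off instead

    def hook(event, args):
        if not active[0] or not event.startswith(WATCH_PREFIXES):
            return
        events.append((event, repr(args[0]) if args else ""))
        if event in DENY:
            raise Blocked(event)  # propagates out of the audited call

    sys.addaudithook(hook)
    stopped = None
    try:
        exec(compile(script, "<suspect>", "exec"), {"__name__": "__sandbox__"})
    except Blocked as exc:
        stopped = str(exc)
    finally:
        active[0] = False
    return {"events": events, "stopped": stopped}


def admit(script: bytes, signature: str) -> dict:
    """Both checks together: admission needs a valid signature AND clean behaviour."""
    who_ok = verify_who(script, signature)
    what = audit_what(script) if who_ok else {"events": [], "stopped": None}
    return {"who_ok": who_ok, "what": what,
            "admit": who_ok and what["stopped"] is None}


if __name__ == "__main__":
    verdict = admit(SUSPECT_SCRIPT, sign(SUSPECT_SCRIPT))
    print("signature valid:", verdict["who_ok"])       # True: the 'who' passes
    for event, arg in verdict["what"]["events"]:
        print("  tried", event, arg)
    print("stopped at:", verdict["what"]["stopped"])  # subprocess.Popen
    print("admit:", verdict["admit"])                 # False
```

Two caveats a practitioner would add: an in-process audit hook only sees what the interpreter reports, so a payload that drops to native code or that behaves differently when it detects the sandbox (the classic objection to "run it and see") walks straight past it, which is why Dildog asks for the hook at the system level; and a Python audit hook cannot be uninstalled, so a long-running auditor must deactivate hooks rather than try to remove them.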

In the meantime, should enterprise security folks be worried about BO2K? Well, yes and no. The program is both a powerful hacking tool, particularly if network users are lazy, complacent or committed to mischief, and a powerful tool for security and remote administration. It is the nature of distributed computing itself that makes tools like BO2K double-edged, and that is why the real problem is more complex than name-calling: how to create tools for secure remote administration in a safe, open manner.


Richard Thieme (rthieme@thiemeworks.com), a contributing writer for Information Security, speaks, writes, and consults on the human dimensions of technology and the work place.

BO2K Brouhaha originally appeared in the August 1999 issue of Information Security magazine (http://www.infosecuritymag.com) ©1999. All rights reserved.

©2001 Richard Thieme. All Rights Reserved.