Good offense is best defense against Back Orifice

The Cult of the Dead Cow has done a marvelous publicity job. Before Back Orifice 2000's release, the Internet hummed with speculation. The good news is that this new code represents only a small incremental step in PC attack capability. Back Orifice 2000 doesn't exploit vulnerabilities in Windows; it exploits vulnerabilities in your people.

Programs such as Back Orifice create backdoors on Windows PCs. A component runs in the background, waiting for a TCP connection. A remote graphical user interface (GUI) client can start and stop applications; delete, copy or change files; capture keystrokes; dump the screen; and even monitor an attached video camera or microphone.

Although a self-replicating backdoor is likely - especially given the availability of Back Orifice's source code - such hostile code, or "malware," has not yet appeared. Most backdoor infections are in the form of Trojan horses. Screen savers, video games and greeting cards are common on the 'Net, but sometimes a double click results in a surreptitious hostile code installation.

Backdoors listen patiently for connection requests. Their convenient GUI management interfaces can scan a range of IP addresses, automatically finding exploitable hosts. Virtually every IP address reachable on the Internet is regularly scanned.

Firewalls aren't a cure-all for malware. They can reduce successful connection attempts, but hostile code that connects back out from inside a firewall is becoming more common.
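The two connection patterns described above, a backdoor listening for an inbound TCP connection and hostile code that connects back out past the firewall, can both be screened for in a host's connection table. This is an added example, not part of the original column: the connection records, the baseline of expected listeners and the list of processes allowed to make outbound connections are all constructed for illustration.

```python
"""Screen a host's connection table for unexpected listeners and connect-back sessions.

Added example; the baseline, allow-list and sample records are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Conn:
    proto: str       # "tcp" or "udp"
    local_port: int
    remote: str      # "ip:port" for a session, "" for a listener
    state: str       # "LISTEN" or "ESTABLISHED"
    process: str     # image name that owns the socket


# Constructed baseline: services a managed Windows desktop is expected to expose.
EXPECTED_LISTENERS = {("tcp", 135), ("tcp", 139), ("udp", 137), ("udp", 138)}

# Constructed allow-list: processes that legitimately open outbound connections.
OUTBOUND_ALLOWED = {"iexplore.exe", "outlook.exe", "avupdate.exe"}


def unexpected_listeners(conns):
    """A classic backdoor waits for an inbound connection, so any listener
    outside the baseline deserves a look."""
    return [c for c in conns
            if c.state == "LISTEN" and (c.proto, c.local_port) not in EXPECTED_LISTENERS]


def connect_back_candidates(conns):
    """The firewall blind spot: an established session whose local port is not
    one of our services (so it was opened from the inside) by a process with no
    business talking to the Internet."""
    return [c for c in conns
            if c.state == "ESTABLISHED"
            and (c.proto, c.local_port) not in EXPECTED_LISTENERS
            and c.process.lower() not in OUTBOUND_ALLOWED]


def review(conns):
    """Triage summary: process names behind each class of finding."""
    return {
        "unexpected_listeners": sorted(c.process for c in unexpected_listeners(conns)),
        "connect_back_candidates": sorted(c.process for c in connect_back_candidates(conns)),
    }


# Constructed sample connection table (documentation IP ranges, made-up ports).
SAMPLE = [
    Conn("tcp", 139, "", "LISTEN", "System"),                          # expected service
    Conn("tcp", 40321, "", "LISTEN", "gift.exe"),                      # unknown listener
    Conn("tcp", 1052, "192.0.2.10:80", "ESTABLISHED", "iexplore.exe"),  # normal browsing
    Conn("tcp", 139, "192.0.2.55:1044", "ESTABLISHED", "System"),       # inbound file sharing
    Conn("tcp", 1061, "198.51.100.7:443", "ESTABLISHED", "scrnsvr.exe"),  # connect-back
]

if __name__ == "__main__":
    print(review(SAMPLE))
```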

Fortunately, while covert code continues to proliferate, effective countermeasures do as well. No single countermeasure is adequate in isolation, but a multipronged approach involving careful systems management and user education is effective.

Install antivirus software on all desktops, configure it to provide real-time protection and ensure that the virus definition files are updated automatically every month. Virus-wall products that scan incoming e-mail are also useful. Use a different brand of antivirus product on the mail scanner, and remember that antivirus software can only detect known hostile code.

Practice good system administration and only allow users access to what they need. Malware typically exploits the victim's own system privileges. Don't let your NT administrators receive mail or execute office automation software using the same account they use for systems management.

The best defense is user awareness. Train users not to execute software sent through e-mail - even if it's from a reliable source. If users access your LAN remotely over the Internet, your LAN can be attacked if any of those remote PCs ends up with a backdoor on it. Prepare your laptop users as well and keep their antivirus software current.

The hostile code threat will continue to steadily increase, and no magic bullet can protect your organization. Fortunately, you can survive hostile code by following best practices for administration and user training.

Heiser is a security consultant in the Falls Church, Va., office of International Network Services, a global provider of network consulting and software solutions. He can be reached at jay_heiser@ins.com.