October 1998

NT News Analysis


Last August, a group of ethical hackers who call themselves Cult of the Dead Cow (cDc) released Back Orifice (BO), a supposed remote administration tool for Windows. With BO, hackers can remotely control any Windows 95 or Win98 computer across a TCP/IP connection. As the cDc Web site puts it, "BO gives its user more control of the remote Windows machine than the user at the keyboard of the remote machine has."

Any action that you can perform at the local console, hackers can perform remotely, including editing the Registry and executing applications. In fact, BO provides more detailed process control than the local console, giving hackers the ability to spawn and kill processes at will. Hackers can also access any resource that you can access, including network resources.

The BO executable, which is only 120KB, is easy to use yet hard to detect. Hackers can attach BO to any executable, including self-extracting ZIP files. BO will install itself and then remove its installation files. The program will launch each time you boot the host computer, but it won't appear in the Task or Close Program list. As a result, if you download a self-extracting ZIP file that contains BO, you won't even know of BO's existence on your system.

You might be thinking to yourself, "But for this program to hurt me, a hacker would have to know the IP address of the infected machine. How would the hacker get that address?" If you've downloaded a file from the Internet, you've left an IP address trail. Even if you haven't, BO has yet another feature: It accepts third-party plug-ins.

One of the first plug-ins to appear is Butt Trumpet. (Although the names Butt Trumpet and BO are juvenile, they don't lessen the seriousness of the problems they can cause.) Butt Trumpet lets hackers send an email to a preset Simple Mail Transfer Protocol (SMTP) server's email address to identify the IP address of the system. SMTP email headers commonly include the route the message took from the sender's IP to the machine that receives it. An account set up on an anonymous remailer or a Web-based mail host (such as Hotmail) can ensure the anonymity of hackers. Once hackers establish BO on one machine in a network, they can propagate BO throughout the network with little trouble.
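The IP-disclosure mechanism described above rests on how SMTP relays record the route a message took. The following is an added example, not code from the article or from cDc, showing how a mail administrator or incident responder can walk the Received: headers of a message to recover that route; the message, host names and addresses are constructed for illustration.

```python
import re
from email import message_from_string

# Constructed sample message (not from the article): two relay hops.
# Each MTA prepends its own Received: line, so the last Received: header
# in the message describes the earliest hop.
SAMPLE_MESSAGE = """\
Received: from mail.example.org (mail.example.org [203.0.113.10])
\tby mx.example.net with ESMTP id abc123
\tfor <drop@example.net>; Tue, 1 Sep 1998 10:00:00 -0700
Received: from win95-box (dialup-42.isp.example [198.51.100.42])
\tby mail.example.org with SMTP id xyz789;
\tTue, 1 Sep 1998 09:59:58 -0700
From: nobody@example.org
To: drop@example.net
Subject: hello

body
"""

# Bracketed IPv4 literal as written by the receiving MTA: "from host [ip]".
IPV4 = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def received_path(raw):
    """Return the IPv4 addresses in Received: headers, earliest hop first.

    The bracketed address is what the receiving MTA observed on the TCP
    connection, so the sending host cannot alter that line. It can,
    however, insert fabricated Received: lines below it, so only the lines
    written by MTAs you trust are reliable.
    """
    msg = message_from_string(raw)
    hops = []
    for header in reversed(msg.get_all("Received", [])):
        match = IPV4.search(header)
        if match:
            hops.append(match.group(1))
    return hops


def originating_ip(raw):
    """First hop recorded in the message, or None if there are no hops."""
    path = received_path(raw)
    return path[0] if path else None
```

Run against a real message, the first element of the path is the address the infected host connected from, which is exactly what the plug-in relies on to report back.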

One scary feature of this tool is that it requires no technical skills to use. Anyone who can create a self-extracting ZIP file can create a BO attack. Hackers needed technical skills to exploit most of the security holes previously found in Windows.

At press time, Microsoft was downplaying the significance of the potential problems that BO can cause. Microsoft states, "Back Orifice does not pose a threat to users of Windows 95 or Windows 98 who follow reasonable and safe Internet computing practices, such as not installing software from unknown and untrusted sources....There is no threat to customers of Windows NT Workstation or Windows NT Server; the program does not run on the Windows NT platform. The author[s] of Back Orifice do not directly claim that their product poses any threat to Windows NT, even though it seems to be implied." You can read Microsoft's full response at http://www.microsoft.com/security/bulletins/ms98-010.htm.

At least one vendor, Fresh Software, has released a product it claims automatically detects and removes BO. For more information about the product, AntiGen 1.0, go to http://www.arez.com/fs.


Yet Another Xeon Delay
In the past 6 months, I've reported so many different Xeon delays in NT News Analysis that I've assigned the phenomenon an acronym: YAXD. Pronounced yawks-dee, this acronym stands for Yet Another Xeon Delay.

This time around, Intel is delaying the 450MHz version of the NX chipset until early 1999. This critical release supports 4-way symmetric multiprocessing (SMP) with the new 2MB Level 2 cache version of the Xeon CPU and up to 8GB of RAM.

The 450NX delay comes on the heels of a similar setback with the 400MHz version of the same NX chipset. That delay cost server vendors dearly. Major players, such as Compaq Computer, are only now bringing their 4-way, 400MHz (with 512KB to 1MB Level 2 cache) NX-based systems to market, even though the vendors announced the systems last spring.

Intel is denying the rumor that the delay is a result of a bug in the chipset. Instead, Intel claims that the delay is the result of conducting more extensive compatibility tests. According to company officials, Intel wants to test as many configuration permutations as possible because of the 450NX platform's likely popularity.

Chipset delays of this magnitude tend to have a ripple effect through an entire product line. Many industry analysts are predicting that a delay in the 450NX chipset might affect the introduction of Profusion, the long-awaited 8-way SMP platform. Although Intel officials deny a possible Profusion delay, at least one OEM customer claims to have heard that Intel will not release Profusion in the fourth quarter of this year as originally planned.

One introduction that the 450NX delay won't affect is the 450MHz (2MB Level 2 cache) Xeon CPU for workstations. According to Intel, the new CPU and its supporting chipset are on track to debut in systems by year's end.

Xeon will be the newest addition to an already crowded Pentium II processor family. With so many models to choose from and with high-end performance separated solely by clock speed and cache size, many corporate customers are renewing their interest in the low-end of the P6 market (Celeron and its derivatives). This renewed interest translates into margin erosion for Intel. Unless Intel finds a way to drive high-end PC sales, Intel risks stalling the very market it is trying to rev up with its multichip strategy. (For information about workstation PC pricing, see "FTC Is Helping Keep Alpha Alive," page 40, and "Workstation vs. High-End PC Hardware," page 44.)

Although this news is bad for Intel and its OEM partners, it is good for consumers. It might mean lower prices for today's hottest systems.



Reader Comments
In NT News Analysis: “Is It a Tool or a Curse?” (October), David Chernicoff wrote about Back Orifice (BO), the program that a group of ethical hackers who call themselves Cult of the Dead Cow (cDc) produced. I have two comments about this program and its effect on Windows NT users.

First, this program doesn’t exploit any holes in the operating system (OS); it uses only the built-in Windows APIs. As an IS support person for a company that uses Microsoft for its desktop environment, I’m frightened by this factor. How do you patch security holes when the company that produced them denies they are a problem?

Second, many NT users have an it-won’t-happen-to-me attitude about this kind of program affecting their computers. Although cDc has not yet produced an NT version of BO, another program, NetBus, allows this functionality—and more—on NT. NetBus functions almost the same way as BO does, and hackers can include it in self-extracting ZIP files. When installed, this program connects via IP and runs every time a user logs on to the computer. The program shows up only in the process list and takes the name of whatever the executable was originally called (e.g., explorer.exe). NetBus shows that NT is vulnerable, and that we need to be wary of the software we come in contact with.

--Thomas Steiger

Thomas Steiger August 11, 1999


Windows IT Pro is a Division of Penton Media Inc.
Copyright © 2008 Penton Media, Inc., All rights reserved.