Press Contact: The Deth Vegetable
cDc Minister of Propaganda veggie@cultdeadcow.com
[July 19th, San Francisco] The CULT OF THE DEAD COW (cDc) publicly challenges Microsoft Corporation to voluntarily
recall all copies of its Systems Management Server network software. In addition, cDc calls for the antivirus industry
to respond with signature scanning for SMS files.
"Hypocrisy" is such an ugly word. So instead, why don't we just chalk this one up to Do-What-We-Say-Not-What-We-Do?
Microsoft evidently dislikes our new tool so much that they've taken to complaining about one of its key features. We're
talking about Back Orifice 2000, and the feature in question is its stealth mode.
Microsoft has claimed that BO2K is a malicious tool with no legitimate use. Their primary evidence is BO2K's stealth
feature, which gives you the option to run the server on the remote machine without it being evident to anybody sitting
at that machine.
In fact, here's what they're saying right now on the Microsoft Security Advisor website:
BO2K is a program that, when installed on a Windows computer, allows the computer to be remotely controlled by another
user. Remote control software is not malicious in and of itself; in fact, legitimate remote control software packages
are available for use by system administrators. What is different about BO2K is that it is intended to be used for
malicious purposes, and includes stealth behavior that has no purpose other than to make it difficult to detect.
http://www.microsoft.com/security/bulletins/bo2k.asp
Now, we concede that on its face, this sounds like a valid criticism. Being able to operate a remote admin tool without
the person at the other end knowing that it's running on the machine seems downright devious. (Keep in mind that BO2K's
stealth feature is an OPTION, which is in fact disabled by default.)
Maybe Microsoft is right; perhaps this stealth feature in and of itself is enough to brand it a hacker tool with no
redeeming social value.
But then, what are we to make of Systems Management Server (SMS)?
SMS is Microsoft's remote admin tool for Windows. As it happens, SMS has a nearly identical stealth feature. As a matter
of fact, they explain this feature in a Word document available from the Microsoft website:
Security
Of all the operations that Systems Management Server allows you to do on a client, remote control is possibly the most
"dangerous" in terms of security. Once an administrator is remote controlling a client, he has as many rights and access
to that machine as if he were sitting at it. Added to this, there is also the possibility of carrying out a remote
control session without the user at the client being aware of it. Thus, it is important to understand the different
security options available and also to understand the legal implications of using some of them in certain
jurisdictions."
Visible and Audible Indicators
It is possible to configure a remote control from a state where there is never any visible or audible indication that a
remote control session is under way. It has been made this flexible due to customer demands ranging from one end of this
spectrum to the other. When configuring the options available in the Remote Tools Client Agent properties, due notice
must also be taken of company policy and local laws about what level of unannounced and unacknowledged intrusion is
permitted."
http://www.microsoft.com/smsmgmt/techdetails/remote.asp
Notice that? Microsoft's own tool has the same evil capability as BO2K.
Now, Microsoft did not invent surreptitious desktop surveillance; there are other products on the market that perform
these functions. Microsoft is just the largest supplier of the technology, as SMS comes bundled with each copy of Back
Office.
Why is it that Microsoft can offer a tool having this illegitimate functionality without any moral qualms, but when WE
do it, they throw a hissy fit? Well... we have a hunch.
"Microsoft wants to keep everybody talking about the evil software from us crazy computer hackers. So they paint BO2K as
a dangerous application with no constructive uses," says Reid Fleming (cDc). "We beg to differ."
BO2K doesn't exploit any bugs in the Windows operating system that Microsoft is willing to categorize as such. So in
order to convince the public that BO2K is a solely destructive tool, Microsoft is forced to criticize the tool's feature
set. Evidently whoever dreamed up this press strategy was unaware of Systems Management Server and its stealth feature.
Of course, there's another possibility. Microsoft sells SMS for cash money. Meanwhile, BO2K is free. (It's also open
source, and better constructed any way you measure it: size, efficiency, functionality, security.) Maybe this is just
another example of Microsoft's alleged anticompetitiveness?
"BO2K, like SMS, is a powerful software tool. Like any powerful tool, it can be used either responsibly or
irresponsibly," says Count Zero (cDc). "For Microsoft to claim that BO2K has no legitimate purpose is ridiculous. Their
own SMS tool has nearly the same functionality as BO2K, and Microsoft is happy to let you pay $1,000+ for it."
Regardless of their motivations, Microsoft is selling software which does many of same things as Back Orifice 2000,
including the pernicious ability to run hidden from the user. And if stealth mode is what makes BO2K a malicious
program, then Microsoft's Systems Management Server is a malicious program too.
Consequently, we challenge Microsoft to recall all copies of the SMS administration tool, because its featureset
contains stealth capability. This feature clearly illustrates that their software has no legitimate use. Furthermore, we
urge all antivirus vendors to include signatures for SMS in their scanner utilities.
Back Orifice 2000 is available for download free of charge from http://www.bo2k.com/.
APPENDIX
Equally hypocritical quotes from Microsoft about Back Orifice:
"Users who are tricked into getting this thing installed on their system are vulnerable to the attacker, who can then
do anything that the victim can do -- move the mouse, open files, run programs, etc. -- which is little different from
what legitimate remote-control software can do. Back Orifice, however, is designed to be stealthy and evade detection by
the user."
"In fact, it really ends up doing bad things -- that’s what a Trojan horse does. Back Orifice falls into that category
because it is intentionally designed to hide itself from detection. The creators claim that this is a useful
administration tool, but it doesn’t even prompt people when it installs itself on the system. It doesn’t warn them that
it’s getting installed. And, once it’s installed, it makes the system available to other people on the Internet. That is
a malicious act."
"It’s incomprehensible why a tool like this would be created. [...] [T]here’s no purpose for this tool other than
harming actual users of software products."
-- Jason Garms, lead product manager for Windows NT security Microsoft's prefabricated interview, 8-July-1999
The CULT OF THE DEAD COW (cDc) is the most influential group of hackers in the world. Formed in 1984, the cDc has
published the longest running e-zine on the Internet, swallowed swords, made waffles, and so on.
For more background information, journalists are invited to check out our Medialist at
http://www.cultdeadcow.com/news/medialist.htm.