At the time I worked for the University, and every student had a completely open public IP address. Needless to say a lot of people were getting nailed by this.
We actually built a scanner that would specifically check for this vulnerability, and then automatically shut off your ethernet port until you called us and asked us to help you turn it back on.
It wasn't even much of a trojan or a backdoor. BO announced itself as a RAT and that was exactly what it did.
BO was a virus as much as an OpenSSH server is a virus. It actually provided some pretty useful remote administration tools that weren't available for consumer versions of Windows until Windows NT became the standard.
Most people tend to have a weird assumption if it's detected by an anti-virus scanner, whatever it is, is a virus even though the A/V tool will give it a different classification.
Or, when they asked "Want to see my picture?" after starting a conversation through the 'random' chat option of ICQ (which only had a user status icon of 'Available for random chat' to indicate it was actually random).
The attacker would send you a file ICQ called 'mypic.jpg', with a button 'Open file' below the name. Most users weren't aware that ICQ would just cut off any characters from a filename that were too long to display. So 'mypic.jpg _ _ _ _ _ _ _ _ _ _ .exe' would just show 'mypic.jpg'.
If you click 'Open', BackOrifice would install invisibly and delete the original installing file. You would be confused and look for the picture after 'Open' just did nothing, but it wouldn't be on the disk. So you message the attacker back with "Oh I didn't get it." and they send you some other, actual jpg, 'mypic.jpg' and you forget all about it.
This was before UAC, before Zone.id and Mark of the Web marking programs as 'Dangerous files' if they came from the internet. So no confirmation was required to execute. No firewall came up saying "Hey this is trying to access the internet".
And it could do everything CDC said it could. View a screen, look through files, access their camera, control their desktop.
I'm sure someone at MS eventually regretted their statements because the initial response then doesn't reflect their reaction over the long term:
> "Back Orifice" does not expose or exploit any security issue regarding Windows, Windows NT, or the Microsoft BackOffice suite of products.
> Users of Windows 95 and Windows 98 following safe computing practices (including not installing software from unknown and untrusted sources) are not at risk.
> As far as demonstrating an inherent security vulnerability in the Windows platform, this is simply not true. "Back Orifice" could introduce security vulnerabilities in the system on which it is installed, but, as with all other software, a user must make the choice to install it.
Anyway, BackOrifice is why you now get so many pop-ups trying to run an executable from the internet.
Wow. Totally unprofessional when you compare it with today's security bulletin standards. This downplays risks and blames the user. Was this common back then?
Wow. Apparently, respecting user freedom and personal responsibility is now "unprofessional".
I haven't seen a more blatant exposure/confirmation of the deep-seated authoritarian control-freak mindset that has permeated the whole computing industry.
Yes, back then it was common and expected that users were responsible for their own decisions. Now the industry is taking away that freedom and telling them it's for their own good.
> I haven't seen a more blatant exposure/confirmation of the deep-seated authoritarian control-freak mindset that has permeated the whole computing industry.
Can I use this as a testimonial? Chill... at least if you want me to discuss this further.
> Yes, back then it was common and expected that users were responsible for their own decisions.
You do not chose and decide to be victim of a scam. At least I presume the "if you wouldn't have downloaded hacker stuff from weird websites you wouldn't have caught malware" was as wrong back then as it is now and is just shifting the blame to the user.
I find this an incomprehensible position. I've used computers 25 years. I've worked professionally with them for 10+ years. I know more about the runtime and workings of a computer than any of the architects, tech leads, or principal engineers at my company. I don't know how a computing device works fully. 99% of people working in 'tech' don't. So 99% of the professionals aren't to this standard, and we expect end users to be?
What percentage of car drivers are fully qualified vehicle inspectors?
Do you know how to fully use your phone? Would you be aware if pegasus spyware was installed?
> What percentage of car drivers are fully qualified vehicle inspectors?
AFAIK, all car drivers are required to go through specialized training, and pass through periodic skill examinations. You should not be (and are legally forbidden from) operating a car if you don't know how to use it.
Not in the US, at least not anywhere I've lived. The only regular re-examination is an eyesight test. There is no skill testing after the initial license issuance, and there won't be unless the license status is fully lost - waiting too long after expiration, revocation, that sort of thing.
The only regular re-examination is an eyesight test.
And, at least in the state of WA, that "eyesight test" consists of a checkbox on a form that says, "Your eyes aren't shit, are they?". I've checked that box, and I overheard a person well past retirement age tell the same story at a restaurant. I get regular eye exams, but I don't know about the guy at the restaurant.
The last time I took a physical skills test was 40-some years ago. The last time I took a "written" test was...I don't know, ten years? And guess what? I still remember getting a question wrong on that test (despite having lived in WA for over ten years at the time), and what do you know, TIL something about WA road laws. They should test me (and everyone else) more often, and not make half the questions "how much can you drink and still safely drive?"
Oof. In the half dozen states I've lived in, it's an actual vision test. It's not a very good one and I've managed to squint my way through it to keep the corrective lenses required marker of my license...but I did have to correctly report what I saw to renew my license.
If you drive a car down a railway track is it your fault or the sat nav's fault for saying "turn left"
We expect certain minimum skill in operating equipment
Now open an email and have it silently install exploiting a bug in your mail client/browser/network stack, that's one thing. That wasn't this though, this was some software which did exactly what it said on the tin.
Oh no, it totally got bundled into different files using other tools with creative names like saranwrap and silkrope whose job it was to disguise the software, and after it was installed silently replace the bundled executable with an ordinary unbundled one to stymie attempts at further analysis.
I'm not certain what GP is on about. There were copious ways to distribute (deliberately payload) infected files back in the day and it was common windows user practice to just download and run executables (especially if they appeared to be installers from reputable-seeming websites) and zero free virus scanning or firewall options were available: all were for pay and all were terrible. None certainly shipped with Windows itself.
Plus as mentioned elsewhere plenty of third party software like ICQ enabled benign-seeming mechanisms to view documents which could be exploited to instead run infected executables.
This depends what you mean by "security bulletins". In general, Microsoft did stop publishing from their traditional, hand written format a while back.
The closest you get this is sort of thing now, which is completely automated and frequently wrong, and assumes you know what CVE you were searching for.
One of the bigger vulnerabilities in recent times was Printnightmare, where they did write ups like this due to visibility. I don't feel it actually says much.
There were a lot of Twitter threads about the shitstorm that I can no longer find back when all their bulletins changed formats, but the general reason was moving their "good" bulletins behind an E5 license. Which again, I know some people consider "professional".
So to actually answer your question, here's a screenshot from a paywalled security bulletin. You can see from the scrollbar I'm near the top, and the "Recommendations" are all Defender features (with "apply patch" almost a hidden detail). The statement about configuring AMSI is not a Sharepoint recommendation, it's a Windows security feature originally tied into Defender.
And everything from here on in this security bulletin on to Sharepoint vulnerabilities - of which very little useful technical information is presented - is about Defender.
Of course, not just the EDR, the first point is about EASM, a feature licensed on top of Defender. The detection hunting details further down require a P2 license on top of that to be able to use.
Despite all that, it's not a fair comparison. I can't find anything in the E5 portal that is a reflection of this thread, where MS respond to a backdoor people are installing on their own.
Thanks for taking the time to elaborate... and for the insights! I don't know why my initial post is received that aggresively, maybe I miscommunicated something.
I only know the mostly autogenerated MSN Developer Resources. not helpful.
“Windows 95 and Windows 98 offer security features tailored to match consumer computer use. This consumer design center balances security, ease of use, and freedom of choice. The security features in Windows 95 and Windows 98 enable consumers to create a safe computing environment for themselves while preserving their freedom to choose which sites they visit and what software they download. However, neither operating system is designed to be resistant to all forms and intensities of attacks.”
That is some fantastic marketing spin! Microsoft should be somewhat ashamed for writing this.
46 comments
[ 4.6 ms ] story [ 96.7 ms ] threadAt the time I worked for the University, and every student had a completely open public IP address. Needless to say a lot of people were getting nailed by this.
We actually built a scanner that would specifically check for this vulnerability, and then automatically shut off your ethernet port until you called us and asked us to help you turn it back on.
Good times.
At risk of being a pendant, BO wasn't self-replicating so it isn't a "virus" - it was just a trojan/backdoor utility.
BO was a virus as much as an OpenSSH server is a virus. It actually provided some pretty useful remote administration tools that weren't available for consumer versions of Windows until Windows NT became the standard.
The attacker would send you a file ICQ called 'mypic.jpg', with a button 'Open file' below the name. Most users weren't aware that ICQ would just cut off any characters from a filename that were too long to display. So 'mypic.jpg _ _ _ _ _ _ _ _ _ _ .exe' would just show 'mypic.jpg'.
If you click 'Open', BackOrifice would install invisibly and delete the original installing file. You would be confused and look for the picture after 'Open' just did nothing, but it wouldn't be on the disk. So you message the attacker back with "Oh I didn't get it." and they send you some other, actual jpg, 'mypic.jpg' and you forget all about it.
This was before UAC, before Zone.id and Mark of the Web marking programs as 'Dangerous files' if they came from the internet. So no confirmation was required to execute. No firewall came up saying "Hey this is trying to access the internet".
And it could do everything CDC said it could. View a screen, look through files, access their camera, control their desktop.
I'm sure someone at MS eventually regretted their statements because the initial response then doesn't reflect their reaction over the long term:
> "Back Orifice" does not expose or exploit any security issue regarding Windows, Windows NT, or the Microsoft BackOffice suite of products.
> Users of Windows 95 and Windows 98 following safe computing practices (including not installing software from unknown and untrusted sources) are not at risk.
> As far as demonstrating an inherent security vulnerability in the Windows platform, this is simply not true. "Back Orifice" could introduce security vulnerabilities in the system on which it is installed, but, as with all other software, a user must make the choice to install it.
Anyway, BackOrifice is why you now get so many pop-ups trying to run an executable from the internet.
Getting backdoored isn't a problem with the OS if you install the backdoor yourself
I haven't seen a more blatant exposure/confirmation of the deep-seated authoritarian control-freak mindset that has permeated the whole computing industry.
Yes, back then it was common and expected that users were responsible for their own decisions. Now the industry is taking away that freedom and telling them it's for their own good.
Can I use this as a testimonial? Chill... at least if you want me to discuss this further.
> Yes, back then it was common and expected that users were responsible for their own decisions.
You do not chose and decide to be victim of a scam. At least I presume the "if you wouldn't have downloaded hacker stuff from weird websites you wouldn't have caught malware" was as wrong back then as it is now and is just shifting the blame to the user.
You should not be operating a computing device if you don't know how to use it. This was true back then and it continues to be true now.
What percentage of car drivers are fully qualified vehicle inspectors?
Do you know how to fully use your phone? Would you be aware if pegasus spyware was installed?
AFAIK, all car drivers are required to go through specialized training, and pass through periodic skill examinations. You should not be (and are legally forbidden from) operating a car if you don't know how to use it.
Not in the US, at least not anywhere I've lived. The only regular re-examination is an eyesight test. There is no skill testing after the initial license issuance, and there won't be unless the license status is fully lost - waiting too long after expiration, revocation, that sort of thing.
And, at least in the state of WA, that "eyesight test" consists of a checkbox on a form that says, "Your eyes aren't shit, are they?". I've checked that box, and I overheard a person well past retirement age tell the same story at a restaurant. I get regular eye exams, but I don't know about the guy at the restaurant.
The last time I took a physical skills test was 40-some years ago. The last time I took a "written" test was...I don't know, ten years? And guess what? I still remember getting a question wrong on that test (despite having lived in WA for over ten years at the time), and what do you know, TIL something about WA road laws. They should test me (and everyone else) more often, and not make half the questions "how much can you drink and still safely drive?"
You don't need to know how a computing device works fully to know not to execute exe files you find lying around.
We expect certain minimum skill in operating equipment
Now open an email and have it silently install exploiting a bug in your mail client/browser/network stack, that's one thing. That wasn't this though, this was some software which did exactly what it said on the tin.
Didn't know that. Thanks for telling me instead attacking me like OP :/
I'm not certain what GP is on about. There were copious ways to distribute (deliberately payload) infected files back in the day and it was common windows user practice to just download and run executables (especially if they appeared to be installers from reputable-seeming websites) and zero free virus scanning or firewall options were available: all were for pay and all were terrible. None certainly shipped with Windows itself.
Plus as mentioned elsewhere plenty of third party software like ICQ enabled benign-seeming mechanisms to view documents which could be exploited to instead run infected executables.
I do agree some types of people would find that "professional " but I won't be one of them ..
Not that I can't imagine Microsoft actually doing that...
The closest you get this is sort of thing now, which is completely automated and frequently wrong, and assumes you know what CVE you were searching for.
https://msrc.microsoft.com/update-guide/vulnerability/CVE-20...
One of the bigger vulnerabilities in recent times was Printnightmare, where they did write ups like this due to visibility. I don't feel it actually says much.
https://msrc.microsoft.com/blog/2021/08/point-and-print-defa...
There were a lot of Twitter threads about the shitstorm that I can no longer find back when all their bulletins changed formats, but the general reason was moving their "good" bulletins behind an E5 license. Which again, I know some people consider "professional".
So to actually answer your question, here's a screenshot from a paywalled security bulletin. You can see from the scrollbar I'm near the top, and the "Recommendations" are all Defender features (with "apply patch" almost a hidden detail). The statement about configuring AMSI is not a Sharepoint recommendation, it's a Windows security feature originally tied into Defender.
https://ibb.co/WV1HN3q
And everything from here on in this security bulletin on to Sharepoint vulnerabilities - of which very little useful technical information is presented - is about Defender.
Of course, not just the EDR, the first point is about EASM, a feature licensed on top of Defender. The detection hunting details further down require a P2 license on top of that to be able to use.
Despite all that, it's not a fair comparison. I can't find anything in the E5 portal that is a reflection of this thread, where MS respond to a backdoor people are installing on their own.
I only know the mostly autogenerated MSN Developer Resources. not helpful.
Code red, slammer, iloveyou etc all spread through security bugs, but I don’t think BO did?
I remember some of them at least thought the apogee of fun was opening and closing at somewhat random times the CD-ROM tray.
Further back we had Phalcon/Skism, and similar. Later on I guess we had the various torrent-releasers with shifting memberships, feuds, and similar.
That is some fantastic marketing spin! Microsoft should be somewhat ashamed for writing this.