Defcon Live!

Adam L. Penenberg, 07.16.99

DILDOG, A MEMBER OF THE HACKER GROUP ‘CULT OF THE DEAD COW,’ is lounging in his hotel suite, a smile smeared on his face. Being Las Vegas in July, the temperature outside is 100 degrees, but Dildog is air-conditioned cool. The unveiling of his latest software upgrade for Back Orifice, a not-so-subtle dig at Microsoft’s Back Office, was a success, a raucous party that had more in common with a heavy metal concert than a software release.

A gaggle of groupies, most of them in their twenties and dressed in noir black, with tattoos, piercings and scraggly hair, wait for him. They sit cross-legged on the carpet, availing themselves of a well-stocked minibar piled high with bottles of vodka, bourbon, whiskey.

Of the 3,000 hackers, crackers, geeks, “scene whores” (hacker groupies), computer security professionals, journalists, undercover cops and federal agents who attended this year’s Defcon hacker convention, 2,000 of them crammed into a conference room at the Alexis Park Hotel to watch the “BO2K” release. Last year, Cult of the Dead Cow had chosen Defcon to release the first version of its Back Orifice. Written by fellow Cult member Sir Dystic, it works on Windows 95 and 98 machines by secretly creating a backdoor so that a remote user can control all functions on those computers. The upgrade Dildog coded is designed to work with networks that run on Windows NT, and it hides itself extremely well.

While software makers, computer security companies, antivirus makers and law enforcement say the release of BO2K is just a way for hackers to legitimize illegal computer intrusions, Dildog claims he is just trying to point out potential problems with Microsoft’s software. Computer security companies are “afraid to admit that their detection system is horribly and possibly irreparably flawed,” he says. “[They] give people the impression their software ‘raises the bar’ against the average hacker. Unfortunately, this also fools people with really critical networks into thinking that this software is sufficient to protect them. People trusting this stuff to protect them from Trojan horses are in for a surprise.”

Cult of the Dead Cow members didn’t come all the way to Las Vegas to disappoint, and they didn’t. They kicked off the conference with a laser-light show, culminating in a deafening electronic moo sound. The crowd roared. Then, while Dildog and his associates explained their don’t-blame-us-if-Microsoft-products-suck philosophy, a CD-ROM label was projected on the wall behind them, a cow head spinning and spinning.

At the end of the presentation, Cult members flung some two-dozen CD-ROMs containing the Back Orifice update. The crowd surged forward. Antivirus makers and computer security company reps watched closely, hoping to later corral someone with a copy. The first one to crack the program would win bragging rights, their names in a press release, perhaps even a mention in some magazine or newspaper articles as heroes who thwarted the evil intentions of the Cult of the Dead Cow hacker gang.

An employee of ISS, the big-time computer-security company based in Atlanta, Ga., threw himself into the mob and somehow snagged a copy. Within 24 hours, the company would crack parts of the program and release an application that could identify it.

At the time, Dildog didn’t know this, and even if he had he wouldn’t have cared. In an earlier Internet conversation, an ISS employee approached him and asked how much of a bribe it would take for him to pass the company an advance copy of the software, he claims. As a joke, the Cult sent back a note saying it would take $1 million and a monster truck. ISS denies the company ever offered money for the software.

Although ISS has been more than happy to play up the fact that it can detect the software, Dildog says he fully expected that companies would not only reverse engineer it, they would soon come up with a removal tool. That is why he released his software as “open source.” That means hackers the world over can tweak the code to suit their needs.

For every new version that hits the Net, computer security companies will have to create new ways to counter it. Although antivirus makers have been pretty good at picking up polymorphic versions of the same program, it will be interesting to see what the overall impact of BO2K will be. Often, network administrators forget to apply the latest versions of antivirus software, or incorrectly configure parts of their network, leading to holes that would enable BO2K to fester.

Already, BO2K has made it onto some hacker sites, bugs and all. Some users say the program has a tendency to crash and some files were improperly coded. But in the next couple of weeks or so, Cult of the Dead Cow plans to fix any glitches and post the new and improved program on its web site. From previous experience, Dildog knows that BO2K will then spread like a virus, morphing into perhaps dozens of different versions.

The group claims it counted more than 300,000 downloads of the original Back Orifice, which ran solely on Windows 95 and 98 and was spread primarily by E-mail attachment. Who knows how many other copies were spread friend-to-friend, hacker-to-hacker, “cracker”-to-victim?

Back in his hotel suite, Dildog’s cool is slightly interrupted. When told some hackers who had attended his BO2K launch thought the spectacle undermined his credibility and made him look arrogant, he sniffed, “I never said I wasn’t arrogant. Besides, why shouldn’t every software release be like a rock concert?”

Copyright 1999 Adam L. Penenberg (