Back Orifice Back Door

There have recently been accusations that the Back Orifice Windows GUI client contains code which reports the results from subnet scans via http to www.netninja.com. As the sole author of both the server and the client, I should know better than anyone else what is in the code. I have attempted to answer some questions concerning these issues.

Is this possible?

It would be very easy to code either the client or the server to send any information it wanted to any address on the internet. Since the client is already listening on a UDP port (to receive response packets from the servers) it would also be possible to implement all the functionality of the BO server in the client. With a simple port scan, you could determine the port the client is listening on and send commands.

Is this likely?

Making a tcp connection to a static address is not very sly. It would be very easy to determine who the information is being sent to (in this case, supposedly www.netninja.com) and, being the known publisher of this well-known piece of software that did this, we would probably be getting into legal issues, and definitely ethical issues.

Is this true?

Neither the Back Orifice client nor the server contains any back door, master key, or hidden agenda. Previous to when NetNinja began developing BUTT Plugs, I had never heard of enigma or netninja, and would certainly have no reason to send them any data.

Why should we believe you?

You shouldn't. Although these claims are false, they are entirely possible. Back Orifice was intended to be an example of what could be done with unfriendly code. You may feel safe because you're running a program which says it will protect you against BO, but keep in mind that it does nothing to protect you from programs LIKE BO.

BO was not difficult to write, and anyone with minimal coding skills could write a similar program for ANY operating system which lacks the proper security to restrict a program's access to your computer and information. In fact, most 'virus' scanners which check for BO do NOT check for other KNOWN trojan-type programs already available (such as NetBus). It is also possible to change BO or put it in an encrypted wrapper so that these programs cannot detect it.

You should absolutely scrutinize any software you run, from LEGITIMATE SOURCES OR NOT. When you run any piece of software, you should ABSOLUTELY check to make sure it does not do anything it doesn't tell you about. A sniffer is the best way to determine if any network traffic is happening behind the scenes. If you see data going to any address you haven't requested a connection to, you should be absolutely suspicious. However, nobody has been able to provide actual logs of the supposed packets being sent to www.netninja.com.

When I first presented BO at Defcon, I was asked the question: "Does Back Orifice contain a back door?" to which I replied "Now would I do a thing like that?" This obviously made a lot of people paranoid (rightfully so) and I'm sure immediately sparked the idea that BO COULD contain a back door. However, until actual proof has been seen, you have as much reason to believe us as anyone else who is telling you otherwise.

Why would someone say BO is back doored?

The idea that BO might be hazardous to the user has already kept a fairly large percentage of people who have heard of BO from actually downloading and running it. Propagating this rumor will certainly increase that percentage. Many security companies and individuals have released or updated packages to protect users from BO, but there are still hundreds of thousands of vulnerable users who have never HEARD of BO who are at risk. Perhaps this is an attempt to reduce the number of curious users who might check out BO and try to use it on unsuspecting victims.

Just days after we released BO, Microsoft declared that on the machine they were testing BO on, CPU and network activity picked up in the middle of the night. Much less publicized was the fact that they later realized that this increase in activity was due to a networking command which had been sent to that machine by Microsoft employees. It is unclear to me who first decided that information was being sent to www.netninja.com, but due to the lack of actual proof, I can only assume this was an attempt to intentionally spread disinformation.

Who is NetNinja/Brian Enigma and what is their relationship with cDc?

www.netninja.com is a site on which some BUTT Plugs (plugins for BO) are distributed. These plugins were not written, checked or verified by members of the cDc and could do absolutely anything to your system. Some of these plugins do things like connecting to irc and reporting the location of a server machine to a public channel and sending the ip address of the server machine to an email address. This is NOT functionality built into BO; BO must be packaged and configured with one of these plugins for any of this to happen. The BO server alone never sends data anywhere but in response to a client.

Know your computer, know the software you run, watch your data, and know what's going on well enough to realize when something is doing what it's not supposed to.

-Sir Dystic
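The sniffer advice above, turned into a check, as an added example that is not from the original page or from cDc: given capture lines, it separates outbound flows to addresses the user deliberately connected to, flows that merely answer a peer which spoke first (the behaviour the page attributes to the plain BO server), and unsolicited flows to addresses nobody requested. The capture format, hosts, addresses and allowlist are constructed for illustration.

```python
"""Classify a host's outbound flows: requested, an answer to a peer, or
unsolicited. Added example, not code from the original page or from cDc.
The log format, addresses and allowlist below are constructed."""
from collections import namedtuple

Flow = namedtuple("Flow", "t proto src sport dst dport")

LOCAL = "10.0.0.5"                        # constructed: the watched host
REQUESTED = {"10.0.0.1", "192.0.2.10"}    # constructed: hosts the user chose

# Constructed sniffer-style lines: "<sec> <proto> <src:port> -> <dst:port>"
CAPTURE = """\
1 TCP 10.0.0.5:1034 -> 192.0.2.10:80
2 UDP 203.0.113.7:31337 -> 10.0.0.5:31337
3 UDP 10.0.0.5:31337 -> 203.0.113.7:31337
4 TCP 10.0.0.5:1035 -> 198.51.100.9:80
5 UDP 10.0.0.5:31337 -> 198.51.100.44:31337
"""


def parse(text):
    """Turn capture lines into Flow records (ports as ints)."""
    flows = []
    for line in text.splitlines():
        t, proto, src, _arrow, dst = line.split()
        sip, sport = src.rsplit(":", 1)
        dip, dport = dst.rsplit(":", 1)
        flows.append(Flow(int(t), proto, sip, int(sport), dip, int(dport)))
    return flows


def classify(flows, local=LOCAL, requested=REQUESTED, window=30):
    """Return (t, verdict, dst, dport) for every outbound flow whose
    destination the user never requested. verdict is 'answer' when that
    peer sent us a packet of the same protocol within `window` seconds
    beforehand (a server replying to its client), else 'unsolicited'."""
    report = []
    for f in flows:
        if f.src != local or f.dst in requested:
            continue
        answer = any(g.src == f.dst and g.dst == local and g.proto == f.proto
                     and 0 <= f.t - g.t <= window for g in flows)
        report.append((f.t, "answer" if answer else "unsolicited", f.dst, f.dport))
    return report


if __name__ == "__main__":
    for t, verdict, dst, port in classify(parse(CAPTURE)):
        print(f"t={t}s {verdict:11} -> {dst}:{port}")
```

The two 'unsolicited' lines are the ones the page says to be suspicious of; the 'answer' line is a reply to a peer that talked to the host first and deserves a look at why anything was listening on that port at all.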