Does Back Orifice Backfire On Its Users?

Thursday, September 10, 1998

With thanks to
Chris Benson,
Bill Machrone,
and especially Art Upton, who as far as I know was first to make this discovery.

UPDATE 13 Sept

Immediately after my Usenet posting on the subject, my BO client ceased to act as I have described below. Despite repeated attempts, I have been unable to duplicate this behavior, although initially I observed it repeatedly.

Bill Machrone queried Netninja's "Brian Enigma" on this, and on 12 Sept received a reply and quoted it in email to me. I've asked Bill and Brian for permission to web that email, and as it is granted, I'll post it here with my response.

Essentially , Brian offers explanations that suggest other causes for these observations and says he is not connected to the cDc except for some recent contacts. However his explanations do not fit the cases I observed, and in the quoted text Bill sent, Brian did not directly deny the alleged connections to his site.
 

Some very interesting information about the BO client's behavior has come to light.

Last evening (9 Sept), I received an email from Chris Benson, the creator of BODetect. He said:

Speaking of Bill Machrone, I did send him an email this morn, thanking him for the article, and he sent me some interesting info, which I quote:

"By the way, I just discovered that when the BOclient is used to scan a subnet, it sends its findings and other data back to www.netninja.com via http:// post on port 80."

I replied that I thought that may be a plugin running on his system, to which he said:

"I'm not so sure that this behavior is the result of a plugin. One of our readers sent me this:

'Have your techs use an Ethernet sniffer to verify this. Set up the sniffer to look at the IP of the boclient machine. put in an IP address like 171.3.4.* and press the send button. BO Client will scan the sub-net for BOservers, then send four http packets to www.netninja.com.' "

(Bill Machrone is vice president of technology for Ziff-Davis and a columnist for PC Week Magazine (Up Periscope) who has recently mentioned this site and Chris' BODetect in his column. Bill has identified his perceptive reader as Art Upton.)

I immediately acted on this fascinating tidbit of information.

Here's what I did...

In Win95, I set up the GUI client to scan a series of subnets.

I opened a DOS window and entered the command:

netstat -a -n 1>ns.txt

That makes netstat output a status at one-second intervals, and feed the results to the textfile ns.txt.

Then I ran both the sweep and netstat simultaneously.

When it was done, I examined ns.txt to see what netstat had reported. For the first maybe 20 seconds or so, nothing odd. All the reports looked like this:


A Bit of Background...

Back Orifice really consists of two programs. The secretive server program resides in the host system of some usually-unwitting Netizen. The client program is used to communicate with BO servers on remote systems. It is the tool of the "remote administrators" who're causing so much havoc with BO.

In order to locate its victims - er, servers, the client program can perform ping sweeps. A ping is analogous to the familiar ping sound used by submarines. A packet of data, a sort of inquiry, is sent to a targeted address. If a BO server is online at that address, listening on the specified port, and if the ping packet contains the right password (if one is required), there will be a response. When there's a response, the client reports upon it to the operator. To facilitate locating servers, the client can sweep a series of IP (Internet Protocol) addresses, potentially many thousands of them. Every computer on the internet, including yours right now, has an IP address.

Just what you'd expect. My IP address was 206.159.43.55, with the BO client running its pings on port 1677, and the usual normal activity on ports 0, 137, 138 and 139.

Then this happened!:

Who and what is at the address 209.25.3.113? I ran nslookup. It returned this:

Name: WWW.netninja.com
Address: 209.25.3.113

There it is in a nutshell. The BO client is talking to www.netninja.com.

At this point I know the client's GUI (Win95) version at very least behaves this way. I'll test the DOS client shortly and Chris says he's working on the Unix version. I've already done some checking to see if BO does anything like this under other circumstances. So far it hasn't. But as I understand it, it could be sending practically anything anywhere using the UDP protocol.

I suspect it may only report to netninja when it gets a "hit" on its ping sweep. I'll confirm whether that's true.

There is nothing unusual about my copy of BO. It was downloaded from the cDc site.

The obvious most likely conclusion is that BO is reporting to its creators on every vulnerable system it finds. It could very well be sending passwords as well as the server's IP address and the port number on which it is running. It could also, by this transmission, serve to reveal the IP address and perhaps other information about the system running the client program.

The implications are staggering. With every BO client in the world reporting to them, Netninja -- whoever they are -- could be amassing a vast database of systems containing BO servers. What do they intend to do with it?

Perhaps someone should ask them.