Hacker News Network

Freedom of the press is limited to those who own one.
- A.J. Liebling

 

Information Virus


Back Orifice Back Door

There have recently been accusations that the Back Orifice Windows GUI client contains code which reports the results from subnet scans via HTTP to www.netninja.com. As the sole author of both the server and the client, I should know better than anyone else what is in the code. I have attempted to answer some questions concerning these issues:

Is this possible?

It would be very easy to code either the client or the server to send any information it wanted to any address on the Internet. Since the client is already listening on a UDP port (to receive response packets from the servers) it would also be possible to implement all the functionality of the BO server in the client. With a simple port scan, you could determine the port the client is listening on and send commands.

Is this likely?

Making a TCP connection to a static address is not very sly. It would be very easy to determine who the information is being sent to (in this case, supposedly www.netninja.com) and being the known publisher of this well known piece of software that did this, we would probably be getting into legal issues, and definitely ethical issues.

President Clinton issued Executive Order 13088 back on June 9, 1998, which creates basic trade sanctions, freezing of Yugoslavian assets, etc...

As expected, the Treasury Department's Office of Foreign Assets Control issued 73 licenses for exemptions to the order. These were reported in a Letter to Congress and they included such things as overflight fees for commercial airliners, for aid organizations to do their business there, diplomatic transactions, etc... Normal stuff.

Executive Order 13121, issued on April 30, 1999, changes the first order, removing the provision for exceptions. But it also "prohibits exports or reexports, directly or indirectly, from the United States or by a United States person, wherever located, of goods, software, technology, or services to the Federal Republic of Yugoslavia (Serbia and Montenegro)." Clinton summarized these changes in this letter to Congress dated May 1, 1999.

Now this could be interpreted to include prohibitions on providing telecommunications services like Internet connectivity. If you're an ISP in the US, and you sell bandwidth to someone who resells bandwidth to a Yugoslavian ISP, it would appear that you would be covered by this order and would be prevented from providing this service.

However, the International Emergency Economic Powers Act, whose text is available here and here, seems to indicate that the President DOES NOT have authority to regulate the following: "postal, telegraphic, telephonic, or other personal communication, which does not involve a transfer of anything of value". This can be interpreted to include Internet access.

Of course, all of this only affects the United States. The European Union may enact its own sanctions.

OK, now the legal stuff is out of the way.

It would seem that this whole thing started when Loral Space & Communications, one of the biggest US satellite communication firms, had informed Belgrade provider "Informatika" that they would stop Internet services for all Yugoslavia providers who are linked to providers in the USA. They claimed that the decision was based on a Presidential Order from Bill Clinton. (It should be noted that this information comes from Yugoslavian ISPs)

Some reports have indicated that Loral Space & Communications has now decided not to disconnect Yugoslavia from the Internet, because of the protests from around the world that followed the announcement.

Other reports say that Loral Space & Communications is currently in negotiations with the Treasury Department's Office of Foreign Assets Control in an attempt to correctly interpret the law.

Still other unconfirmed reports indicate that UUNET was informed by the State Department last Thursday that all commerce to the Republic of Yugoslavia was to be terminated. We have been unable to confirm this report.

It would be unfortunate if eyewitness reports and first-hand accounts were silenced from the war zone. They say that all is fair in love and war. Wait, has there been an official declaration of war?


These pages are Copyright © 2000 Hacker News Network All Rights Reserved.