BO's Older Cousin
Tuesday, 13 October 1998
Last Updated Wednesday, 25 November 1998 to include Version 1.7
NetBus, as are any of the other remote-admin trojans, is dangerous to you in direct proportion to the value and sensitivity of the information on your computer, and the importance of your system's integrity to your life and
Like Back Orifice, NetBus allows a remote user to access and control your machine by way of its Internet link. The two are closely similar in many ways, distinctly different in others.
One very important fact: NetBus runs under the NT operating system as well as Win95/98. At this writing, Back Orifice is not a threat to NT users, but NetBus is and always has been, since it first appeared in early 1998.
NetBus was written by a Swedish programmer, Carl-Fredrik Neikter, in March 1998. Version 1.5 in English appeared in April. NetBus apparently received little media attention but it was in fairly wide use by the time BO was released on 3 August. In late August, NetBus version 1.60 was made available.
Until about 22 October, the author maintained an "official" NetBus page at http://the-alliance.ml.org/netbus/, where NetBus 1.60 was available for download. The site has apparently disappeared. He offered instructions for removal at http://the-alliance.ml.org/netbus/remove_1.html (v1.5x) and http://the-alliance.ml.org/netbus/remove_2.html (v1.60), which I have copied to my site -- links to my copies are on the right. A very short and not very educational FAQ was at http://the-alliance.ml.org/netbus/faq.html, and is also reproduced on site.
NetBus has grown rapidly in use, apparently in part because of the widely publicized launch of Back Orifice, which drew attention to tools of this kind and undoubtedly attracted thousands of new hacker-wannabes to the game. I now see almost as much email about NetBus as BO, and very frequently both trojans are installed and running in the victim's computer at the same time. Undoubtedly many attackers seek to establish multiple means of entry once access has been gained.
Tricks with the CD tray (it opens and closes the tray on command or at timed intervals) and the mouse (it controls or positions the mouse pointer and swaps the functions of the left/right buttons) are among the sure signs of a NetBus attack. Back Orifice doesn't do these things.
I suspect NetBus is the tool of choice for many intruders, who are likely to use the smaller, sneakier BO primarily as a means to get NetBus into the victim's system. NetBus is easier to use than BO and lends itself well to annoying pranks, which are surely dear to the hearts of the power-crazed delinquents who are undoubtedly its most devoted users.
In sum, NetBus is stealthy enough to reside unnoticed on the vast majority of Netizens' systems. It is sophisticated yet almost incredibly easy to use, and thoroughly prone to serious misuse. Its first versions operated on a predictable port, but that is no longer the case with v1.7. Version 1.6 was easily accessed despite password protection, but that's no longer the case for 1.7. This is perhaps an improvement for the victim's sake; it is now very difficult for random invaders to find and enter the NetBus backdoor.
Step-by-step instructions for finding and removing NetBus will be added in due time. Meanwhile, several links are included here for that purpose; and the descriptions on this page alone should be enough for most affected users to regain control of their systems.
The Internet Security Systems (ISS) X-Force Alert of 10 September 1998 contains many technical details of NetBus and Back Orifice.
The Official NetBus Page by the author of NetBus
The Back Orifice "Backdoor" Program, a description of Back Orifice with links to many details and help with detection and removal
Removal of NetBus v1.5x -- the author's instructions, copied from his former website.
Removal of NetBus v1.60 -- the author's instructions, copied from his former website.
NetBus FAQ -- copied from the author's former website.
Some Comments And Cautions
Here are some things to keep in mind about NetBus and indeed any trojans of its kind...
The author of NetBus says, "NetBus was made to let people have some fun with his/her friends." He also says, "I hope NetBus (and similar programs like Back Orifice) will make more people aware of the security risks at their system." Unfortunately, NetBus allows far more access than a mere prank should ever require.
His point about security is however a very good one. Microsoft is clearly unconcerned about security issues except as they believe it will affect their bottom line. Microsoft routinely plays down genuine security threats and deals with them primarily as a PR problem. An example is its response to Back Orifice; Microsoft has yet to offer any form of defense against BO while it proliferates across the Net, even though its effectiveness is a direct consequence of Windows 95's own user-friendly "features" that leave the average user unaware of, and without control over, activity on the dial-up connection. Moreover, so far as I know Microsoft has yet to even comment upon NetBus.
It falls upon users to be alert, resourceful and knowledgeable in order to protect themselves.
And what of those who want to try it out on their "friends"?
In his FAQ, the author also says:
"Q: Is NetBus illegal?
"A: Of course NOT! Is Format, FDisk and PC Anywhere illegal? - of course NOT! It's just your own actions that could be illegal."
You'll note he doesn't address the question in terms of ethics or morality. He is nonetheless nearly accurate in this statement. But depending upon where the victim and/or the NetBus "prankster" are located, computer trespass laws may apply which make any unwanted access at all into a crime; albeit not a serious one unless real damage has been done. You may wish to view this page which contains some of my efforts to evaluate the legal (US) and ethical aspects of such intrusions.
Incidentally, your ISP usually needs not wait for you to do anything illegal before they delete your account. Most ISPs are likely to cut you off quickly and permanently if they receive a complaint that you're using NetBus, BO or any other similar tool. Their terms of service usually give them this option and they'll take it without hesitation. Quite aside from issues of principle, they are concerned about their own liability. Once alerted to your abuse of their network, they become arguably liable for your actions and they will not risk a burdensome lawsuit for your paltry $20 monthly fee.
The communications of NetBus and programs like it are usually readily traced. Tools for just this purpose are beginning to see broad use.
However, for legitimate uses, NetBus now shows promise. With the improved password handling of v1.7, and its use of any configured port; along with its configurable requirement for access only from given IP addresses; NetBus is now worthy of consideration as a remote-admin tool for one's own personal or small-office systems.
But its security is not absolute. Given a determined attacker, even a carefully secured NetBus would eventually fall prey to an attacker using IP spoofing and/or a brute-force attempt to find its password.
How it Works
NetBus and other remote-admin trojans have two essential parts; a server (the part that resides on the victim's system) and a client (the application used to find and control the server). Features and functions vary, but the result is much the same; near-total loss of privacy and security with respect to your computer anytime it's on the Net. Once in place, these trojans open the victim to endless possibilities ranging from mere pranks to viruses, serious loss or theft of valuable or sensitive data, other trojans, and so on.
The NetBus server is about 4 times as large as the Back Orifice server, and generally less "stealthy." Unlike BO, NetBus is not designed to attach virus-like to legitimate files or applications.
Like BO, the NetBus server can have practically any filename. The usual way it is installed is by simple deception; the program is sent to the victim, or offered on a website, and falsely represented as something it is not. Occasionally it may be included in a setup package for a legitimate application and executed in the process of that setup.
The unsuspecting victim runs the program either directly or by way of the application used as camouflage, and it immediately installs itself and begins to offer access to intruders.
There are now three versions of NetBus in circulation; version 1.5x (usually 1.53), version 1.6, and version 1.7.
With the release of v1.70 in mid-November of 1998, Netbus has become a much more capable tool, offering without question the most comprehensive access and control of any of the trojans of its class.
Although v1.7 undoubtedly is or will be in broadest use, my emails indicate all of them are in circulation. I've included details of all three versions here.
By default, the v1.53 server is named SysEdit.exe. It may often be renamed. Its size is 462K (473,088 bytes). With its icon, it looks like this:
When this program is run, it remains where it is and nothing appears to happen. However, it is running, just without any obvious indication. If you then attempt to delete the file, Windows won't allow it, and says:
Run without added parameters, v1.53 is not persistent; that is, it will not execute on its own when the computer is restarted. It does make changes to the Registry; it creates the keys HKEY_CURRENT_USER\SYSEDIT, where SYSEDIT is the filename before the extension, and places a series of values in the Settings key as shown:
These settings are subject to change by the remote user, who may also add a value named "ClientPwd" in order to set a password which will be required for remote access.
For more on the Registry Editor, see this page which shows its use in relation to Back Orifice.
If NetBus 1.53 is run with the /add parameter, it will place an entry in the Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run containing the full pathname of the server file, as follows:
The Name entry will always contain the part of the filename prior to ".exe," with or without spaces, and all capitalized. In this case it's SYSEDIT. The result of this entry is that the NetBus server is quietly run by Windows each time the computer restarts; it becomes persistent. If it's removed, the server will no longer run on the next reboot.
The v1.53 server opens two TCP ports numbered 12345 and 12346. It listens on 12345 for a remote client and apparently responds via 12346. It will respond to a Telnet connection on port 12345 with its name and version number.
The remote user (that's polite language for the morally-bankrupt creep who is usually at the other end) has a program which looks like this:
With pushbutton ease, the operator can do a great many things, most of which are clearly evident on this console display. A document which accompanies v1.53 and explains its functions in detail is HTMLized here.
For some of its functions, v1.53 requires a file named KeyHook.dll, which must be placed with it, usually in the Windows directory.
NetBus v1.53 is not extremely stealthy, but it is certainly functional and effective.
By default, the v1.60 server is named Patch.exe. It may often be renamed. Its size is 461K (472,576 bytes). With its icon, it looks like this:
v1.60 has been changed from the 1.5x version in some very significant ways. Some of these changes parallel the behavior of Back Orifice and render it much more stealthy.
When this program is run, it remains where it is and nothing appears to happen. Unlike v1.53, it can then be deleted uneventfully. However, it is running! It copies itself to the Windows directory (unless it's there already), extracts from within itself a file called KeyHook.dll and activates both programs.
Run without added parameters, v1.60 is persistent; that is, it will execute on its own when the computer is restarted. It makes changes to the Registry; it creates the keys HKEY_CURRENT_USER\PATCH, where PATCH is the filename before the extension; and by default, it places a value in the key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run containing the full pathname of the server file as follows:
The Name part will always contain the part of the filename prior to ".exe," with or without spaces, and it is always capitalized. In this case it's PATCH. The result of this entry is that the NetBus server is quietly run by Windows each time the computer restarts. If this entry is deleted, the server will no longer run on the next reboot. Note the "/nomsg" parameter which is always present by default.
Version 1.60, like v1.53, also creates the
and places basically the same series of values in the Settings key.
For more on the Registry Editor, see this page which shows its use in relation to Back Orifice.
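The Registry indicators above (a Run value named for the server file in capitals, the /nomsg switch v1.60 adds by default, and the HKEY_CURRENT_USER\[NAME] key both 1.53 and 1.60 create) can be checked mechanically against an export made with regedit /e. The Python script below is an added example, not code from this page or from the author of NetBus. The sample REGEDIT4 export is constructed; the benign SystemTray and ScanRegistry lines are stand-ins, and placing the ClientPwd value under HKEY_CURRENT_USER\PATCH\Settings is an assumption about layout, since the page only says that the value lives in the Settings key.

```python
import re
from pathlib import PureWindowsPath

RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

# Constructed sample of a REGEDIT4 export (the format regedit /e writes on
# Win9x/NT). The PATCH line mirrors the default v1.60 Run entry described on
# the page; SystemTray and ScanRegistry are ordinary benign stand-ins. The
# ClientPwd value name comes from the page; its exact key is an assumption.
SAMPLE_REG = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"PATCH"="C:\\WINDOWS\\Patch.exe /nomsg"

[HKEY_CURRENT_USER\PATCH\Settings]
"ClientPwd"="letmein"
'''

_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def _unescape(s):
    # .reg exports escape backslashes and double quotes inside string data
    return s.replace('\\"', '"').replace("\\\\", "\\")


def parse_reg(text):
    """Parse a .reg export into {key_path: {value_name: string_data}}.
    Only REG_SZ ("name"="data") values are kept; that is all this check needs."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None:
            m = _VALUE_RE.match(line)
            if m:
                keys[current][_unescape(m.group(1))] = _unescape(m.group(2))
    return keys


def suspicious_run_entries(keys):
    """Score each Run entry against the indicators the page gives:
      1. value name is the executable's base name in all capitals
         (SYSEDIT for SysEdit.exe, PATCH for Patch.exe);
      2. the command line carries the /nomsg switch v1.60 adds by default;
      3. an HKEY_CURRENT_USER\\<NAME> (or ...\\<NAME>\\Settings) key exists.
    Indicator 1 alone is weak (some legitimate entries are capitalised too),
    so an entry is reported only when at least two indicators match.
    Returns a list of (value_name, command, [reasons])."""
    lowered = {k.lower() for k in keys}
    findings = []
    for name, cmd in keys.get(RUN_KEY, {}).items():
        exe = cmd.split(" /", 1)[0].strip().strip('"')   # path before first switch
        base = PureWindowsPath(exe).stem
        reasons = []
        if name and name == base.upper():
            reasons.append("value name is the uppercased file name")
        if re.search(r"(?i)\s/nomsg\b", cmd):
            reasons.append("/nomsg switch present")
        hkcu = "hkey_current_user\\" + name.lower()
        if hkcu in lowered or hkcu + "\\settings" in lowered:
            reasons.append("matching HKEY_CURRENT_USER\\" + name + " key exists")
        if len(reasons) >= 2:
            findings.append((name, cmd, reasons))
    return findings


if __name__ == "__main__":
    for name, cmd, why in suspicious_run_entries(parse_reg(SAMPLE_REG)):
        print(name, cmd, "; ".join(why))
```

Run it against your own export (regedit /e netbus.reg on Win9x) by feeding the file's contents to parse_reg in place of SAMPLE_REG. A renamed server still trips indicators 1 and 3 because NetBus derives both the Run value name and the HKEY_CURRENT_USER key from whatever the file is called.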
The v1.60 server opens two TCP ports numbered 12345 and 12346. It listens on 12345 for a remote client and apparently responds via 12346. It will respond to a Telnet connection on port 12345 with its name and version number.
The remote user has a program which looks like this:
With pushbutton ease, the operator can do a great many things, more even than v1.53 allowed. Among the new features are greatly expanded file-handling capabilities, an interactive message dialog, password setting and other server controls, and new ways to tamper with the keyboard. Most of its tricks are evident from this console display.
The v1.60 client will connect to older server versions. Newer controls don't work on older versions but it will function within the capabilities of the server. A document which accompanies v1.60 and explains its functions in detail is HTMLized here
By default, the v1.70 server is named Patch.exe. It may often be renamed. Its default size is 483K (494,592 bytes). With configuration added, its size increases, usually by a couple of hundred bytes. With its new icon, it looks like this:
When run, this version is apparently supposed to behave outwardly exactly like v1.60, and its Registry entries are also the same; see the description of v1.60 above for that information.
However, on my machines, v1.70 did not behave as it should. While it does, like v1.60, copy itself to the Windows directory, for some reason it does not execute the new copy. Instead it runs where it is, and only after the next reboot will the new copy be run. I presume this is a bug in the new version, which renders it far more likely to attract the attention of an unsuspecting victim, who will find the file can't be moved or deleted while it is in use by the system.
Also like v1.60, it creates the file KeyHook.dll in the Windows directory. Here it is with its icon:
By default, the v1.70 server opens two TCP ports numbered 12345 and 12346. It listens on 12345 for a remote client and apparently responds via 12346. It will respond to a Telnet connection on port 12345 with its name and version number. It can however be readily configured to use any other virtual port from 1 to 65534. The port configuration can be pre-set by the sender, and/or it can be changed from remote. It will also open the next-numbered port in sequence, which it apparently uses for responses to the client.
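Because all three versions answer a bare TCP connection with their name and version, the quickest check from another machine is to connect to 12345 and read the greeting, and for v1.7 to try whatever other ports are in question. The Python script below is an added example, not code from this page or from the author of NetBus. The page says only that the server replies with its name and version number, so the exact greeting bytes (for instance "NetBus 1.60") are an assumption, and the local mock listener is a constructed stand-in so the script can be exercised offline.

```python
import re
import socket
import threading

# The page reports that the server answers a Telnet connection with its name
# and version; the precise byte layout is an assumption, so match loosely.
BANNER_RE = re.compile(rb"NetBus\s+(\d+\.\d+)")

# Default ports from the page. v1.7 can be moved to any port, so callers
# may pass a wider list to scan().
DEFAULT_PORTS = (12345, 12346)


def parse_banner(data: bytes):
    """Return the NetBus version string if `data` looks like its greeting, else None."""
    m = BANNER_RE.search(data)
    return m.group(1).decode("ascii") if m else None


def probe(host: str, port: int, timeout: float = 2.0):
    """Connect, read whatever the listener volunteers, and classify it.
    Returns (port, version_or_None, status); status is 'netbus', 'open'
    (something answered but not with a NetBus greeting) or 'closed'
    (connection refused, filtered or timed out)."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            try:
                data = s.recv(256)
            except socket.timeout:
                data = b""          # open port that says nothing first
    except OSError:
        return (port, None, "closed")
    version = parse_banner(data)
    return (port, version, "netbus" if version else "open")


def scan(host: str, ports=DEFAULT_PORTS, timeout: float = 2.0):
    """Probe each port and return only the results that look like NetBus."""
    return [r for r in (probe(host, p, timeout) for p in ports) if r[2] == "netbus"]


# --- Constructed stand-in for a listening server so the example runs offline ---
def fake_netbus_listener(banner: bytes = b"NetBus 1.60\r\n"):
    """Start a local TCP listener on an ephemeral port that sends `banner`
    once per connection. Returns (port, stop_callable). This only imitates
    the greeting; it is not NetBus and accepts no commands."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    srv.settimeout(0.2)
    stop = threading.Event()

    def serve():
        while not stop.is_set():
            try:
                conn, _ = srv.accept()
            except socket.timeout:
                continue
            with conn:
                conn.sendall(banner)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1], stop.set


if __name__ == "__main__":
    port, stop = fake_netbus_listener()
    print(scan("127.0.0.1", ports=(port,)))   # [(port, '1.60', 'netbus')]
    stop()
```

Against a real host, replace the mock with the machine's address, e.g. scan("192.168.1.20"), and widen the port list when a v1.7 server is suspected. The script only identifies a listener that announces itself; it sends nothing to the server and so cannot be mistaken for a control session.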
The remote user's client program looks like this:
When the v1.70 server is contacted by a remote user, it creates two files named Hosts.txt and Memo.txt and places them in the same directory as the running server. While these would normally appear in the Windows directory, in my test, when the server was run from the desktop and while the system had not yet rebooted, these appeared on the desktop. Also, if the server has been configured or instructed from remote to log its activity, it will create an additional file, named IP.txt. And finally, if the server file has been pre-configured by the sender, it will create yet another file, which it always places in the Windows directory. This will be named according to the filename of the server, [NAME].ini.
The functions of these files are as follows:
Hosts.txt -- Lists hosts that have contacted the server, if logging is enabled.
Memo.txt -- The remote user can leave a memo here for himself.
IP.txt -- Lists all text and commands received on the port on which NetBus is listening, showing date, time and originating IP address.
[NAME].ini -- Text of the configuration information which is appended to a configured server file, as follows (with examples):
When the NetBus client program is used to pre-configure a server, this same data is appended to the end of the server file in plain text.
This last file illustrates a new feature of NetBus 1.70. It can be instructed to send an email when it is run for the first time, to notify its owner of its installation. However, I was unable to make this email feature work on my copy.
Version 1.70 has been changed from v1.60 in two more very significant ways, both of which mirror functions of Back Orifice.
NetBus is now capable of redirecting input to a specified port to another IP address via the server machine. This means the remote user can do mischief on a third machine someplace on the Net, and his connection will appear to come from the redirecting address. This feature, truly useful as a tool for illegal computer trespass, makes a certifiable liar of Mr. Neikter, the creator of NetBus. He claims NetBus is intended only for legitimate remote administration and "to have fun" with one's "friends." There is virtually no conceivable legitimate cause for such redirections, and nothing "fun" about it when the trojan victim is prosecuted for computer crimes he did not commit.
In addition, NetBus now allows the assignment of an application to a TCP port. Most usually this is done with a command interpreter (command.com or Cmd.exe), giving free access to a DOS command line via telnet. Those familiar with DOS will know this gives the user very extensive control over the host machine. My tests show that most DOS applications requiring interactive input (such as edit.com) typically do not work on this connection, but all standard DOS commands work flawlessly, as does virtually any application that runs to completion on a single command line.
Although this new NetBus version apparently suffers from some bugs that render it less stealthy than its creator intended, it is nonetheless a powerful tool for the intruder. The bugs may induce some attackers to stay with v1.6 until they're corrected.
But in many instances with which I'm familiar, NetBus was NOT installed directly by the user. Back Orifice, very small and much more stealthy, is much better suited to subterfuge. It is often used as the means to upload NetBus onto the target machine. In such an instance, the bugs I've observed become insignificant.