NetBus
BO's Older Cousin
Tuesday, 13 October 1998
Last Updated Wednesday, 25 November 1998 to include Version 1.7

Some Comments And Cautions

Here are some things to keep in mind about NetBus and indeed any trojans of its kind...

• Icons are subject to change. Applications exist that can alter icons in virtually any program file, not just NetBus. Don't rely on the icon for identification.
• Trojans of this kind must listen on a virtual port. NetBus will always reveal its presence by way of an open port, viewable with netstat.exe.
• Because of the above fact, many intruders delete netstat.exe from the victim's hard drive immediately upon gaining access. Creating a copy or two of netstat using other names is a good precaution against its loss. A regular check for the presence of netstat.exe, including the file's size and date, is advisable and is one means of spotting intrusions. I myself have implemented a check in my autoexec.bat which will spot any change of that file.
• Once access is gained, the more savvy intruder will often install other backdoors. These may include:
  • other backdoor trojans (there are at least 10 different remote-admin trojans I've identified, though NetBus and Back Orifice are by far in the most widespread use);
  • ftp or http daemons which open your drive(s) to access (these also open ports, by the way);
  • or he may enable resource sharing on the Net connection.
• I've found viruses in a surprising number of the files sent to me by readers of this site. It's impossible to know whether these infections were deliberate acts of the intruders, or a result of the victim's incautious habits. Either way, I urge YOU to obtain, use, update and maintain a virus scanner such as AVP.

The author of NetBus says, "NetBus was made to let people have some fun with his/her friends." He also says, "I hope NetBus (and similar programs like Back Orifice) will make more people aware of the security risks at their system." Unfortunately, NetBus allows far more access than a mere prank should ever require.

His point about security is however a very good one. Microsoft is clearly unconcerned about security issues except as they believe it will affect their bottom line. Microsoft routinely plays down genuine security threats and deals with them primarily as a PR problem. An example is its response to Back orifice; Microsoft has yet to offer any form of defense against BO while it proliferates across the Net -- while its effectiveness is a direct consequence of Windows 95's own user-friendly "features" that leave the average user unaware of -- and without control over -- activity on the dial-up connection. Moreover, so far as I know Microsoft has yet to even comment upon NetBus.

It falls upon users to be alert, resourceful and knowledgeable in order to protect themselves.

And what of those who want to try it out on their "friends"?

In his FAQ, the author also says:
"Q: Is NetBus illegal?
"A: Of course NOT! Is Format, FDisk and PC Anywhere illegal? - of course NOT! It's just your own actions that could be illegal."

You'll note he doesn't address the question in terms of ethics or morality. He is nonetheless nearly accurate in this statement. But depending upon where the victim and/or the NetBus "prankster" are located, computer trespass laws may apply which make any unwanted access at all into a crime; albeit not a serious one unless real damage has been done. You may wish to view this page which contains some of my efforts to evaluate the legal (US) and ethical aspects of such intrusions.

Incidentally, your ISP usually needs not wait for you to do anything illegal before they delete your account. Most ISPs are likely to cut you off quickly and permanently if they receive a complaint that you're using NetBus, BO or any other similar tool. Their terms of service usually give them this option and they'll take it without hesitation. Quite aside from issues of principle, they are concerned about their own liability. Once alerted to your abuse of their network, they become arguably liable for your actions and they will not risk a burdensome lawsuit for your paltry $20 monthly fee.

The communications of NetBus and programs like it are usually readily traced. Tools for just this purpose are beginning to see broad use.

However, for legitimate uses, NetBus now shows promise. With the improved password handling of v1.7, and its use of any configured port; along with its configurable requirement for access only from given IP addresses; NetBus is now worthy of consideration as a remote-admin tool for one's own personal or small-office systems.

But its security is not absolute. Given a determined attacker, even a carefully secured NetBus would eventually fall prey to an attacker using IP spoofing and/or a brute-force attempt to find its password.

How it Works

NetBus and other remote-admin trojans have two essential parts; a server (the part that resides on the victim's system) and a client (the application used to find and control the server). Features and functions vary, but the result is much the same; near-total loss of privacy and security with respect to your computer anytime it's on the Net. Once in place, these trojans open the victim to endless possibilities ranging from mere pranks to viruses, serious loss or theft of valuable or sensitive data, other trojans, and so on.

The NetBus server is about 4 times as large as the Back Orifice server, and generally less "stealthy." Unlike BO, NetBus is not designed to attach virus-like to legitimate files or applications.

Like BO, the NetBus server can have practically any filename. The usual way it is installed is by simple deception; the program is sent to the victim, or offered on a website, and falsely represented as something it is not. Occasionally it may be included in a setup package for a legitimate application and executed in the process of that setup.

The unsuspecting victim runs the program either directly or by way of the application used as camouflage, and it immediately installs itself and begins to offer access to intruders.

There are now three versions of NetBus in circulation; version 1.5x (usually 1.53), version 1.6, and version 1.7.

With the release of v1.70 in mid-November of 1998, Netbus has become a much more capable tool, offering without question the most comprehensive access and control of any of the trojans of its class.

Although v1.7 undoubtedly is or will be in broadest use, my emails indicate all of them are in circulation. I've included details of all three versions here.

By default, the v1.53 server is named SysEdit.exe. It may often be renamed. Its size is 462K (473,088 bytes). With its icon, it looks like this:

When this program is run, it remains where it is and nothing appears to happen. However, it is running, just without any obvious indication. If you then attempt to delete the file, Windows won't allow it, and says:

Run without added parameters, v1.53 is not persistent; that is, it will not execute on its own when the computer is restarted. It does make changes to the Registry; it creates the keys
HKEY_CURRENT_USER\SYSEDIT, where SYSEDIT is the filename before the extension;
HKEY_CURRENT_USER\NETBUS;
and
HKEY_CURRENT_USER\NETBUS\Settings
and places a series of values in the Settings key as shown:

These settings are subject to change by the remote user, who may also add a value named "ClientPwd" in order to set a password which will be required for remote access.

For more on the Registry Editor, see this page which shows its use in relation to Back Orifice.

If NetBus 1.53 is run with the /add parameter, it will place an entry in the Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run containing the full pathname of the server file, as follows:

The Name entry will always contain the part of the filename prior to ".exe," with or without spaces, and all capitalized. In this case it's SYSEDIT. The result of this entry is that the NetBus server is quietly run by Windows each time the computer restarts; it becomes persistent. If it's removed, the server will no longer run on the next reboot.

The v1.53 server opens two TCP ports numbered 12345 and 12346. It listens on 12345 for a remote client and apparently responds via 12346. It will respond to a Telnet connection on port 12345 with its name and version number.

The remote user (that's polite language for the morally-bankrupt creep who is usually at the other end) has a program which looks like this:

With pushbutton ease, the operator can do a great many things, most of which are clearly evident on this console display. A document which accompanies v1.53 and explains its functions in detail is HTMLized here.

For some of its functions, v1.53 requires a file named KeyHook.dll, which must be placed with it, usually in the Windows directory.

NetBus v1.53 is not extremely stealthy, but it is certainly functional and effective.

By default, the v1.60 server is named Patch.exe. It may often be renamed. Its size is 461K (472,576 bytes). With its icon, it looks like this:

v1.60 has been changed from the 1.5x version in some very significant ways. Some of these changes parallel the behavior of Back orifice and render it much more stealthy.

When this program is run, it remains where it is and nothing appears to happen. Unlike v1.53, it can then be deleted uneventfully. However, it is running! It copies itself to the Windows directory (unless it's there already), extracts from within itself a file called KeyHook.dll and activates both programs.

Run without added parameters, v1.60 is persistent; that is, it will execute on its own when the computer is restarted. It makes changes to the Registry; it creates the keys
HKEY_CURRENT_USER\PATCH, where PATCH is the filename before the extension; and by default, it places a value in the key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run containing the full pathname of the server file as follows:

The Name part will always contain the part of the filename prior to ".exe," with or without spaces, and it is always capitalized. In this case it's PATCH. The result of this entry is that the NetBus server is quietly run by Windows each time the computer restarts. If this entry is deleted, the server will no longer run on the next reboot. Note the "/nomsg" parameter which is always present by default.

Version 1.60, like v1.53, also creates the Registry keys
HKEY_CURRENT_USER\NETBUS;
and
HKEY_CURRENT_USER\NETBUS\Settings
and places basically the same series of values in the Settings key.

For more on the Registry Editor, see this page which shows its use in relation to Back Orifice.

The v1.60 server opens two TCP ports numbered 12345 and 12346. It listens on 12345 for a remote client and apparently responds via 12346. It will respond to a Telnet connection on port 12345 with its name and version number.

The remote user has a program which looks like this:

With pushbutton ease, the operator can do a great many things, more even than v1.53 allowed. Among the new features are greatly expanded file-handling capabilities, an interactive message dialog, password setting and other server controls, and new ways to tamper with the keyboard. Most of its tricks are evident from this console display.

The v1.60 client will connect to older server versions. Newer controls don't work on older versions but it will function within the capabilities of the server. A document which accompanies v1.60 and explains its functions in detail is HTMLized here

By default, the v1.70 server is named Patch.exe. It may often be renamed. Its default size is 483K (494,592 bytes). With configuration added, its size increases, usually by a couple of hundred bytes. With its new icon, it looks like this:

When run, this version is apparently supposed to behave outwardly exactly like v1.60, and its Registry entries are also the same; see the description of v1.60 above for that information.

However, on my machines, v1.70 did not behave as it should. While it does, like v1.60, copy itself to the Windows directory, for some reason it does not execute the new copy. Instead it runs where it is, and only after the next reboot will the new copy be run. I presume this is a bug in the new version, which renders it far more likely to attract the attention of an unsuspecting victim, who will find the file can't be moved or deleted while it is in use by the system.

Also like v1.60, it creates the file KeyHook.dll in the Windows directory. Here it is with its icon:

By default, the v1.70 server opens two TCP ports numbered 12345 and 12346. It listens on 12345 for a remote client and apparently responds via 12346. It will respond to a Telnet connection on port 12345 with its name and version number. It can however be readily configured to use any other virtual port from 1 to 65534. The port configuration can be pre-set by the sender, and/or it can be changed from remote. It will also open the next-numbered port in sequence, which it apparently uses for responses to the client.

The remote user's client program looks like this:

When the v1.70 server is contacted by a remote user, it creates two files named Hosts.txt and Memo.txt and places them in the same directory as the running server. While these would normally appear in the Windows directory, in my test, when the server was run from the desktop and while the system had not yet rebooted, these appeared on the desktop. Also, if the server has been configured or instructed from remote to log its activity, it will create an additional file, named IP.txt. And finally, if the server file has been pre-configured by the sender, it will create yet another file, which it always places in the Windows directory. This will be named according to the filename of the server, [NAME].ini.

The functions of these files are as follows:

This last file illustrates a new feature of NetBus 1.70. It can be instructed to send an email when it is run for the first time, to notify its owner of its installation. However, I was unable to make this email feature work on my copy.

Version 1.70 has been changed from v1.60 in two more very significant ways, both of which mirror functions of Back Orifice.

NetBus is now capable of redirecting input to a specified port to another IP address via the server machine. This means the remote user can do mischief on a third machine someplace on the Net, and his connection will appear to come from the redirecting address. This feature, truly useful as a tool for illegal computer trespass, makes a certifiable liar of Mr. Niekter, the creator of NetBus. He claims NetBus is intended only for legitimate remote administration and "to have fun" with one's "friends." There is virtually no conceivable legitimate cause for such redirections, and nothing "fun" about it when the trojan victim is prosecuted for computer crimes he did not commit.

In addition, NetBus now allows the assignment of an application to a TCP port. Most usually this is done with a command interpreter (command.com or Cmd.exe), giving free access to a DOS command line via telnet. Those familiar with DOS will know this gives the user very extensive control over the host machine. My tests show that most DOS applications requiring interactive input (such as edit.com) typically do not work on this connection, but all standard DOS commands work flawlessly, as does virtually any application that runs to completion on a single command line.

Although this new NetBus version apparently suffers from some bugs that render it less stealthy than its creator intended, it is nonetheless a powerful tool for the intruder. The bugs may induce some attackers to stay with v1.6 until they're corrected.

But in many instances with which I'm familiar, NetBus was NOT installed directly by the user. Back Orifice, very small and much more stealthy, is much better suited to subterfuge. It is often used as the means to upload NetBus onto the target machine. In such an instance, the bugs I've observed become insignificant.

PCHelp Home
BO Home