
WHAT IS NETBUS?

Netbus is a so-called trojan horse, similar to Back Orifice but slightly different: it works not only under Windows 95/98, but also under Windows NT. If a Netbus server has been installed on your computer, someone can take control of it using a Netbus client on theirs.

HOW DOES IT WORK?

Netbus consists of two parts: a server (which has to be installed on the victim's computer) and a client (installed on the intruder's computer). The two communicate using TCP/IP protocols.
Netbus also has an option to search at random for a computer with an active Netbus server.

This is what the client looks like:

HOW CAN MY COMPUTER GET INFECTED WITH NETBUS?

Netbus is usually spread as a file named PATCH.EXE, but be aware that this file can be renamed (e.g. CATCH.EXE). Once the file has been run, it makes an entry in the Windows registry at:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
How can this happen? For example: you are chatting with someone. They send you an .exe file and trick you into running it. As soon as you do that, the Netbus server is installed on your computer, the intruder connects his client to your server - and VOILA, he has access to everything on your computer!

You can also get the file by downloading it from the internet, via e-mail, or by any other means.

WHAT CAN SOMEONE DO TO YOUR COMPUTER USING NETBUS?

1. Open/close the CD-ROM tray once or in intervals (specified in seconds);
2. Show optional BMP or JPG image (full path allowed);
3. Swap mouse buttons - the right button gets the left button's functions and vice versa;
4. Start optional application (full path allowed);
5. Play optional WAV sound-file (full path allowed);
6. Point the mouse to optional coordinates;
7. Show a message dialog on the screen and allow the user on remote system to answer it;
8. Shutdown Windows, reboot, logoff or power off;
9. Go to an optional URL within the default web-browser;
10. Send keystrokes to the active application on the target computer;
11. Listen for keystrokes on remote system and save them to file;
12. Get a screenshot from remote computer;
13. Return information about the target computer;
14. Upload any file to the target computer or update the server part of NetBus;
15. Increase and decrease the sound-volume;
16. Record sounds that the microphone catches - to listen to what happens in the room where the remote computer is;
17. Make click sounds every time a key is pressed;
18. Download and delete any file from the target system;
19. Block certain keys on the remote system's keyboard;
20. Password-protection management of the remote server;
21. Show, kill and focus windows on remote system.

I THINK MY COMPUTER HAS BEEN INFECTED WITH NETBUS. HOW DO I MAKE SURE OF THAT?

1. You have to check your registry (here are the instructions). If you do find it there, you can also delete it, as instructed. (WARNING! Users not used to working with the registry should consult an expert! Deleting the wrong file could stop Windows from working properly.)

2. Delete the file that infected your computer.

COMPUTER INTRUSION IS ILLEGAL IN MOST COUNTRIES! You should check the laws in your country. If your computer has been broken into, report this to the authorities! Remember, in that case, DO NOT delete anything. If you delete the files, you are destroying the evidence, and therefore making it impossible to trace the intruder!

MORE INFO ON NETBUS:
________________________________________________________________________________________________

Privacy Software Corporation Security Advisory
Tuesday, September 1, 1998

NETBUS INTERNET TROJAN HORSE PROGRAM

SYNOPSIS:

A Swedish programmer has released a Windows 95/98 trojan horse program named "Netbus." Netbus consists of a client program called Netbus which is run on a remote computer to gain access to any computer connected to a TCP/IP network or the internet. An executable server program is required to be installed on the victim's computer to permit the remote site access to the victim's computer in a manner similar to Cult of the Dead Cow's "Back Orifice" program. As is the case with "Back Orifice," this program exploits security vulnerabilities in the Windows 95 and Windows 98 platform and does not function on Windows NT systems at the time of this advisory. "Netbus does infect and affect NT systems. Our own internal research has proven this, and we have received many reports of Netbus intrusion into customers' NT systems." (from an e-mail written by the Privacy Software Corporation CEO on November 10, 1998) Reported delivery modes include transfer through IRC and AOL chat rooms, email file attachments, exploits of security holes in browsers and email programs and physical installation on machines.

The server program for the Netbus trojan horse can be given any name by the party who places it on the victim's machine, which makes it difficult, but not impossible, to identify after it has been installed. The server is provided under the name of PATCH.EXE, but exploiters of this trojan horse program are reminded that they should change the name of the server program or package it within another innocuous program for delivery and installation on the victim's machine.

Privacy Software Corporation's "BOClean version 2.01" software, designed to detect and defeat the "Back Orifice" trojan horse program, is fully effective in removing the Netbus server regardless of the filename or manner of delivery and, as is the case with "Back Orifice," can also disable this program instantly upon detection. BOClean version 2.01 will also remove the files and registry hooks without the need to disconnect from the internet or reboot the victim's machine. This precludes the risks of registry editing and possible loss of data and permits the victim to remove the program and continue their use of a TCP/IP connection without loss of work or time.

The server program can also be removed manually if it is delivered in its native state with the default filename of "PATCH.EXE." Since the server program can be given any name, the registry will have to be examined to determine the name of the server program. A knowledge of legitimate registry entries in the particular machine is required in order to determine the key which contains the pointer to the Netbus server program. Once the added file is determined, the registry entry can be removed and the machine rebooted to permit deletion of the server file. A KeyHook.DLL file is also placed in the \WINDOWS or \WINDOWS\SYSTEM directory which replaces any copies of this file which may have been installed with other shareware legitimately. It will be necessary to replace the KeyHook.DLL file with a copy from the original install disks after removal.

While the server is a completely different design from "Back Orifice," its behaviors are similar as is the means of exploitation of the victim's machine. The server is similar to but not the same as the server used in the "Master's Paradise" exploit.

CAPABILITIES:

The Netbus server permits anyone using the Netbus client to remotely control the victim's machine. The capabilities of the Netbus program are not as significant as "Back Orifice" but Privacy Software Corporation has already received reports of this and similar trojan horse programs from BOClean customers in actual operation on their machines. We quote from the documentation shipped with the Netbus program below verbatim:

Open/close the CD-ROM once or in intervals (specified in seconds).
Show optional image. If no full path of the image is given it will look for it in the Patch-directory. The supported image-formats are BMP and JPG.
Swap mouse buttons the right mouse button gets the left mouse button's functions and vice versa.
Start optional application.
Play optional sound-file. If no full path of the sound-file is given it will look for it in the Patch-directory. The supported sound-format is WAV.
Point the mouse to optional coordinates. You can even navigate the mouse on the target computer with your own!
Show a message dialog on the screen. The answer is always sent back to you!
Shutdown the system, logoff the user etc.
Go to an optional URL within the default web-browser.
Send keystrokes to the active application on the target computer! The text in the field Message/text will be inserted in the application that has focus. (| represents enter).
Listen for keystrokes and send them back to you!
Get a screendump! (should not be used over slow connections)
Return information about the target computer.
Upload any file from you to the target computer! With this feature it will be possible to remotely update Patch with a new version.
Increase and decrease the sound-volume.
Record sounds that the microphone catches. The sound is sent back to you!
Make click sounds every time a key is pressed!
Download and delete any file from the target. You choose which file you wish to download/delete in a nice view that represents the harddisks on the target!
Keys (letters) on the keyboard can be disabled.
Password-protection management.
Show, kill and focus windows on the system.

The ability to turn on a microphone is particularly threatening as this could permit the perpetrator the ability to listen to room audio and in effect "bug" the victim's room without detection. The ability to monitor keystrokes is also of concern as is the ability to read and write files or possibly destroy the operating system.

MANUAL REMOVAL OF NETBUS SERVER:

The Netbus server will install its program in the registry under the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run key and may have a DOS-like command switch such as /nomsg, /noadd or a similar switch. In some cases this clue will not appear. The registry entry will point to the name of the file as the subkey name and will have as its value a pointer to the location where the server is installed.

It is necessary to remove the registry subkey first. It will not be possible to remove the program file while the server is running and you may also be prevented from shutting down the computer. A reboot will be required in order to restart the machine without the Netbus server being reloaded at which time the file pointed to in the registry can be removed without further risk.

As a result, care should be taken to back up your registry first as well as your programs and files in the event that removal of the registry entry results in damage to your system. Use of Privacy Software Corporation's "BOClean version 2.01" program will safeguard against this possibility by removing the program and its registry entries automatically without risk of damage.
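As an added example (not code from this page or from Privacy Software Corporation), the following Python script applies the registry check described above to a regedit export of the Run key: it lists each value and flags those that use the default PATCH.EXE name, carry a /nomsg or /noadd switch, or are absent from a baseline of entries already known to be legitimate on that machine. The sample export and the baseline names are constructed for illustration.

```python
import re

# Constructed sample: a regedit export of the Run key from a machine carrying the Netbus
# server. PATCH.EXE and /nomsg come from the page; the other entries and all paths are made up.
SAMPLE_REG_EXPORT = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"Patch"="C:\\WINDOWS\\PATCH.EXE /nomsg"
"""

RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
DEFAULT_SERVER_NAME = "patch.exe"          # default server filename named on the page
NETBUS_SWITCHES = ("/nomsg", "/noadd")     # command switches named in the advisory
KNOWN_GOOD = {"SystemTray", "ScanRegistry"}  # hypothetical baseline of legitimate Run values

def parse_run_values(reg_text):
    """Return {value name: command line} for the Run key in a .reg export."""
    values, current_key = {}, None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]
            continue
        if current_key != RUN_KEY:
            continue
        m = re.match(r'^"([^"]+)"="(.*)"$', line)
        if m:
            # .reg exports escape backslashes and quotes inside string values
            values[m.group(1)] = m.group(2).replace("\\\\", "\\").replace('\\"', '"')
    return values

def flag_suspicious(values, baseline):
    """Return [(name, command, reasons)] for entries an examiner should look at."""
    findings = []
    for name, cmd in values.items():
        reasons, low = [], cmd.lower()
        if name not in baseline:
            reasons.append("not in the known-good baseline")
        if DEFAULT_SERVER_NAME in low:
            reasons.append("default Netbus server filename")
        if any(sw in low.split() for sw in NETBUS_SWITCHES):
            reasons.append("Netbus command switch")
        if reasons:
            findings.append((name, cmd, reasons))
    return findings

if __name__ == "__main__":
    print(flag_suspicious(parse_run_values(SAMPLE_REG_EXPORT), KNOWN_GOOD))
```

A flagged entry is only a lead: as the advisory says, knowledge of which Run entries are legitimate on that particular machine is what confirms the server's name before the value is removed and the file deleted after a reboot.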

COPYRIGHTED MATERIAL:

Copyright (c) 1998 by Privacy Software Corporation.

Permission is granted for the retransmission of this advisory by electronic means. It is not to be edited in any way without the express consent of Privacy Software Corporation. Requests to reprint this information in whole or in part should be directed to technology@privsoft.com.

Disclaimer: The information within this advisory may change without notice and is provided by Privacy Software Corporation AS IS. No warranties, express or implied, are provided with respect to this information nor should any be construed by the transmission of this information. Any use of this information or its recommendations is solely at the risk of the user.

Contact Privacy Software Corporation at http://www.privsoft.com, http://www.nsclean.com, email to technology@privsoft.com. Copies of the Netbus distribution as captured by Privacy Software Corporation will only be provided to recognized security interests and responsible, recognized members of the press with the technical capability to conduct independent research on this trojan horse program or in the alternative, we will provide the URL where the programs can be obtained independently. Copies will NOT be provided by us to any other parties. Privacy Software Corporation reserves the right to refuse transmission without further explanation. Under the provisions of Privacy Software Corporation's customer and website privacy policies, we cannot divulge email from our customers regarding their experiences with these trojan horse programs nor can we divulge their identities under any circumstances.

Free updates are available to existing BOClean customers of Privacy Software Corporation to include coverage of this new trojan horse exploit. Copies of BOClean version 2.01 now shipping already contain these updates. BOClean customers should visit the BOClean support page at http://www.nsclean.com/supboc.html for further details.
***********************************************************************************************************
(copied from http://post.blackbox.at/fcweb/Computertalk_Hackers/BONetbus_Infos.htm )
_________________________________________________________________________________________________________________________________________________________