The Netbus trojan is one of the most famous trojans around. It was authored by Carl-Fredrik Neikter and is very similar to the “Back Orifice” trojan distributed by CdC. It allows ANYONE running the client portion to connect to and control ANYONE running the server portion of it, WITH THE SAME RIGHTS AND PRIVILEGES AS THE CURRENTLY LOGGED ON USER!
According to Carl (also known as “cf”) and verified by the ISS X-Force (report at http://www.ntsecurity.net/scripts/loader.asp?iD=/security/netbus.htm ), it is capable of:
Show optional BMP/JPG image.
Swap mouse buttons.
Start optional application.
Play a wav file.
Show different kinds of messages.
Shut down Windows.
Go to an optional URL.
Send keystrokes and disable keys.
Listen for and send keystrokes.
Take a screendump.
Increase and decrease the sound-volume.
Record sounds from the microphone.
Upload optional file.
Make click sounds every time a key is pressed.
This utility also has the ability to scan “Class C” addresses by adding “+Number of ports” to the end of the target address. Example: 255.255.255.1+254 will scan 255.255.255.1 through 255.
Netbus 2.0 removal
Check out David’s excellent site for Netbus removal. It’s located at: http://www.davidm.8m.com/netbus.html If you use IRC chat, you’ll also want to check out this script by DavidM for detection and removal.
NetBus 1.5x removal
Find out the name of the NetBus-server (which is most often SysEdit.exe). Go to the tasklist and kill any suspicious process, if possible. If you can’t kill Patch.exe, go to 1.6 removal. After each kill, try connecting to port 12345 (telnet localhost 12345), and the moment you can’t do that anymore you have found the NetBus-server. Most often the NetBus-server starts every time your system (Windows) starts. Of course you can just delete the NetBus-server from your HD, but then you will get an irritating Windows message at startup telling you that the program could not be started. So, before deleting the NetBus-server from your HD, either delete the registry-key \HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\[Name of NetBus-server] or just run “NetBus_server_name /remove”, which will do the same thing. Finally, restart the computer. The NetBus-server also consists of the KeyHook.dll file, which you will probably find in the same directory (the DLL isn’t able to do anything on its own). If you don’t find it, someone has forgotten that it’s necessary for some of the features to work properly (for example the Listen-function).
NetBus 1.6 removal
Find out the name of the NetBus-server (which is most often Patch.exe). Run RegEdit.exe and look up the registry-key \HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run. From that key you should be able to sort out the NetBus server program (again, most often Patch.exe) from the others. The entry for the offending program normally ends with “ /nomsg”. When you’ve found the suspicious entry, do a file-search for “[Name of the NetBus-server].exe” on your system. Finally run “[Name of NetBus-server].exe /remove”. If you’ve run the NetBus server you should see that it just starts and ends quickly without any interaction. Wonderful. An easier approach is to use the NetBus-client (NetBus.exe) yourself, connect to localhost, choose “Server admin” and click on the “Remove server” button.
NetBus 1.7 removal
Netbus 1.7 was released to the public on 11/14/98. It is basically the same program as version 1.6, but with some new “features” described by Carl here:
Ultra-fast Port scanner.
Port Redirect – redirects data to another host and port.
Server setup – configures the server-exe with some options, like TCP-port and mail notification.
Application Redirect – redirects I/O from console applications to a specified TCP-port.
Possibility to restrict access to only a few IP-numbers.
Removal is essentially the same as 1.60, with the exception that the password (if there is one) is no longer written to the registry. All preferences (including password) are written to an .ini file which will have the same name as the program. Here’s an example patch.ini:
If IP logging is enabled (as it is in the above example), it will write all commands and IP addresses to IP.TXT. Another file (Read on, it’s pretty important) is called “Access.txt”. This file contains the list of IP addresses ALLOWED to connect to the Netbus server.
Therefore, the files to delete are: “Patch.exe”, “Patch.ini”, IP.TXT, as well as removing the startup portion from the registry.
The icon for Patch.exe no longer resembles a torch in Windows Explorer; now it resembles an Internet Explorer “Channel”. Preliminary results show pretty much the same footprint as 1.6, although now the port could be anything the attacker wants it to be. If you have anything YOU’D like to contribute to this, take a stroll on over to the discussion forum I’ve set up on this site located here.
Network packet captures indicate that the password scheme is padded by one byte (from Ver 1.6) and uses a local file comparison from %systemroot%\patch.ini. Gibby had the right idea in using a random character generated crack in Netbuster. If you’ve run the Netbuster crack, you’ll notice it could take forever to crack a good password scheme. If you want to protect yourself from this version, create a file using Notepad called “Access.txt” with only the IP 127.0.0.0.1 or some other invalid string at the top line, save it to your Windows or WINNT directory (also called “%systemroot%”), make the file attribute “read only”, and reboot. This will keep Netbus 1.7 users from accessing your computer using Netbus 1.7. And if someone tried to slip Netbus 1.7 on your computer, it won’t matter because they can’t connect to you. For the “computer illiterate” or “notepad impaired”, I’ve provided one here. If you are using Explorer, right click, “Save Target As” and save to your Windows or WINNT directory. If you are using Netscape, “Shift-Left-Click” to the same directory. On a personal note, I find it comical that one well placed text file renders this program useless (even via Telnet).
Netbus 2.0 Pro
This may very well be Carl’s way of saying “I’m sorry guys, things got way out of hand”. It appears to be a valid remote administration program. I won’t say that it is impossible to trojan this, but it would be very difficult to do so. To activate the “server” portion it requires either user intervention for acceptance, admin rights to “put” the necessary registry entries on the “server”, or access to the local host. It IS in the download section for evaluation. For the full report on this one, click here.
Removing Via The Registry
Here’s a pretty thorough page with screenshots on how to edit the registry for this. (Novices be VERY careful, if you don’t know what you are doing I strongly advise you to find someone who does..)
Fun with Telnet (Version 1.60)
As the password encryption scheme is kind of primitive, Netbus 1.60 is also relatively easy to hack from Telnet by telnetting to port 12345. Once there, you are greeted with a response of “Netbus 1.xx”. Any password will be accepted if it is offset with a padded “1”, such as: Password;1;Password. You will at that point see “Access”. Type in “ServerPwd;Password” and the password will be reset to “Password”. The telnet session will seem hung, but the password is now changed. If you simply need information, “GetInfo;1” will suffice. You will have to enable local echo on the telnet client to see what you are typing to accomplish this. PLEASE, NO MORE EMAIL ASKING ME HOW TO DO THIS. As a side note, it’s kind of humorous to read the death threats and stuff emailed to me for revealing this ankle-biter “secret”.
There is a specific game called “Whackamole” that, when run, also installs the server portion of this trojan. I have not tested it, but one can assume it could be installed arbitrarily using the “Buffer Overrun” exploit described at: http://www.microsoft.com/ie/security/?/ie/security/oelong.htm. You can find the original report by myself and the ISS X-Force’s findings here, as well as more removal procedures. As the official web site for NetBus tends to move around quite a bit, I’ve provided the trojan “game” here for analysis.
“John” has released whackjob version 2.0, running on Port 20043 with the “added feature” of automatically clearing the log file every time the PC is rebooted. Even the author of Netbus (Carl-Fredrik Neikter) is concerned. He contacted us for our thoughts on how to make the next release non-trojanable.
“John” (aka ecoli) just released “whackjob2”, which needless to say is MUCH more dangerous than the previous releases.
FILES AND DIRECTORIES ADDED: (4)
REGISTRY KEYS ADDED: (1)
REGISTRY KEY VALUES ADDED: (2)
It also added Rundll32:Reg_SZ:rundll2.dl_ to HKLM\SW\MSoft\Windows\CurrentVer\Run (InCtrl3 did not catch this.)
Size of server (rundll2.dl_)= 624,640
It is preconfigured to run “invisible” on port 20043 with the password of “ecoli”.
Password capturing is possible from the client side with the “registered version”. (The crack is freely distributed all over the internet. A couple of morons even tried posting it to the discussion forum on my site.) By deleting these reg keys it is disabled after reboot. This “little ditty” comes hot on the heels of MSNBC doing a story on Cf’s “turn around”. (http://www.msnbc.com/news/242902.asp)
You can find an excellent article on this by Mark Joseph Edwards by clicking here and selecting the 2/24/99 article.
VERSION (1.7 Trojan)
I guess he’s not done folks. Here’s the latest on this, straight from his site formerly located at http://www.angelfire.com/nj/ecolisecurity
“Game.exe – This program is a trojan that installs the netbusv1.7 server when executed without the user knowing – It does this in the background while also bringing up a simple little game where you beat moles over the head.
It is an advanced trojan that installs very secretly and can outsmart most antivirus and netbuster detector programs. When this game is executed, netbus is going to be real tough to get rid of.
Distribute it as you wish but take full responsibility for your actions, it is not intended for illegal purposes. Test it with antivirus and detector programs and let me know of any that clean it and I’ll revise the program to beat it – Remember to reboot the PC once or twice and try to connect to the netbus server after a program tells you it cleaned it. I’ve tested many and all fail to clean it after running this program – email me at [email protected]
It should be used with the Netbus v1.7 client and uses port 12631 and the password is ecoli. Use at your own risk. Enjoy. Ecoli.”
You can evaluate this trojan by clicking here. You can quick check for it here. (Select “Run this file from it’s current location”)
BIG NOTE: As with any Netbus 1.7 trojan, IT CAN BE RENDERED USELESS WITH A WELL PLACED TEXT FILE! So if you think you may be vulnerable to the 1.7 trojan, download Access.txt to your WINDOWS or WINNT directory. Read above on version 1.7 for more info on the “miracle text file”.
If you choose to download any of these, BE EXTREMELY CAREFUL to not install it inadvertently on yourself unless you are fully capable of knowing and removing it. A few stray people have accused me of making this available for the purpose of being able to connect to their system. Nothing could be further from the truth. I have helped hundreds of people personally since this site went up. The reason I DO post the programs here is because I do not believe in security through obscurity. While it IS true that all IP traffic is logged at this site, I have devoted considerable effort in my spare time (what little I DO have) to helping people get rid of this crap. A few reasons come to mind here: It is not a real “hack”. There used to be a day years ago when the term “hacker” had a positive spin. It was someone who experimented with systems and security just to see how it worked for the sheer joy of learning something on your own, not causing harm or damage to anything that didn’t belong to you. For example, have you ever figured out something difficult (whatever situation), all by yourself with absolutely no help from anyone by experimentation and said to yourself “Damn, I’m Good..”? No? Maybe you forgot about pounding that screwdriver through the oil filter to use as a wrench, or the first time you poured club soda on the stain without anyone telling you about it. No one but you should “own” your system. As a systems administrator, I’ve seen enough of this on a large scale to make me wanna puke McNuggets. Special note to SA’s: Have you scanned YOUR network lately? You may be surprised at the results..
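The indicators this page lists (a Run-key entry ending in “ /nomsg”, the server file names, and ports 12345, 20043 and 12631) can be checked in one pass. The Python below is an added example, not part of the original page or of any tool it mentions; the function names and the sample Run-key data are constructed for illustration. Because the 1.7 server can be set to any port and the server file can be renamed, a clean result does not prove the machine is clean.

```python
import socket

# Indicators below are the ones this page names; all identifiers are illustrative.
KNOWN_PORTS = {12345: "NetBus 1.5x/1.6", 20043: "whackjob 2.0", 12631: "Game.exe (1.7)"}
KNOWN_NAMES = {"patch.exe", "sysedit.exe", "rundll2.dl_"}  # a hint only: the server can be renamed

# Constructed sample of HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (value name -> data).
SAMPLE_RUN_KEY = {
    "SystemTray": "SysTray.Exe",
    "PATCH": r"C:\WINDOWS\Patch.exe /nomsg",
    "Rundll32": "rundll2.dl_",
    "Updater": r'"C:\Tools\dispatch.exe" /quiet',
}

def exe_basename(command):
    """File name of the program in a Run-key command line, lower-cased."""
    cmd = command.strip()
    # Quoted paths end at the closing quote; unquoted ones at the first space.
    exe = cmd[1:].split('"', 1)[0] if cmd.startswith('"') else cmd.split(" ", 1)[0]
    return exe.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def triage_run_key(entries):
    """Return {value name: [reasons]} for entries matching the page's indicators."""
    findings = {}
    for name, command in entries.items():
        reasons = []
        if command.strip().lower().endswith("/nomsg"):
            reasons.append("command ends with /nomsg")
        if exe_basename(command) in KNOWN_NAMES:
            reasons.append("known server file name")
        if reasons:
            findings[name] = reasons
    return findings

def open_ports(host="127.0.0.1", ports=KNOWN_PORTS, timeout=0.5):
    """Ports from `ports` accepting TCP connections on this machine (the telnet test, automated)."""
    found = []
    for port in ports:
        try:
            with socket.create_connection((host, port), timeout=timeout):
                found.append(port)
        except OSError:
            pass  # closed or filtered
    return found

if __name__ == "__main__":
    for name, reasons in triage_run_key(SAMPLE_RUN_KEY).items():
        print(f"Run\\{name}: {', '.join(reasons)}")
    print("listening:", open_ports() or "none of the known ports")
```

To run it against a real machine, replace SAMPLE_RUN_KEY with the value names and data exported from the Run key.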
Online scan for Netbus
If you prefer not to check whether you have Netbus via the registry, you can use Bitdefender’s free online virus scan at: http://www.bitdefender.com/scan/licence.php to check for and remove the Netbus trojan.
Want to have a little fun with the people who were connecting to your computer before you removed NetBus? Itching for a little “Payback”? Download NetBuster. It simulates the NetBus server, you see who’s connecting and you can send THEM messages and play tricks on them. This is the version that runs under NT/95/98. Thanks to author Hakan Bergstrom. His site is located here, and always has the latest version. Click HERE to download from this site. The latest version according to Gibby is compatible with and will even remove ALL VERSIONS of Netbus, including the latest version 1.70.
1/08/99- Folks, we have had some reports about PC’s being compromised while using Netbuster 1.31. Please refrain from downloading this version until we can confirm or deny these reports. Version 1.30 listed above does not seem to be affected at this time, although I will reconfirm that as well. That version has been pulled as well until this can be confirmed.
1/20/99- We have investigated this to my satisfaction, and there APPEARS to be no “backdoor” to this program. It is subject to DoS (Denial of Service) attacks by packet flooding, but as the author states you should never rely on this program for protection/removal. It is for amusement purposes only. A novelty, if you will.
As a final note: PROTECT YOURSELF! Learn how it works and you won’t become a victim.