BackOrifice Copycat Tool Adds NT Compatibility

• 10/07/1998

"There is … a program available on the Internet called NetBus, with functionality similar to BO, and in some ways more advanced than BO," reads a Sept. 10 X-Force vulnerability alert distributed on the Windows NT Security mailing list sponsored by Internet Security Systems Inc. (ISS, Atlanta, www.iss.net). "NetBus has been available for some time now, but its widespread use as a hacking tool has not occurred until recently. Unlike BO, NetBus will run on Windows 95/98 and NT," reads the report.

But in contrast to the industrywide uproar that accompanied CDC’s introduction of the BO utility, NetBus has thus far received very little attention. The Windows NT Security Website (www.microsoft.com/security) sponsored by Microsoft Corp. featured a Windows NT Security bulletin in the wake of BO’s introduction, but no such bulletin accompanied the announcement of NetBus, even though the latter tool is applicable to both the Windows 95/98 and Windows NT operating systems, whereas the former utility is intended ostensibly for Windows 95/98 machines only.

According to ISS’ X-Force security bulletin, NetBus includes many of the features of BO -- and more. "NetBus … allows the remote user to do most of the functions BO can do, as well as open/close the CD-ROM drive, send interactive dialogs to chat with the compromised system, listen to the system's microphone (if it has one), and a few other features," the security bulletin says.

Using NetBus, an unscrupulous hacker can surreptitiously control a Windows 95/98 or Windows NT computer across a TCP/IP connection by TELNETing to port 12345 on a localhost. Like BO, NetBus is a stealthy Trojan program that can be installed without an end user’s knowledge and doesn’t appear in the Windows NT Task Manager or on the Windows 95/98 program list that is invoked when the CTRL-ALT-DEL key sequence is simultaneously depressed.

Because NetBus uses TCP for communication and always uses ports 12345 and 12346 to listen for connections, administrators can use the Windows NETSTAT.EXE command to ascertain whether or not NetBus is installed on a system, the X-Force bulletin indicates. "Issue the command 'netstat -an | find "12345"‘. Then, start the Windows telnet program and connect to localhost at port 12345. If NetBus is installed, a string similar to 'NetBus 1.53' or 'NetBus 1.60 x' will be displayed when you connect."

NetBus' protocol is not encrypted, and hackers can set a password on the NetBus server, the location of which password is stored in the registry as plain text at HKEY_CURRENT_USER\Patch\Settings\ServerPwd. In addition, the ISS X-Force bulletin indicates that there is a backdoor in NetBus that will allow anyone to connect with no password. By default, the NetBus server is called Patch.exe, but it can be renamed.

While NetBus ostensibly is a more powerful tool than BO because it runs on Windows NT, ISS maintains that it has the advantage of being more easily discovered. "NetBus provides a richer feature set than BO, works on Windows NT, but is easier to detect than BO since it will always use TCP port 12345 and provides a banner with the NetBus version when you connect via telnet," the X-Force security bulletin concludes.

"While NetBus itself is a problem, now other hackers are capitalizing on a few things, such as the fact that security people want to know about this program, so they will download it," explains David Bovee, a security engineer with Internet and Web services provider Verio Northwest (Beaverton, Ore.). Bovee notes that in this case administrators can often circumvent the very protective measures that they already have in place to keep end users from introducing unknown software onto enterprise networks. "In addition, if a person is not circumspect enough, he or she may download this 'Trojan' by accident [and install it on his or her network]."

NetBus is available at http://surf.to/netbus .