NetBus

Vulnerability Description

Brief description: NetBus is a Trojan horse that, once installed, gives the person who installed it remote access to the system at any later time through the program.

Full description: NetBus lets the remote user do most of what Back Orifice can do. (Back Orifice lets anyone who knows the listening port number and the Back Orifice password remotely control the host. Intruders reach the Back Orifice server with either a text-based or a graphical client. The server lets an intruder execute commands, list files, start silent services, share directories, upload and download files, manipulate the registry, kill processes, list processes, and more.) NetBus additionally lets the remote user open and close the CD-ROM drive, pop up interactive dialogues to chat with whoever is at the compromised system, listen to the system's microphone (if it has one), and use a few other features.

Components: none

Systems: Windows NT 3.51, 4.0; Windows 95, 98

Effect(s) of exploiting: This gives the remote user control of the target system. The server is an ordinary user-mode program, so on Windows NT the intruder acts with the privileges of the account that started it (Administrator when that account is an administrator); Windows 95 and 98 have no privilege separation, so the intruder has full control of the machine.

Detecting the hole:

    1. For NetBus 1.53:
       a. Look for a file called SysEdit.exe of 473,088 bytes. (The file may have been renamed, in which case look for the registry keys in the next step; one of them will either be, or contain, the right name.)
       b. Check for the following registry keys: HKEY_CURRENT_USER\SYSEDIT ("SYSEDIT" is the base name of the NetBus executable, so if the executable was renamed this key is renamed with it), HKEY_CURRENT_USER\NETBUS, and HKEY_CURRENT_USER\NETBUS\Settings. A value naming the server may also have been added under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, in which case NetBus runs at boot time. (The server only registers itself there when it is started with the "/add" parameter.)
       c. Check whether TCP ports 12345 and 12346 are open. The v1.53 server listens on 12345 for the remote client and uses 12346 for a second (data) connection. If they are open, a Telnet connection to port 12345 is answered with the server's name and version number.
       d. Look for the file KeyHook.dll, most likely in the Windows directory. The v1.53 server requires this file for some of its functions.
    2. For NetBus 1.60:
       a. Look for a file called Patch.exe of 472,576 bytes. (The file may have been renamed, in which case look for the registry keys in the next step; one of them will either be, or contain, the right name.)
       b. Check for the following registry keys: HKEY_CURRENT_USER\PATCH ("PATCH" is the base name of the NetBus executable, so if the executable was renamed this key is renamed with it), HKEY_CURRENT_USER\NETBUS, HKEY_CURRENT_USER\NETBUS\Settings, and a value naming the server under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.
       c. Check whether TCP ports 12345 and 12346 are open. The v1.60 server listens on 12345 for the remote client and uses 12346 for a second (data) connection. If they are open, a Telnet connection to port 12345 is answered with the server's name and version number.
       d. Look for the file KeyHook.dll, most likely in the Windows directory. The v1.60 server requires this file for some of its functions.
    3. For NetBus 1.70:
       a. Look for a file called Patch.exe of 494,592 bytes. After configuration its size grows, usually by a couple of hundred bytes, so treat the size as approximate. (The file may have been renamed, in which case look for the registry keys in the next step; one of them will either be, or contain, the right name.)
       b. Check for the following registry keys: HKEY_CURRENT_USER\PATCH ("PATCH" is the base name of the NetBus executable, so if the executable was renamed this key is renamed with it), HKEY_CURRENT_USER\NETBUS, HKEY_CURRENT_USER\NETBUS\Settings, and a value naming the server under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.
       c. Check whether TCP ports 12345 and 12346 are open. The v1.70 server listens on 12345 for the remote client and uses 12346 for a second (data) connection. If they are open, a Telnet connection to port 12345 is answered with the server's name and version number. Unlike the other two versions, the port numbers are configurable (and can be changed remotely), so if nothing answers on 12345 try other ports. The second port is always the next-higher port number.
       d. Look for the file KeyHook.dll, most likely in the Windows directory. The v1.70 server requires this file for some of its functions.
       e. Look for the files Host.txt and Memo.txt in the same directory as the running server. If they exist, a remote user has contacted the NetBus v1.70 server.
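The network half of the checks above, written out as a probe that can be run against a host or a list of candidate ports. This is an added example, not code from the original entry or from NetBus's author; it relies only on the two facts stated above (a bare TCP connection to the command port is answered with "NetBus <version>", and the second port is always one above the command port). The target address and the port range in the usage block are placeholders chosen for illustration.

```python
import re
import socket

# Added example, not NetBus's own code. A NetBus 1.x server greets a bare
# TCP connection on its command port with a line such as "NetBus 1.70";
# its second (data) port is always the next-higher port number.

BANNER_RE = re.compile(rb"NetBus\s+(\d+\.\d+)")
DEFAULT_COMMAND_PORT = 12345   # fixed for 1.53 and 1.60; configurable in 1.70


def parse_banner(data: bytes):
    """Return the version string from a NetBus greeting, or None if it is not one."""
    m = BANNER_RE.search(data)
    return m.group(1).decode() if m else None


def data_port(command_port: int) -> int:
    """NetBus uses the port one above the command port for its second connection."""
    return command_port + 1


def classify_banner(port: int, data: bytes):
    """Turn one captured greeting into a finding, or None if it is not NetBus."""
    version = parse_banner(data)
    if version is None:
        return None
    return {
        "port": port,
        "version": version,
        "data_port": data_port(port),
        # 1.53 and 1.60 cannot be moved off 12345, so a NetBus banner on any
        # other port implies a 1.70 server whose port was reconfigured.
        "default_port": port == DEFAULT_COMMAND_PORT,
    }


def read_banner(host: str, port: int, timeout: float = 3.0) -> bytes:
    """Connect, send nothing, and return whatever the service volunteers (b"" on silence or error)."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            return s.recv(256)
    except OSError:
        return b""


def port_open(host: str, port: int, timeout: float = 3.0) -> bool:
    """True if a TCP connection to host:port succeeds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def scan(host: str, ports=(DEFAULT_COMMAND_PORT,), timeout: float = 3.0):
    """Probe each candidate command port; for every hit also confirm the data port."""
    findings = []
    for port in ports:
        finding = classify_banner(port, read_banner(host, port, timeout))
        if finding:
            finding["data_port_open"] = port_open(host, finding["data_port"], timeout)
            findings.append(finding)
    return findings


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"   # placeholder target
    # The default port catches 1.53/1.60; the extra range is an arbitrary
    # illustration of sweeping for a relocated 1.70 server.
    for finding in scan(target, ports=[DEFAULT_COMMAND_PORT] + list(range(20000, 20010))):
        print(finding)
```

An open port 12345 on its own proves nothing; the banner is what identifies NetBus, and an open data port one above it corroborates the hit. The host-side checks above (file sizes, KeyHook.dll, the registry keys) still need to be done on the machine itself.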

Fixing the hole:

    1. The steps to delete NetBus are the same for all versions, except that the file name of the executable differs. All three versions use KeyHook.dll, and v1.70 may create two text files; these should be cleaned out as well.
    2. Obtain the name of the NetBus server (most often SysEdit.exe or Patch.exe). The quickest way is to read the value under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run that points at it, or the HKEY_CURRENT_USER\XXX key the server creates under its own base name. Failing that, open the task list and kill suspicious processes one at a time; after each kill, try connecting to port 12345, and when the connection fails, the last task killed was the NetBus server.
    3. Next prevent NetBus from being started at boot time. Delete the value XXX under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, where XXX is the name of the NetBus server. Also remove the HKEY_CURRENT_USER\XXX and HKEY_CURRENT_USER\NETBUS keys.
    4. Delete the NetBus server executable. Also delete the KeyHook.dll file in the same directory as the NetBus server, if it is present, and for v1.70 the Host.txt and Memo.txt files in that directory (preserve copies first if the incident is to be investigated; they show that a remote user connected).
    5. Restart the computer and verify that port 12345 (or the configured port) no longer answers.

Other information: NetBus's protocol is not encrypted, and its commands have a simple format: the command name, a semicolon, then the arguments separated by semicolons. A password can be set on the NetBus server; it is stored in plaintext in the registry at HKEY_CURRENT_USER\Patch\Settings\ServerPwd (the "Patch" component follows the server's base name). There is also a backdoor that lets anyone connect without knowing the password: when the client authenticates it sends a string of the form Password;0;my_password, and if the client sends a 1 instead of the 0, the server accepts any password.
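The message format and the authentication backdoor just described, modelled in code. This is an added example, not NetBus's own code or code from the original entry: the "Name;arg;arg" framing and the Password;0;secret exchange are from the entry, while the "\r\n" line terminator and the exact server-side comparison are assumptions made so that the model runs. The hardened variant shows the one-line change that closes the hole.

```python
import hmac

# Added example, not NetBus's own code. Models the entry's description of the
# protocol: plaintext, "Command;arg;arg" framing, and an authentication
# message "Password;<flag>;<password>" where a flag of "1" bypasses the
# password check. The "\r\n" terminator is an assumption.

TERMINATOR = b"\r\n"   # assumed line terminator, not documented in the entry


def encode(command: str, *args: str) -> bytes:
    """Build a NetBus-style message: command name, then ';'-separated arguments."""
    return ";".join((command, *args)).encode("latin-1") + TERMINATOR


def decode(message: bytes):
    """Split a message back into (command, [args]); tolerates a missing terminator."""
    line = message.rstrip(TERMINATOR).decode("latin-1")
    command, *args = line.split(";")
    return command, args


def vulnerable_check(stored_password: str, message: bytes) -> bool:
    """Server-side check as the entry describes it: the flag field short-circuits the password."""
    command, args = decode(message)
    if command != "Password" or len(args) != 2:
        return False
    flag, supplied = args
    # The documented backdoor: flag "1" authenticates regardless of the password.
    return flag == "1" or supplied == stored_password


def hardened_check(stored_password: str, message: bytes) -> bool:
    """Same exchange with the flag ignored: only the password decides, compared in constant time."""
    command, args = decode(message)
    if command != "Password" or len(args) != 2:
        return False
    _flag, supplied = args
    return hmac.compare_digest(supplied.encode("latin-1"), stored_password.encode("latin-1"))


if __name__ == "__main__":
    stored = "s3cret"   # constructed server password
    for msg in (encode("Password", "0", "s3cret"),
                encode("Password", "0", "wrong"),
                encode("Password", "1", "wrong")):
        print(msg, "vulnerable:", vulnerable_check(stored, msg),
              "hardened:", hardened_check(stored, msg))
```

Because the exchange is plaintext, the same `decode` function works as a network-monitor rule: any line matching `Password;1;` on a NetBus port is an attempt to use the backdoor, and any `Password;0;` line exposes the real server password to whoever captured it.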

Keywords

Trojan horse, netbus

Cataloguing

PA Classification(s):

RISOS Classification(s):

DCS Classification(s):

CVE Number: CAN-1999-0660 -- A hacker utility or Trojan Horse is installed on a system, e.g. NetBus , Back Orifice , Rootkit , etc.

Exploit Information

Attack:

Related Information

The NetBus program has two pages: a copy of the original page and a version called NetBus Pro .

Advisories: CERT Summary CS-99-01 section 2, Back Orifice and NetBus; CIAC Information Bulletin J-032: Windows Backdoors Update II: (NetBus 2.0 Pro, Caligula, and Picture.exe) quoting ISS Vulnerability Alert #20, Windows Backdoors Update II: NetBus 2.0 Pro, Caligula, and Picture.exe .

Related Vulnerabilities:

Reportage

Reporting: Carl-Fredrik Neikter (March 1998)

Revision Number 1

  1. Stacey Anderson (6/23/2000):
    Initial entry