
WHAT IS NETBUS?

Netbus is a so-called Trojan horse, similar to Back Orifice with a few differences, the most important being that it runs not only under Windows 95/98 but also under Windows NT. If the Netbus server is installed on your computer, anyone who has the Netbus client installed on their own computer can take control of yours.

HOW DOES IT WORK?

NetBus consists of two parts: the "server" (on the victim's computer) and the "client", which communicate with each other over TCP/IP.
The client also has a scanning function that walks through IP addresses until it finds any computer with an active NetBus server.

The "client" looks like this:

HOW CAN NETBUS GET INTO MY COMPUTER?

It is most often delivered as the file PATCH.EXE, but the file may be renamed (e.g. CATCH.EXE). When the file is run, it writes itself into the Windows registry under:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
In plain terms: on IRC, ICQ or anywhere else, you chat with a friendly "stranger". He sends you an .exe file and tells you to run it. The moment you click on that file, the Netbus server installs itself on your computer. The "stranger" connects with his client to your server and, hop, he is already inside your computer!
You can also receive this dangerous file in other ways, e.g. by e-mail or by downloading it from the internet.

WHAT CAN SOMEONE DO WITH YOUR COMPUTER IF NETBUS HAS BEEN PLANTED ON IT?

1. Opens and closes your CD-ROM once or at intervals
2. Displays a BMP or JPG image
3. Swaps the functions of the left and right mouse buttons
4. Starts an application
5. Plays a WAV file
6. Moves the mouse cursor to a chosen location
7. Displays a message dialog on the screen that you can answer
8. Shuts down Windows, reboots, logs off or powers off
9. Opens an address in the default browser
10. Simulates typing in the active application
11. Monitors everything you type and saves it to a file
12. Takes a screenshot of your computer
13. Obtains information about your computer
14. Uploads any file to your PC, or upgrades Netbus to a new version
15. Lowers or raises the sound volume
16. RECORDS EVERYTHING YOUR MICROPHONE PICKS UP
17. Plays a mouse-click sound every time you press a key
18. DOWNLOADS OR DELETES ANY FILE FROM YOUR DISK
19. Blocks some keys on your keyboard
20. Locks you out of your own computer with a password
21. Shows or closes windows on your PC

I THINK I HAVE NETBUS ON MY PC. HOW DO I CHECK?

1. You have to look in your registry. (instructions for this procedure) If you find that you have Netbus, you can also delete it there. (WARNING! Users who are not experienced with the registry should ask an expert for help. If you delete the wrong line, Windows may stop working properly.)
2. Also delete patch.exe, or whatever file infected the computer.

INTRUSION OF THE KIND NETBUS MAKES POSSIBLE IS ILLEGAL! If you are one of the victims, it is better NOT to delete anything (you would destroy the evidence) but to report it to the police, or contact
ARNES SI-CERT
Jamova 39
1000 Ljubljana
Telephone: 061 125 1515
Telefax: 061 125 54 54
E-mail: si-cert@arnes.si

More information about NetBus:
________________________________________________________________________________________________

Privacy Software Corporation Security Advisory
Tuesday, September 1, 1998

NETBUS INTERNET TROJAN HORSE PROGRAM
 

SYNOPSIS:

A Swedish programmer has released a Windows95/98 trojan horse program named "Netbus." Netbus consists of a client program called Netbus which is run on a remote computer to gain access to any computer connected to a TCP/IP network or the internet. An executable server program is required to be installed on the victim's computer to permit the remote site access to the victim's computer in a manner similar to Cult of the Dead Cow's "Back Orifice" program. As is the case with "Back Orifice," this program exploits security vulnerabilities in the Windows95 and Windows98 platform and does not function on Windows NT systems at the time of this advisory. "Netbus does infect and affect NT systems. Our own internal research has proven this, and we have received many reports of Netbus intrusion into customer's NT systems." (written in mail from Privacy Software Corporation CEO as of November 10, 1998) Reported delivery modes include transfer through IRC and AOL chat rooms, email file attachments, exploits of security holes in browsers and email programs and physical installation on machines.

The server program for the Netbus trojan horse can be given any name by the party who places it on the victim's machine which makes it difficult, but not impossible to identify after it has been installed. The server is provided under the name of PATCH.EXE but exploiters of this trojan horse program are reminded that they should change the name of the server program or package it within another innocuous program for delivery and installation on the victim's machine.

Privacy Software Corporation's "BOClean version 2.01" software, designed to detect and defeat the "Back Orifice" trojan horse program, is fully effective in removing the Netbus server regardless of the filename or manner of delivery and, as is the case with "Back Orifice," can also disable this program instantly upon detection. BOClean version 2.01 will also remove the files and registry hooks without the need to disconnect from the internet or reboot the victim's machine. This precludes the risks of registry editing and possible loss of data and permits the victim to remove the program and continue their use of a TCP/IP connection without loss of work or time.

The server program can also be removed manually if it is delivered in its native state with the default filename of "PATCH.EXE." Since the server program can be given any name, the registry will have to be examined to determine the name of the server program. A knowledge of legitimate registry entries in the particular machine is required in order to determine the key which contains the pointer to the Netbus server program. Once the added file is determined, the registry entry can be removed and the machine rebooted to permit deletion of the server file. A KeyHook.DLL file is also placed in the \WINDOWS or \WINDOWS\SYSTEM directory which replaces any copies of this file which may have been installed with other shareware legitimately. It will be necessary to replace the KeyHook.DLL file with a copy from the original install disks after removal.

While the server is a completely different design from "Back Orifice," its behaviors are similar as is the means of exploitation of the victim's machine. The server is similar to but not the same as the server used in the "Master's Paradise" exploit.
 

CAPABILITIES:

The Netbus server permits anyone using the Netbus client to remotely control the victim's machine. The capabilities of the Netbus program are not as significant as "Back Orifice" but Privacy Software Corporation has already received reports of this and similar trojan horse programs from BOClean customers in actual operation on their machines. We quote from the documentation shipped with the Netbus program below verbatim:

Open/close the CD-ROM once or in intervals (specified in seconds).
Show optional image. If no full path of the image is given it will look for it in the Patch-directory. The supported image-formats is BMP and JPG.
Swap mouse buttons the right mouse button gets the left mouse button's functions and vice versa.
Start optional application.
Play optional sound-file. If no full path of the sound-file is given it will look for it in the Patch-directory. The supported sound-format is WAV.
Point the mouse to optional coordinates. You can even navigate the mouse on the target computer with your own!
Show a message dialog on the screen. The answer is always sent back to you!
Shutdown the system, logoff the user etc.
Go to an optional URL within the default web-browser.
Send keystrokes to the active application on the target computer! The text in the field Message/text will be inserted in the application that has focus. (| represents enter).
Listen for keystrokes and send them back to you!
Get a screendump! (should not be used over slow connections)
Return information about the target computer.
Upload any file from you to the target computer! With this feature it will be possible to remotely update Patch with a new version.
Increase and decrease the sound-volume.
Record sounds that the microphone catch. The sound is sent back to you!
Make click sounds every time a key is pressed!
Download and deletion of any file from the target. You choose which file you wish to download/delete in a nice view that represents the harddisks on the target!
Keys (letters) on the keyboard can be disabled.
Password-protection management.
Show, kill and focus windows on the system.

The ability to turn on a microphone is particularly threatening as this could permit the perpetrator the ability to listen to room audio and in effect "bug" the victim's room without detection. The ability to monitor keystrokes is also of concern as is the ability to read and write files or possibly destroy the operating system.

MANUAL REMOVAL OF NETBUS SERVER:

The Netbus server will install its program in the registry under the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run key and may have a dos-like command switch such as /nomsg, /noadd or similar switch. In some cases this clue will not appear. The registry entry will point to the name of the file as the subkey name and will have as its value a pointer to the location where the server is installed.

It is necessary to remove the registry subkey first. It will not be possible to remove the program file while the server is running and you may also be prevented from shutting down the computer. A reboot will be required in order to restart the machine without the Netbus server being reloaded at which time the file pointed to in the registry can be removed without further risk.

As a result, care should be taken to back up your registry first as well as your programs and files in the event that removal of the registry entry results in damage to your system. Use of Privacy Software Corporation's "BOClean version 2.01" program will safeguard against this possibility by removing the program and its registry entries automatically without risk of damage.
 

COPYRIGHTED MATERIAL:

Copyright (c) 1998 by Privacy Software Corporation.

Permission is granted for the retransmission of this advisory by electronic means. It is not to be edited in any way without the express consent of Privacy Software Corporation. Requests to reprint this information in whole or in part should be directed to technology@privsoft.com.

Disclaimer: The information within this advisory may change without notice and is provided by Privacy Software Corporation AS IS. No warranties, express or implied, are provided with respect to this information nor should any be construed by the transmission of this information. Any use of this information or its recommendations is solely at the risk of the user.

Contact Privacy Software Corporation at http://www.privsoft.com, http://www.nsclean.com, email to technology@privsoft.com. Copies of the Netbus distribution as captured by Privacy Software Corporation will only be provided to recognized security interests and responsible, recognized members of the press with the technical capability to conduct independent research on this trojan horse program or in the alternative, we will provide the URL where the programs can be obtained independently. Copies will NOT be provided by us to any other parties. Privacy Software Corporation reserves the right to refuse transmission without further explanation. Under the provisions of Privacy Software Corporation's customer and website privacy policies, we cannot divulge email from our customers regarding their experiences with these trojan horse programs nor can we divulge their identities under any circumstances.

Free updates are available to existing BOClean customers of Privacy Software Corporation to include coverage of this new trojan horse exploit. Copies of BOClean version 2.01 now shipping already contain these updates. BOClean customers should visit the BOClean support page at http://www.nsclean.com/supboc.html for further details.
***********************************************************************************************************
(copied from the page http://post.blackbox.at/fcweb/Computertalk_Hackers/BONetbus_Infos.htm )
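The registry check recommended in "I THINK I HAVE NETBUS ON MY PC" above and described in more detail in the advisory's "MANUAL REMOVAL OF NETBUS SERVER" section can be automated against a registry export. The script below is an added example; it is not code from the original page, from Privacy Software Corporation or from the NetBus author. It parses REGEDIT4-style .reg text, looks only at the HKEY_LOCAL_MACHINE\...\CurrentVersion\Run key the page names, and flags entries that use the default server filename PATCH.EXE or carry a /nomsg or /noadd switch (the indicators given in the advisory), plus any entry not on an administrator's known-good list, since the advisory notes that knowledge of the machine's legitimate entries is needed. The KNOWN_GOOD set, the sample export and the "HypotheticalTool" entry are constructed assumptions for the demonstration.

```python
"""Scan a Windows registry export for NetBus-style autostart entries.

Added example, not code from the original page, from Privacy Software
Corporation or from the NetBus author. Indicators come from the page:
the server registers itself under HKLM\...\CurrentVersion\Run, ships by
default as PATCH.EXE (but may be renamed) and may carry a switch such as
/nomsg or /noadd. The allowlist and the sample export are constructed.
"""

RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

# Indicators named on the page.
DEFAULT_SERVER_NAMES = {"patch.exe"}
NETBUS_SWITCHES = {"/nomsg", "/noadd"}

# Constructed allowlist (assumption): value names the administrator has
# already verified as legitimate on this particular machine.
KNOWN_GOOD = {"systemtray", "scanregistry"}


def _unescape(data):
    """Strip the quotes of a REG_SZ value and undo .reg escaping."""
    if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
        data = data[1:-1]
    return data.replace('\\\\', '\\').replace('\\"', '"')


def parse_reg_export(text):
    """Parse REGEDIT4-style text into {key_path: {value_name: data}}."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]          # a new key section
            keys.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue                      # header or malformed line
        name, data = line.split("=", 1)
        keys[current][name.strip().strip('"')] = _unescape(data.strip())
    return keys


def split_command(data):
    """Split a Run value into (executable, switches), honouring a quoted path."""
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        if end != -1:
            return data[1:end], data[end + 1:].split()
    parts = data.split()
    return (parts[0], parts[1:]) if parts else ("", [])


def find_suspicious_run_entries(reg_text):
    """Return [(value_name, data, [reasons])] for Run entries worth a look."""
    findings = []
    for key, values in parse_reg_export(reg_text).items():
        if key.lower() != RUN_KEY.lower():
            continue                      # only the autostart key the page describes
        for name, data in values.items():
            exe, switches = split_command(data)
            basename = exe.replace("/", "\\").rsplit("\\", 1)[-1].lower()
            reasons = []
            if basename in DEFAULT_SERVER_NAMES:
                reasons.append("default NetBus server filename")
            if NETBUS_SWITCHES & {s.lower() for s in switches}:
                reasons.append("NetBus-style command switch")
            if not reasons and name.lower() in KNOWN_GOOD:
                continue                  # verified entry, nothing odd about it
            if not reasons:
                reasons.append("not on the known-good autostart list; review manually")
            findings.append((name, data, reasons))
    return findings


# Constructed sample export: two legitimate entries, two NetBus-like entries,
# one unreviewed entry, and an unrelated key that must be ignored.
SAMPLE_REG = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"Patch"="C:\\WINDOWS\\patch.exe /nomsg"
"catch"="\"C:\\WINDOWS\\SYSTEM\\catch.exe\" /noadd"
"HypotheticalTool"="C:\\TOOLS\\hypothetical.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Constructed\Example]
@="not an autostart key"
'''


if __name__ == "__main__":
    for name, data, reasons in find_suspicious_run_entries(SAMPLE_REG):
        print(f"{name!r} -> {data}")
        for reason in reasons:
            print(f"    - {reason}")
```

To use it on a real machine, export the Run key with regedit and pass the file's contents to find_suspicious_run_entries. A flagged entry is a candidate for investigation, not proof of NetBus: a renamed server with no switch will only show up as "not on the known-good list", which is why the allowlist has to reflect what the administrator has actually verified on that machine.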
_________________________________________________________________________________________________________________________________________________________
Links:
More about NetBus
The NetBus author's page
Back Orifice info