Tools |
NetBus was written by a Swedish programmer, Carl-Fredrik
Neikter, in March 1998. Version 1.5, in English, appeared in April. NetBus
apparently received little media attention, but it was in fairly wide use by the
time Back Orifice (BO) was released on 3 August 1998.
|
NetBus consists of two parts: a client program ("netbus.exe") and
a server program, usually named "patch.exe" (or "SysEdit.exe" with version 1.5x),
which is the actual backdoor. Version 1.60 uses port 12345 (TCP), which cannot be
changed; from version 1.70 on the port is configurable. When it is installed by a
"game" called "whackamole" (file name "whackjob.zip", containing the NetBus 1.53
server), the server is named "explore.exe". There is also a file called
whackjob17.zip, which installs the NetBus 1.70 server on port 12631 and is
password protected (password "ecoli"). In that package the server is dropped by
"game.exe" during the setup routine, again as "explore.exe" in the Windows
directory.
To start the server automatically, an entry is placed in the
registry under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,
normally with the option "/nomsg". If this entry is deleted, the server will not
be started with Windows.
The NetBus server is about 4 times as large as the Back Orifice
server, and generally less "stealthy." Unlike BO, NetBus is not designed to
attach virus-like to legitimate files or applications.
Like BO, the NetBus server can have practically any filename. The
usual way it is installed is through simple deception; the program is sent to
the victim, or offered on a website, and falsely represented as something it is
not. Occasionally it may be included in a setup package for a legitimate
application and executed in the process of that setup.
The unsuspecting victim runs the program either directly or by way
of the application used as camouflage, and it immediately installs itself and
begins to offer access to intruders.
NetBus always reveals its presence through an open listening port,
visible with netstat.exe. Because of this, many intruders delete netstat.exe
from the victim's hard drive immediately after gaining access. Keeping a copy or
two of netstat under other names is a good precaution against its loss, and a
regular check that netstat.exe is present, with its expected size and date, is
one means of spotting an intrusion. Attackers may also use BO as a means of
installing NetBus on the target system, since NetBus is sophisticated yet easy
to use.
Once access is gained, the intruder will often install other
backdoors, or FTP or HTTP daemons that open the victim's drive(s) to access, or
enable resource sharing on the network connection.
The v1.53 server opens two TCP ports numbered 12345 and 12346. It
listens on 12345 for a remote client and apparently responds via 12346. It will
respond to a Telnet connection on port 12345 with its name and version
number.
NetBus v1.53 is not extremely stealthy, but it is certainly
functional and effective.
The client can also scan a "Class C" range by appending
"+<number of hosts>" to the target address. Example:
255.255.255.1+254 scans 255.255.255.1 through 255.255.255.255.
By default, the v1.60 server is named Patch.exe; it may be
renamed. Its size is 461K (472,576 bytes). When the program is run, it stays
where it is and nothing appears to happen. Unlike v1.53, the original file can
then be deleted without consequence, because the server is already installed:
it has copied itself to the Windows directory, extracted a file called
KeyHook.dll from within itself, and activated both.
Run without added parameters, v1.60 is persistent; that is, it
executes on its own when the computer is restarted. It makes changes to the
Registry: it creates the key
HKEY_CURRENT_USER\PATCH, where PATCH is the server's filename without the
extension, and by default it places a value in the key
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Version 1.60, like v1.53, also creates the Registry keys
HKEY_CURRENT_USER\NETBUS and HKEY_CURRENT_USER\NETBUS\Settings
and places basically the same series of values in the Settings key.
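The registry footprint above is what a host triage should look for. The following is an added example, not code from the original page or from NetBus: it reads a .reg text export (the format regedit and "reg export" write), and flags Run values that launch one of the server names the page lists or carry the "/nomsg" switch, plus the NETBUS keys. SAMPLE_REG is constructed for the demonstration.

```python
"""Check a registry export for the NetBus persistence described above.

Added example, not from the original page. It assumes a text export in the
.reg format that regedit and 'reg export' produce, with the key and value names
the page lists; SAMPLE_REG below is constructed for the demonstration.
"""
import re
from pathlib import PureWindowsPath

RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
NETBUS_KEYS = (r"hkey_current_user\netbus", r"hkey_current_user\netbus\settings")
# Server file names the page lists for the various builds.
KNOWN_SERVER_NAMES = {"patch.exe", "sysedit.exe", "explore.exe"}

# Constructed export from an infected Windows 9x host.
SAMPLE_REG = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"Patch"="C:\\WINDOWS\\PATCH.EXE /nomsg"

[HKEY_CURRENT_USER\NETBUS\Settings]
"Port"="12345"
"""


def parse_reg_export(text: str) -> dict:
    """Parse .reg text into {key (lower-cased): {value name: data}}.

    String data is unescaped; other types (dword:, hex:) are kept verbatim.
    """
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("REGEDIT4", "Windows Registry Editor", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
            continue
        if current is None:
            continue
        m = re.fullmatch(r'("(?:[^"\\]|\\.)*"|@)=(.*)', line)
        if not m:
            continue
        name = "@" if m.group(1) == "@" else m.group(1)[1:-1]
        data = m.group(2)
        if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
            data = re.sub(r'\\(["\\])', r"\1", data[1:-1])
        keys[current][name] = data
    return keys


def command_executable(cmd: str) -> str:
    """Lower-cased base name of the program a Run value launches."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        path = cmd[1:end] if end > 0 else cmd[1:]
    else:
        path = cmd.split()[0] if cmd.split() else cmd
    return PureWindowsPath(path).name.lower()


def netbus_indicators(keys: dict) -> list:
    """Run values that look like the NetBus server, plus the keys it creates."""
    findings = []
    for name, cmd in keys.get(RUN_KEY, {}).items():
        if "/nomsg" in cmd.lower() or command_executable(cmd) in KNOWN_SERVER_NAMES:
            findings.append(f"Run value {name!r} starts: {cmd}")
    for key in NETBUS_KEYS:
        if key in keys:
            findings.append(f"key present: {key}")
    return findings


if __name__ == "__main__":
    for finding in netbus_indicators(parse_reg_export(SAMPLE_REG)):
        print(finding)
```

The file-name match is deliberately weak evidence on its own, since the server can be renamed; the "/nomsg" switch and the NETBUS keys are the stronger signals.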
The v1.60 server opens two TCP ports numbered 12345 and 12346. It
listens on 12345 for a remote client and apparently responds via 12346. It will
respond to a Telnet connection on port 12345 with its name and version
number.
Among the new features are greatly expanded file-handling
capabilities, an interactive message dialog, password setting and other server
controls, and new ways to tamper with the keyboard. Most of its tricks are
evident from this console display.
NetBus 1.7 was released to the public on 14 November 1998. It is basically
the same program as version 1.6, with additions: an ultra-fast port scanner,
the ability to redirect data to another host and port, an option to configure
the server executable with settings such as the TCP port and mail notification,
the ability to redirect the I/O of console applications to a specified TCP port,
and the ability to restrict access to a few IP addresses.
By default, the v1.70 server is named Patch.exe; it may be
renamed. Its default size is 483K (494,592 bytes); with configuration added, its
size grows, usually by a couple of hundred bytes. By default, the v1.70
server opens two TCP ports numbered 12345 and 12346. It listens on 12345 for a
remote client and apparently responds via 12346. It will respond to a Telnet
connection on port 12345 with its name and version number. It can, however, be
readily configured to use any other port from 1 to 65534. The port
configuration can be pre-set by the sender, and/or it can be changed from
remote. It also opens the next-numbered port in sequence, which it apparently
uses for responses to the client (which is why the upper bound is 65534 rather
than 65535).
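The three facts above (fixed default ports, a banner containing name and version on connect, and the client's "+N" range notation) are enough for a small hunting script. The following is an added example, not code from the original page or from NetBus itself. It assumes that a 1.x server greets a raw TCP client with a line beginning "NetBus <version>" (the page only says it answers with its name and version), that "netstat -an" output has the Windows column layout shown in SAMPLE_NETSTAT, and that "a.b.c.d+N" means the N hosts after a.b.c.d; the netstat sample and the local stand-in server are constructed so the code runs offline.

```python
"""Triage helpers for the NetBus indicators described above.

Added example, not part of the original page or of NetBus itself. It assumes:
  * a v1.x server greets a raw TCP client with a line starting "NetBus <version>"
    (the page says it answers a Telnet connection with its name and version);
  * 'netstat -an' output in the Windows column layout shown in SAMPLE_NETSTAT;
  * the client's "a.b.c.d+N" notation means the N hosts after a.b.c.d.
"""
import re
import socket
import threading

# Ports the v1.53/v1.60 servers open; v1.70 can be reconfigured, so the caller
# may pass any port and the banner check does the real identification.
NETBUS_DEFAULT_PORTS = frozenset({12345, 12346})

# Constructed sample of 'netstat -an' output from an infected host.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:12345          0.0.0.0:0              LISTENING
  TCP    0.0.0.0:12346          0.0.0.0:0              LISTENING
  TCP    192.0.2.10:1037        198.51.100.7:80        ESTABLISHED
"""

_NETSTAT_LINE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s*$", re.I)
_BANNER = re.compile(rb"^NetBus\s+(\d+\.\d+)")


def expand_plus_notation(target: str) -> list:
    """Expand 'a.b.c.d+N' into a list of hosts; a plain address is returned as-is.

    The page's example 255.255.255.1+254 covers .1 through .255, i.e. the start
    address plus the next N, clipped so the last octet never exceeds 255.
    """
    m = re.fullmatch(r"(\d{1,3}\.\d{1,3}\.\d{1,3}\.)(\d{1,3})\+(\d+)", target)
    if not m:
        return [target]
    prefix, start, count = m.group(1), int(m.group(2)), int(m.group(3))
    return [f"{prefix}{i}" for i in range(start, min(start + count, 255) + 1)]


def suspicious_listeners(netstat_output: str, ports=NETBUS_DEFAULT_PORTS) -> list:
    """Return (local_address, port) for LISTENING TCP sockets on NetBus ports."""
    hits = []
    for line in netstat_output.splitlines():
        m = _NETSTAT_LINE.match(line)
        if m and int(m.group(2)) in ports:
            hits.append((m.group(1), int(m.group(2))))
    return hits


def grab_banner(host: str, port: int, timeout: float = 3.0) -> bytes:
    """Connect and read whatever the service volunteers before we send anything."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.settimeout(timeout)
        try:
            return s.recv(64)
        except socket.timeout:
            return b""


def identify_netbus(banner: bytes):
    """Return the version string if the greeting looks like a NetBus 1.x server, else None."""
    m = _BANNER.match(banner.strip())
    return m.group(1).decode() if m else None


def fake_netbus_server(banner: bytes) -> int:
    """Constructed stand-in for a server that greets on connect (offline testing only).

    Accepts one connection on 127.0.0.1 and returns the ephemeral port it was given.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        with conn:
            conn.sendall(banner)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    print("listeners on NetBus ports:", suspicious_listeners(SAMPLE_NETSTAT))
    print("scan targets:", expand_plus_notation("192.0.2.1+5"))
    port = fake_netbus_server(b"NetBus 1.70\r\n")
    print("banner says version:", identify_netbus(grab_banner("127.0.0.1", port)))
```

Since v1.70 can listen on any port and may be password protected, a listener on 12345 is only a hint; the banner check is what confirms it, and a negative banner on the default ports does not rule out a server moved to another port (or one whose netstat has been deleted, as the page warns).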
When the v1.70 server is contacted by a remote user, it creates
two files named Hosts.txt and Memo.txt in the same directory as the running
server. Hosts.txt lists the hosts that have contacted the server, if logging
is enabled, and the remote user can leave a memo for himself in Memo.txt.
If the server file has been pre-configured by the sender, it creates yet
another file, always in the Windows directory: IP.txt lists all text and
commands received on the port on which NetBus is listening, with date, time
and originating IP address.
It can be instructed to send an email the first time it runs, to notify its
owner of the installation. If IP logging is enabled, it writes all commands and
IP addresses to IP.TXT. Another file, "Access.txt", contains the list of IP
addresses permitted to connect to the NetBus server.
NetBus can now redirect input arriving on a specified port to
another IP address via the server machine. This means the remote user can do
mischief on a third machine somewhere on the Net, and his connection will
appear to come from the redirecting host.
NetBus 2.0 Pro (often just called "NetBus 2.0"), the latest
version of this well-known backdoor, was released after Spector took over
NetBus. The new version is therefore shareware and requires the user's
permission for installation. However, hackers have released variations such as
Retail_10.exe, which poses as an incomplete ICQ patch but instead installs the
NetBus 2.0 server in invisible, auto-starting mode, and even deletes the data
logged by the server.
Note |
Wrappers are used to bind the Trojan executable to a
legitimate file. The attacker can also compress any DOS/Windows binary with a
tool like "petite.exe", which decompresses the packed executable at run time.
This lets the Trojan get in virtually undetected, since most antivirus scanners
cannot match their signatures against the packed file.
|
The attacker can also combine several executables into one.
Such wrappers may support functions like running one file in the
background while another runs on the desktop.
Technically speaking, wrappers are another type of software "glueware"
used to attach software components together: a wrapper encapsulates a single
data source to make it usable in a more convenient fashion than the original,
unwrapped source.
Users can be tricked into installing Trojan horses by being
enticed or frightened. For example, a Trojan horse might arrive in email
described as a computer game. When the user receives the mail, they may be
enticed by the description of the game to install it. Although it may in fact be
a game, it may also be taking other action that is not readily apparent to the
user, such as deleting files or mailing sensitive information to the
attacker.
Tools |
Graffiti.exe is an example of a legitimate program that can be
used to drop a Trojan onto the target system. It runs as soon as Windows
boots and, on execution, keeps the user distracted for a given period of time
by running on the desktop.
|
This allows the Trojan executable to run in the background and
make the changes it needs to. Graffiti itself does not touch the registry; all
its settings are in one .ini file created in the same folder as the software.
The only options available to the viewer are:
- Left mouse click: exit Graffiti
- Esc and Space: exit Graffiti
- Right mouse click: display next message
- Alt-N: display next message
Tools |
eLiTeWrap is an EXE wrapper, used to pack files into an
archive executable that can extract and execute them in specified ways when the
packfile is run. For example, you could create a setup program that would
extract files to a directory and execute programs or batch files to display
help, copy files, etc.
|
The advantages eLiTeWrap has over other common self-extractor
programs and EXE wrappers are:
Programs in the packfile can be extracted without being started. Unlike
many EXE wrappers, files can be automatically extracted into a temporary
directory, from where other programs in the packfile or on the user's system can
manipulate them.
Programs inside the packfile and on the user's system can be
started automatically. Unlike many self-extractor utilities, eLiTeWrap can
start any number of programs, whether contained in the packfile or already on
the user's system.
Programs (packed and external) can be started visibly or hidden
from the user; programs that need no user input can run completely hidden.
Programs can be started synchronously or asynchronously: the packfile can be
made to wait for a program to finish before the rest of the files are
processed. Script files can be written to automate the creation of packfiles.
Full CRC-32 checking is built in: 32-bit cyclic redundancy checks are
performed to ensure that files are complete, undamaged, and have not been
tampered with. Packfiles are produced with an icon, and provided CRC-32
checking is disabled, the icon can be changed in any resource editor, such as
those supplied with the Microsoft and Borland development environments.
Tools |
Icon Plus is a conversion program for translating icons
between various formats.
|
Icon Plus can read and save Windows XP icons and can also be
driven from the command prompt. An attacker can use this kind of application
to disguise malicious code or a Trojan so that users are tricked into
executing it.
Numerous icon libraries on the Internet allow a user to change icons to
suit various operating systems by mimicking their look and feel.
Tools |
Restorator is a versatile skin editor for any Win32 program: it
changes images, icons, text, sounds, videos, dialogs, menus and other parts of
the user interface. With it one can create one's own User-styled Custom
Applications (UCA).
|
The relevance of discussing this tool here arises from its ability
to modify the user interface of any 32-bit Windows program and thus create
UCAs. The user can view, extract and change images, icons, text, dialogs,
sounds, videos, menus and much more.
Technically speaking, it lets the user edit the resources in many
file types, for example exe, dll, res, ocx (ActiveX) and scr (screen saver).
Screen savers have been popular Trojan carriers. The attacker can distribute
his modifications as a small, self-executing file, the ResPatcher: it is small,
its recipient need not have Restorator installed, and the attacker need not
hand over the complete exe or dll, which makes it a powerful tool. It is a
stand-alone program that re-applies the modifications made to a program.
Restorator has many built-in tools; powerful find and grab
functions let the user retrieve resources from all files on their disks.
One example is a program modified with Restorator and sent to the
intended victim. This may be a screen saver, a skin for a media player, or
even an innocent-looking attachment.
We have seen how Notepad was used by QAZ. In Windows, OLE is a
simple concept that allows data from one type of file or document to be
included within another, and lets multiple applications on the same desktop
share information.
This makes it possible to transport "objects" embedded in an application
from one place to another, embedding them as seen fit. OLE provides for this
with a file format of its own that holds the embedded data in a sort of
"wrapper". We will look at how WordPad can be used to hide Notepad and
execute it when the object is opened.
Attack Methods |
To begin, open WordPad. Using the mouse, drag and drop
Notepad.exe into the WordPad window. Double-clicking the embedded icon opens
Notepad. Now right-click the Notepad icon within WordPad and copy it to the
desktop.
|
The icon that appears is very similar to the default text icon, and it
can be changed through the properties box. By default the file is named simply
"Scrap", with no extension shown even if Windows is set to show all file
extensions: the .shs extension is suppressed because the Shell Scrap file class
in the registry carries the NeverShowExt flag. Rename it to "Read me" and it
passes easily for a genuine text file; double-clicking it opens the Notepad
program stored inside the scrap object.
Even if the object in a scrap file is not executable, a command
can be associated with the object that will be executed when it is
double-clicked. This makes it simple for files to masquerade as another file
type.
Is it possible for an attacker to trick the target into loading
the Trojan while booting or while installing some other application?
Attack Methods |
Obviously, this has been thought of in more than one way.
One way of infecting the target machine is to use the CD auto-start function,
by "gifting" a CD, lending an infected CD, or having physical access to the
system.
|
The Autorun.inf file placed on such a CD can be configured to
execute the Trojan, which makes it possible to infect a machine while the real
setup program runs. It looks like this:
[autorun]
Open=setup.exe
Icon=setup.exe
The countermeasure is to disable the auto-start functionality. On
Windows 9x:
Start Button -> Settings -> Control Panel -> System -> Device Manager -> CDROM -> Properties -> Settings
and clear "Auto Insert Notification". On the NT family (NT/2000/XP) the
equivalent is the NoDriveTypeAutoRun policy value under
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer
(0xFF disables AutoRun for every drive type). Note that this stops only the
automatic run on insertion; on older releases the Autorun.inf's default shell
verb could still be triggered by double-clicking the drive, so the drive's
context menu is worth checking as well.
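Reading an Autorun.inf from a suspect disc is quicker than inserting it. The following is an added example, not code from the original page: it parses the [autorun] section and lists every command the disc could cause to run (Open=, ShellExecute= and shell\<verb>\command= entries), and flags the disguise where the icon file differs from the program launched. Both .inf samples are constructed; the second uses the "explore.exe" server name the page mentions.

```python
"""Show what an Autorun.inf would launch, as discussed above.

Added example, not from the original page. It assumes the [autorun] keys Windows
honours for CD AutoRun: open=, shellexecute= and shell\<verb>\command=; the two
.inf samples are constructed for the demonstration.
"""

# The benign file the page shows, as a constructed sample.
CLEAN_INF = """\
[autorun]
Open=setup.exe
Icon=setup.exe
"""

# Constructed: shows setup's icon but launches the NetBus server instead.
TROJANED_INF = """\
[autorun]
open=explore.exe /nomsg
icon=setup.exe,0
shell\\install\\command=explore.exe /nomsg
shell=install
"""


def parse_autorun(text: str) -> dict:
    """Minimal INI reader for the [autorun] section: lower-cased keys -> raw values."""
    entries, in_autorun = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries


def launch_candidates(entries: dict) -> list:
    """Every command AutoRun or the drive's context menu could run, as (key, command)."""
    out = []
    for key in ("open", "shellexecute"):
        if key in entries:
            out.append((key, entries[key]))
    for key, value in entries.items():
        if key.startswith("shell\\") and key.endswith("\\command"):
            out.append((key, value))
    return out


def icon_mismatch(entries: dict) -> bool:
    """True when the icon file differs from the program run, a common disguise."""
    prog = entries.get("open", "").split()[:1]
    icon = entries.get("icon", "").split(",")[0].strip()
    return bool(prog) and bool(icon) and prog[0].lower() != icon.lower()


if __name__ == "__main__":
    for label, text in (("clean", CLEAN_INF), ("trojaned", TROJANED_INF)):
        entries = parse_autorun(text)
        print(label, launch_candidates(entries), "icon mismatch:", icon_mismatch(entries))
```

The icon check is a heuristic only: a legitimate disc may well point Icon= at a separate .ico file, so treat a mismatch as a reason to look at the launched program, not as proof of tampering.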