[ISN] Hacker bit by Capitalism?

From: mea culpa (jerichoat_private)
Date: Sat Feb 20 1999 - 01:31:38 PST


Forwarded From: shadowvrai@trust-me.com

Hacker hit by capitalism?
By Bob Sullivan

New version of NetBus hacking tool “goes straight” — now author wants to charge for it
Feb. 19 — In an odd twist for the hacker world, an infamous tool called NetBus is going commercial. NetBus, like its better-known competitor Back Orifice, can allow ill-intentioned hackers to take control of any Windows95/98 or Windows NT computer attached to the Internet. Once installed, a NetBus user can open and close your CD-ROM drive door at will, play random sounds through your speakers, even watch you with your Webcam. But with NetBus 2.0 Pro, the author says he’s trying to distance himself from “virus associations.”

On Friday, NetBus author Carl-Fredrik Neikter released NetBus 2.0 Pro, and he’s trying to position the tool as a legitimate software “remote administration tool.” He even hopes to make money off it — in the spirit of shareware, he is requesting that users register the software for $12.

NetBus has been in circulation since March, even before the Cult of the Dead Cow hacker group released its Back Orifice tool. The new version has been making its way around the Internet in beta form for about a month but wasn’t officially released by its author until Friday.

Both NetBus and Back Orifice have two parts: the server, which runs on the victim’s machine; and the client, which is used to connect to the victim’s machine. The server must be installed before the remote administrator can practice any mayhem. That normally means the victim “invites” the abuse by double-clicking on an e-mail attachment and installing some program. Installing NetBus requires installation of a file called “patch.exe,” but NetBus often comes hidden inside a game, usually “whack-a-mole.” Once a recipient installs whack-a-mole, anyone running the NetBus administrator tool can do anything they want with the victim’s

NetBus differs from Back Orifice in two crucial ways — first, it can infect Windows NT machines; Back Orifice can’t. Second, it’s much larger than Back Orifice, so it’s not nearly as stealthy.

In fact, there’s a movement to make it not stealthy at all. In the standard version 2.0, the client no longer runs in “hidden” form, meaning an icon appears in the taskbar alerting the user that he or she is being “watched.” And the author has set up a Web site to promote the product and get away from those “virus associations.”

This blurring of the line between legitimate software and virus makes the world of anti-virus software much more confusing.
“This puts an interesting twist on the NetBus trojan,” said Dan Takata of Data Fellows, a maker of computer security products. “A hypothetical situation could be that a person purchases NetBus, then installs it on a system with Data Fellows F-Secure Anti-Virus, then anti-virus software immediately detects and deletes the NetBus which he just paid for. The question then is, is NetBus a legitimate program, and if so, should we avoid detection of NetBus?”

Takata on Friday said Data Fellows software will not detect version 2.0 because the company considers it commercial software now.

But don’t get too comfortable with it — Takata notes that there’s already a hacked version that allows NetBus to run hidden. And the author still calls it a “remote administration and spy tool” on the Web site. Neikter was not immediately available for comment.

NetBus, like software packages PCAnywhere and Carbon Copy, can be used for legitimate purposes — like troubleshooting a friend’s computer from a remote location.

But it’s just as easily used by pranksters, chiefly because it can “hide” on the victim’s computer. And according to one NetBus expert, there are so many unaware infected users out there that finding one takes only a matter of minutes.

“It’s a great administration tool. And of course ... having fun with friends as well. :)” wrote one user on the NetBus Web site.
[Image caption: The new "straight" NetBus]

Even the example of a good-natured user shows how alarmingly powerful NetBus can be. A user named “Blake” told MSNBC: “I give it to all the people who use their computers frequently so it is very useful, especially when I can tell what they are doing and they are slacking off. I wake them up with a loud wave file and tell them to get to work!!! It is

Aside from tricking a victim into installing NetBus, there are a few other challenges to taking control of a remote computer. NetBus needs to know the exact IP address of its victim. And it can be deterred by firewalls. But since NetBus can work on any virtual port, it can get through improperly configured firewalls. And since it has a scan tool, NetBus can quickly scan through a range of IP addresses to find infected machines (like searching through all addresses at a specific Internet service provider or college). To make it even easier, infected machines send out signals to help an administrator home in.
But random across-the-Net connections aren’t even the most serious threat posed by NetBus and other tools like it. The real danger is “the inside job” — such as employees monitoring their boss’s computer. It’s easy to trick someone in the office into installing a small program; and it’s equally easy to obtain their IP

“People always neglect the inside. It’s really designed for use inside a network,” Takata said.

Microsoft’s official position on NetBus is it “does not exploit any operating system security vulnerabilities, nor does it claim to.... The software runs in the security context of the user who installed it and has the same privileges on the machine as the installer. This is not unique to Netbus; it’s just a computer science fact that when a user runs a program, it can do whatever the user can do.”

And virus scanning software, if it’s updated, now recognizes Back Orifice and older versions of NetBus, preventing installation. But several members of the hacking community say these two tools are only “the tip of the iceberg” — there are at least a dozen other remote administration Trojan horse programs out there.

“I get e-mail from people and they say ‘I wrote a program like this a year ago, but I didn’t tell anybody, and it’s still out there and I still have 100 percent success,’” said Sir Dystic, author of Back Orifice. “That’s why we released Back Orifice. Everybody out there who thinks they’re safe — they’re not safe at all.”

And upgrades will keep coming. The Cult of the Dead Cow will release an upgraded version of Back Orifice, called BO2K, at the DefCon hacker trade show in July. It will run on Windows NT, and it will follow the open source code model, so it will be easy to duplicate.

This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:19:34 PDT