Forwarded From: shadowvrai@trust-me.com

Hacker hit by capitalism?
By Bob Sullivan
MSNBC

New version of NetBus hacking tool “goes straight” — now author wants to charge for it

Feb. 19 — In an odd twist for the hacker world, an infamous tool called NetBus is going commercial. NetBus, like its better-known competitor Back Orifice, can allow ill-intentioned hackers to take control of any Windows 95/98 or Windows NT computer attached to the Internet. Once installed, a NetBus user can open and close your CD-ROM drive door at will, play random sounds through your speakers, even watch you with your Webcam. But with NetBus 2.0 Pro, the author says he’s trying to distance himself from “virus associations.”

ON FRIDAY, NETBUS author Carl-Fredrik Neikter released NetBus 2.0 Pro, and he’s trying to position the tool as a legitimate software “remote administration tool.” He even hopes to make money off it — in the spirit of shareware, he is requesting that users register the software for $12.

NetBus has been in circulation since March, even before the Cult of the Dead Cow hacker group released its Back Orifice tool. The new version has been making its way around the Internet in beta form for about a month but wasn’t officially released by its author until Friday.

Both NetBus and Back Orifice have two parts: the server, which runs on the victim’s machine; and the client, which is used to connect to the victim’s machine. The server must be installed before the remote administrator can practice any mayhem. That normally means the victim “invites” the abuse by double-clicking on an e-mail attachment and installing some program. Installing NetBus requires installation of a file called “patch.exe,” but NetBus often comes hidden inside a game, usually “whack-a-mole.” Once a recipient installs whack-a-mole, anyone running the NetBus administrator tool can do anything they want with the victim’s machine.
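The two-part design described above means the server half has to sit on the victim’s machine waiting for a client to connect, and a defender can look for exactly that: a process accepting inbound connections that nobody sanctioned. The script below is an added example written for this archive, not code from the article or from any of the products it names. It parses constructed lines in the shape of Windows `netstat -ano` output, joins them to a constructed PID-to-image table, and reports listeners whose process is not on an allowlist. It deliberately keys on the owning process rather than on a “known trojan port,” because, as the article notes further down, the server can be made to use any port, and a sanctioned remote-administration host looks identical at the socket level. The image names, PIDs, ports and the allowlist are all assumptions for the example; only “patch.exe” comes from the article.

```python
import re
from dataclasses import dataclass

# Constructed sample in the shape of `netstat -ano` output. Not captured from a real host.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       452
  TCP    0.0.0.0:5631           0.0.0.0:0              LISTENING       1288
  TCP    0.0.0.0:23987          0.0.0.0:0              LISTENING       1704
  TCP    10.0.0.5:1044          10.0.0.9:80            ESTABLISHED     980
  UDP    0.0.0.0:137            *:*                                    4
"""

# Constructed PID -> image-name table, as a process listing would give it.
SAMPLE_PROCESSES = {
    452: "svchost.exe",
    1288: "awhost32.exe",   # hypothetical: a remote-administration host the site sanctioned
    1704: "patch.exe",      # the installer name the article mentions
    980: "iexplore.exe",
    4: "System",
}

# Hypothetical allowlist of images permitted to accept inbound connections.
# A real one comes from the site's own inventory, not from this example.
SANCTIONED_LISTENERS = {"svchost.exe", "awhost32.exe", "System"}


@dataclass(frozen=True)
class Listener:
    proto: str
    port: int
    pid: int
    image: str


# proto, local address, local port, optional state (absent for UDP), PID
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+\S+\s+(?:(\S+)\s+)?(\d+)\s*$")


def parse_listeners(netstat_text, processes):
    """Return every socket that is waiting for inbound traffic, joined to its owning image."""
    found = []
    for line in netstat_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header line, or a row in a shape we do not understand
        proto, _addr, port, state, pid = m.groups()
        if proto == "TCP" and state != "LISTENING":
            continue  # an established or outbound connection, not a service awaiting a client
        pid = int(pid)
        found.append(Listener(proto, int(port), pid, processes.get(pid, "<unknown>")))
    return found


def unsanctioned_listeners(listeners, sanctioned):
    """Listeners whose owning image is not on the allowlist, regardless of port number."""
    return [l for l in listeners if l.image not in sanctioned]


def report(netstat_text=SAMPLE_NETSTAT, processes=SAMPLE_PROCESSES, sanctioned=SANCTIONED_LISTENERS):
    """One line per unexpected listener, suitable for a ticket or a log entry."""
    hits = unsanctioned_listeners(parse_listeners(netstat_text, processes), sanctioned)
    return [f"{h.image} (pid {h.pid}) is listening on {h.proto}/{h.port} and is not sanctioned"
            for h in hits]


if __name__ == "__main__":
    for line in report():
        print(line)
```

The allowlist is what turns this from a port scanner into a policy check: a legitimate package such as PCAnywhere and a hidden NetBus server both show up as “some process listening,” and only the site’s decision about which images are allowed to do that separates them.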
NetBus differs from Back Orifice in two crucial ways — first, it can infect Windows NT machines; Back Orifice can’t. Second, it’s much larger than Back Orifice, so it’s not nearly as stealthy. In fact, there’s a movement to make it not stealthy at all. In the standard version 2.0, the client no longer runs in “hidden” form, meaning an icon appears in the taskbar alerting the user that he or she is being “watched.” And the author has set up a Web site to promote the product and get away from those “virus associations.”

This blurring of the line between legitimate software and virus makes the world of anti-virus software much more confusing.

“This puts an interesting twist on the NetBus trojan,” said Dan Takata of Data Fellows, a maker of computer security products. “A hypothetical situation could be that a person purchases NetBus, then installs it on a system with DataFellows F-Secure Anti-Virus, then anti-virus software immediately detects and deletes the NetBus which he just paid for. The question then is NetBus a legitimate program, and if so, should we avoid detection of NetBus?”

Takata on Friday said Data Fellows software will not detect version 2.0 because the company considers it commercial software now. But don’t get too comfortable with it — Takata notes that there’s already a hacked version that allows NetBus to run hidden. And the author still calls it a “remote administration and spy tool” on the Web site. Neikter was not immediately available for comment.

NetBus, like software packages PCAnywhere and Carbon Copy, can be used for legitimate purposes — like troubleshooting a friend’s computer from a remote location. But it’s just as easily used by pranksters, chiefly because it can “hide” on the victim’s computer. And according to one NetBus expert, there are so many unaware infected users out there that finding one takes only a matter of minutes.

“It’s a great administration tool. And of course ... having fun with friends as well.
:)” wrote one user on the NetBus Web site.

[Image caption: The new “straight” NetBus]

Even the example of a good-natured user shows how alarmingly powerful NetBus can be. A user named “Blake” told MSNBC: “I give it to all the people who use their computers frequently so it is very useful, especially when I can tell what they are doing and they are slacking off. I wake them up with a loud wave file and tell them to get to work!!! It is fun.”

Aside from tricking a victim into installing NetBus, there are a few other challenges to taking control of a remote computer. NetBus needs to know the exact IP address of its victim. And it can be deterred by firewalls. But since NetBus can work on any virtual port, it can get through improperly configured firewalls. And since it has a scan tool, NetBus can quickly scan through a range of IP addresses to find infected machines (like searching through all addresses at a specific Internet service provider or college). To make it even easier, infected machines send out signals to help an administrator home in.

But random across-the-Net connections aren’t even the most serious threat posed by NetBus and other tools like it. The real danger is “the inside job” — such as employees monitoring their boss’s computer. It’s easy to trick someone in the office into installing a small program; and it’s equally easy to obtain their IP address.

“People always neglect the inside. It’s really designed for use inside a network,” Takata said.

Microsoft’s official position on NetBus is it “does not exploit any operating system security vulnerabilities, nor does it claim to.... The software runs in the security context of the user who installed it and has the same privileges on the machine as the installer.
This is not unique to Netbus; it’s just a computer science fact that when a user runs a program, it can do whatever the user can do.”

And virus scanning software, if it’s updated, now recognizes Back Orifice and older versions of NetBus, preventing installation. But several members of the hacking community say these two tools are only “the tip of the iceberg” — there are at least a dozen other remote administration Trojan horse programs out there.

“I get e-mail from people and they say ‘I wrote a program like this a year ago, but I didn’t tell anybody, and it’s still out there and I still have 100 percent success,’ ” said Sir Dystic, author of Back Orifice. “That’s why we released Back Orifice. Everybody out there who thinks they’re safe — they’re not safe at all.”

And upgrades will keep coming. The Cult of the Dead Cow will release an upgraded version of Back Orifice, called BO2K, at the DefCon hacker trade show in July. It will run on Windows NT, and it will follow the open source code model, so it will be easy to duplicate.

-o-
Subscribe: mail majordomoat_private with "subscribe isn".
Today's ISN Sponsor: Internet Security Institute [www.isi-sec.com]
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:19:34 PDT