NetBus 'Trojan' Splits Security Community (03/02/99, 7:46 p.m. ET) By Lee Kimber, Network Week Internet-connected networks could be left vulnerable to Trojan attacks because leading anti-virus software vendors have said they won't scan and disable a new, more powerful NetBus Trojan. Remote-control programs like NetBus were dubbed Trojans because they could be hidden on computers by crackers. The latest version of NetBus has split network-security experts because its author said it was not a Trojan as it remained visible. But crackers reportedly rewrote it to make it invisible within days of its launch. Data Fellows and Sophos said their anti-virus products would not disable the recently launched remote-control Trojan NetBus 2 Pro because its Swedish author Carl-Fredrik Neikter was a professional who now charged $12 for a legitimate shareware product. "NetBus 2.0 Pro is not detected as it is now commercial software," according to a spokesman for Data Fellows' European office in Finland. "NetBus 1.x up to 1.7 was detected by anti-virus scanner F-Secure but not NetBus 2.0" Data Fellows' website reported that earlier NetBus versions were used frequently to steal data and delete files on people's machines. NetBus lets crackers to take remote control of networked PCs, but publicity over its spread has been eclipsed by the Back Orifice remote-control Trojan written by hacker group Cult of the Dead Cow. But unlike Back Orifice, NetBus can infect Windows NT machines and is more easily configured. And Neikter described it himself as a "remote administration and spy tool." His promotional material also mentioned NetBus provided the ability to change files and registries. Neikter could not be contacted for comment. Sophos confirmed it also would not offer NetBus support. "It is a commercial product and it looks extremely professionally written. You can use these products for lawful or unlawful purposes," said Jan Hruska, Sophos technical director. He added Sophos products did not scan for earlier versions of NetBus but the company would make a scanning tool available that people could use if they want to. But rival vendor Network Associates said it believed NetBus was aimed at young crackers and joined with other vendors to commit to detecting and removing the Trojan in Dr Solomon's and McAfee anti-virus products. "We're carrying on detecting it," said the company's anti-virus consultant Jack Clark. "We don't believe a commercial application would have a section in the manual that says 'have fun with your friends' and has the ability to pop out the CD tray on users' machines," he added. And asked if Symantec would update its software to detect the Trojan, Symantec technical manager Kevin Street replied: "Absolutely. We've already got it sorted out, so why would we remove it?" -o- Subscribe: mail majordomoat_private with "subscribe isn". Today's ISN Sponsor: Internet Security Institute [www.isi-sec.com]
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:20:09 PDT