[ISN] NetBus 'Trojan' Splits Security Community

From: mea culpa (jerichoat_private)
Date: Wed Mar 03 1999 - 03:25:13 PST

  • Next message: mea culpa: "[ISN] Cracking Tools Get Smarter"

    NetBus 'Trojan' Splits Security Community
    (03/02/99, 7:46 p.m. ET)
    By Lee Kimber, Network Week
    Internet-connected networks could be left vulnerable to Trojan attacks
    because leading anti-virus software vendors have said they won't scan and
    disable a new, more powerful NetBus Trojan. 
    Remote-control programs like NetBus were dubbed Trojans because they could
    be hidden on computers by crackers. The latest version of NetBus has split
    network-security experts because its author said it was not a Trojan as it
    remained visible. 
    But crackers reportedly rewrote it to make it invisible within days of its
    Data Fellows and Sophos said their anti-virus products would not disable
    the recently launched remote-control Trojan NetBus 2 Pro because its
    Swedish author Carl-Fredrik Neikter was a professional who now charged $12
    for a legitimate shareware product. 
    "NetBus 2.0 Pro is not detected as it is now commercial software,"
    according to a spokesman for Data Fellows' European office in Finland.
    "NetBus 1.x up to 1.7 was detected by anti-virus scanner F-Secure but not
    NetBus 2.0" 
    Data Fellows' website reported that earlier NetBus versions were used
    frequently to steal data and delete files on people's machines. 
    NetBus lets crackers to take remote control of networked PCs, but
    publicity over its spread has been eclipsed by the Back Orifice
    remote-control Trojan written by hacker group Cult of the Dead Cow. 
    But unlike Back Orifice, NetBus can infect Windows NT machines and is more
    easily configured. And Neikter described it himself as a "remote
    administration and spy tool." 
    His promotional material also mentioned NetBus provided the ability to
    change files and registries.  Neikter could not be contacted for comment. 
    Sophos confirmed it also would not offer NetBus support. 
    "It is a commercial product and it looks extremely professionally written.
    You can use these products for lawful or unlawful purposes," said Jan
    Hruska, Sophos technical director. 
    He added Sophos products did not scan for earlier versions of NetBus but
    the company would make a scanning tool available that people could use if
    they want to. 
    But rival vendor Network Associates said it believed NetBus was aimed at
    young crackers and joined with other vendors to commit to detecting and
    removing the Trojan in Dr Solomon's and McAfee anti-virus products. 
    "We're carrying on detecting it," said the company's anti-virus consultant
    Jack Clark. 
    "We don't believe a commercial application would have a section in the
    manual that says 'have fun with your friends' and has the ability to pop
    out the CD tray on users' machines," he added. 
    And asked if Symantec would update its software to detect the Trojan,
    Symantec technical manager Kevin Street replied: "Absolutely. We've
    already got it sorted out, so why would we remove it?" 
    Subscribe: mail majordomoat_private with "subscribe isn".
    Today's ISN Sponsor: Internet Security Institute [www.isi-sec.com]

    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:20:09 PDT