NetBus

Developer(s): Carl-Fredrik Neikter
Stable release: 2.01 Pro
Operating system: Microsoft Windows, UNIX-systems (v1.60 client only)
Type: Remote administration
License: Shareware
Website: www.tcp-ip-info.de/trojaner_und_viren/netbus_pro_eng.htm

NetBus or Netbus is a software program for remotely controlling a Microsoft Windows computer system over a network. It was created in 1998 and has been very controversial for its potential of being used as a trojan horse. [1] [2]

NetBus was written in Delphi by Carl-Fredrik Neikter, a Swedish programmer, in March 1998. [3] It was in wide circulation before Back Orifice was released in August 1998. The author claimed that the program was meant to be used for pranks, not for illegally breaking into computer systems. Translated from Swedish, the name means "NetPrank".

However, use of NetBus has had serious consequences. In 1999, NetBus was used to plant child pornography on the work computer of a law scholar at Lund University. The 3,500 images were discovered by system administrators, and the law scholar was assumed to have downloaded them knowingly. He lost his research position at the faculty and, following the publication of his name, fled the country and had to seek professional medical care to cope with the stress. He was acquitted of criminal charges in late 2004, as a court found that NetBus had been used to control his computer. [4]

There are two components to the client–server architecture. The server must be installed and run on the computer that should be remotely controlled. It was an .exe file with a file size of almost 500 KB. The name and icon varied a lot from version to version. Common names were "Patch.exe" and "SysEdit.exe". When started for the first time, the server would install itself on the host computer, including modifying the Windows registry so that it starts automatically on each system startup. The server is a faceless process listening for connections on port 12345 (in some versions, the port number can be adjusted). Port 12346 is used for some tasks, as well as port 20034.
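A defender's check for the indicators in this paragraph, as an added example that is not part of the original article: it scans `netstat -ano` output for TCP listeners on the three default ports and marks those whose process image matches the file names mentioned above. The sample output, the PID map and the name `find_listeners` are constructed for illustration, and English-locale netstat output is assumed.

```python
import re

# Default ports named in the article. Some versions allow the port to be
# changed, so an empty result does not rule the server out.
NETBUS_PORTS = {12345, 12346, 20034}
# Server file names the article lists as common (compared case-insensitively).
NETBUS_NAMES = {"patch.exe", "sysedit.exe"}
# One TCP LISTENING row of `netstat -ano`: proto, local addr:port, foreign, state, PID.
LISTEN_ROW = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$")

def find_listeners(netstat_text, pid_names=None):
    """Return one finding per TCP listener on a NetBus default port.

    pid_names is an optional {pid: image name} map, e.g. built from tasklist.
    """
    pid_names = pid_names or {}
    findings = []
    for line in netstat_text.splitlines():
        m = LISTEN_ROW.match(line)
        if not m:
            continue  # headers, UDP rows, non-listening sockets
        addr, port, pid = m.group(1), int(m.group(2)), int(m.group(3))
        if port in NETBUS_PORTS:
            image = pid_names.get(pid, "?")
            findings.append({"address": addr, "port": port, "pid": pid,
                             "image": image,
                             "name_match": image.lower() in NETBUS_NAMES})
    return findings

# Constructed sample input, not captured from a real host.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    0.0.0.0:12345          0.0.0.0:0              LISTENING       2316
  TCP    0.0.0.0:12346          0.0.0.0:0              LISTENING       2316
  TCP    192.168.1.20:49712     203.0.113.7:443        ESTABLISHED     4020
  TCP    [::]:20034             [::]:0                 LISTENING       5128
  UDP    0.0.0.0:12345          *:*                                    1500
"""
SAMPLE_PIDS = {884: "svchost.exe", 2316: "Patch.exe", 5128: "backupagent.exe"}

if __name__ == "__main__":
    for finding in find_listeners(SAMPLE_NETSTAT, SAMPLE_PIDS):
        print(finding)
```

A port hit on its own is only a lead, since legitimate software can listen on these ports; a port hit combined with a matching image name is the stronger signal.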

The client was a separate program presenting a graphical user interface that allowed the user to perform a number of activities on the remote computer. Examples of its capabilities:

The NetBus client was designed to support the following operating system versions:

The NetBus client (v1.70) works fine in Windows 2000 and in Windows XP as well. Major parts of the protocol used between the client and the server (in version 1.70) are textual.

NetBus 2.0 Pro was released in February 1999. It was marketed commercially as a powerful remote administration tool. It was less stealthy, but special hacked versions exist that make it possible to use it for illegal purposes.

All versions of the program were widely used by "script kiddies" and were popularized by the release of Back Orifice. Because of its smaller size, Back Orifice can be used to gain some access to a machine. The attacker can then use Back Orifice to install the NetBus server on the target computer. Most anti-virus programs detect and remove NetBus.

References

  1. Kulakow, Seth (2001). "NetBus 2.1, Is It Still a Trojan Horse or an Actual Valid Remote Control Administration Tool?". SANS Institute: Reading Room - Malicious Code. Retrieved 2020-03-26.
  2. William (Chuck) Easttom II (18 October 2013). Network Defense and Countermeasures: Principles and Practices. Pearson Education. pp. 262–. ISBN 978-0-13-338438-3.
  3. "NetBus". December 17, 2000. Retrieved 2021-08-01.
  4. "Offer för porrkupp" (in Swedish). Expressen. November 28, 2004. Archived from the original on June 21, 2009. Retrieved May 31, 2007.