NetBus
NetBus or Netbus is a software program for remotely controlling a Microsoft Windows computer system over a network. It was created in 1998 and has been very controversial for its potential to be used as a backdoor.
NetBus was written in Delphi by Carl-Fredrik Neikter, a Swedish programmer, in March 1998. It was in wide circulation before Back Orifice was released in August 1998. The author claimed that the program was meant to be used for pranks, not for illegally breaking into computer systems. Translated from Swedish, the name means "NetPrank".
However, use of NetBus has had serious consequences. In 1999, NetBus was used to plant child pornography on the work computer of a law scholar at Lund University. The 3,500 images were discovered by system administrators, and the law scholar was assumed to have downloaded them knowingly. He lost his research position at the faculty and, following the publication of his name, fled the country and had to seek professional medical care to cope with the stress. He was acquitted of criminal charges in late 2004, as a court found that NetBus had been used to control his computer.
There are two components to the client–server architecture. The server must be installed and run on the computer that should be remotely controlled. It was an .exe file with a file size of almost 500 KB. The name and icon varied a lot from version to version. Common names were "Patch.exe" and "SysEdit.exe". When started for the first time, the server would install itself on the host computer, including modifying the Windows registry so that it starts automatically on each system startup. The server is a faceless process listening for connections on port 12345 (in some versions, the port number can be adjusted). Port 12346 is used for some tasks, as well as port 20034.
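
A defender's triage check built on the indicators above (ports 12345, 12346 and 20034, and the file names Patch.exe and SysEdit.exe), as an added example that is not part of the original article: it parses `netstat -ano` and `tasklist /fo csv /nh` output and flags local sockets on those ports. The sample output, addresses, PIDs and the backupagent.exe process are constructed for illustration.

```python
import csv
import io

# Indicators stated in the article: default server ports and common file names.
NETBUS_PORTS = {12345, 12346, 20034}
NETBUS_NAMES = {"patch.exe", "sysedit.exe"}

# Constructed sample of `netstat -ano` output (not captured from a real host).
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    0.0.0.0:12345          0.0.0.0:0              LISTENING       2316
  TCP    192.0.2.10:12345       198.51.100.7:49822     ESTABLISHED     2316
  TCP    0.0.0.0:12346          0.0.0.0:0              LISTENING       5120
  TCP    192.0.2.10:50112       203.0.113.5:12345      ESTABLISHED     4020
  TCP    [::]:20034             [::]:0                 LISTENING       2316
"""
# Constructed sample of `tasklist /fo csv /nh` output.
SAMPLE_TASKLIST = '''\
"svchost.exe","884","Services","0","9,120 K"
"Patch.exe","2316","Console","1","3,004 K"
"chrome.exe","4020","Console","1","88,210 K"
"backupagent.exe","5120","Services","0","12,480 K"
'''

def parse_tasklist(text):
    """Map PID -> image name from CSV-formatted tasklist output."""
    return {int(r[1]): r[0] for r in csv.reader(io.StringIO(text)) if len(r) >= 2}

def find_suspect_sockets(netstat_text, pid_names):
    """Return (port, state, pid, image, severity) for local NetBus-port sockets."""
    findings = []
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[0] != "TCP":
            continue  # header, UDP rows and blank lines
        _, local, _, state, pid = parts
        port = int(local.rsplit(":", 1)[1])  # local side only; also handles [::]:port
        if port not in NETBUS_PORTS:
            continue  # an outbound connection *to* 12345 is not a local server
        image = pid_names.get(int(pid), "unknown")
        # The port alone is weak evidence (other software may use it); the
        # port plus a known server file name is a much stronger signal.
        severity = "high" if image.lower() in NETBUS_NAMES else "review"
        findings.append((port, state, int(pid), image, severity))
    return findings

if __name__ == "__main__":
    for f in find_suspect_sockets(SAMPLE_NETSTAT, parse_tasklist(SAMPLE_TASKLIST)):
        print(f)
```
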
The client was a separate program presenting a graphical user interface that allowed the user to perform a number of activities on the remote computer. Examples of its capabilities:
- Keystroke logging
- Keystroke injection
- Screen captures
- Program launching
- File browsing
- Shutting down the system
- Opening / closing CD-tray
- Tunneling protocol (NetBus connections through a number of systems.)
The NetBus client was designed to support the following operating system versions:
- Windows 95
- Windows 98
- Windows ME
- Windows NT 4.0
Netbus client (v1.70) works fine in Windows 2000 and in Windows XP as well. Major parts of the protocol used between the client and the server (in version 1.70) are textual. Thus the server can be controlled by typing human-understandable commands over a raw TCP connection. This is more difficult than using the client application, yet it allows one to administer computers with NetBus from operating environments other than Windows, or when the original client is not available. Some features (such as screen capture) require an application capable of accepting binary data, such as netcat. Most of the more common protocols (such as the Internet Relay Chat protocol, POP3, SMTP, HTTP) can also be used over a raw connection in a similar way.
NetBus 2.0 Pro was released in February 1999. It was marketed commercially as a powerful remote administration tool. It was less stealthy, but special hacked versions exist that make it possible to use it for illegal purposes.
All versions of the program were widely used by "script kiddies" and were popularized by the release of Back Orifice. Because of its smaller size, Back Orifice can be used to gain some access to a machine. The attacker can then use Back Orifice to install the NetBus server on the target computer. Most anti-virus programs detect and remove NetBus.
There is also a tool called NetBuster. It pretends to be a running NetBus server, but causes connecting NetBus clients to crash. Additionally, a program called NetBusterBuster could be used to crash a remote NetBuster.
External links
- Information about Back Orifice and NetBus — Information from anti-virus vendor Symantec