NetBus

Okay today I want to talk about NetBus. It is the last of the remote control programs I am researching. The others were Back Orifice and SubSeven. NetBus is translated as Net Prank from the Swedish name. It was created back in 1998 by Carl-Fredrik Neikter of Sweden. He also goes by the handle "cd".

The program was distributed by Cult of the Dead Cow. Apparently it was distributed in a Trojan fashion as part of a whack-a-mole game. Some say NetBus is one of the most famous Trojans. The program is not a virus. The user needs to install the program. It installs to the Windows directory just like other Trojans that try to hide from sight.

NetBus was written in the Pascal programming language using the Delphi development tool. It had a relatively large 500kb footprint. Its release predated Back Orifice. The name of the server program is "patch.exe" or "sysedit.exe". Legit sounding names right? Communication is done over TCP/IP ports 12345, 12346, or 20034. The client is GUI based. The original version worked on Windows 95/98/ME/NT. Later updates ported it to Windows 2000 and XP. Further versions were actually sold as commercial products.

NetBus is a remote administration tool. It can log and/or inject keystrokes. It can do screen captures. It can launch other programs. It can take screen shots. With it, you can browse files. It can also play sounds, as well as change the volume levels. It runs using the rights/privileges of the logged on user. The program restarts on Windows startup. The name is hidden from the task manager list. You cannot delete or rename the server file.

There was a famous use of NetBus in 1999 to plant pornography on a university scholar's computer. It caused him to be fired. He was later exonerated when they discovered that the files were planted by someone else using NetBus.