Packet Storm archive PACKETSTORM:12288: windows.backdoors.txt
Archived Aug 17, 1999, Packet Storm (packetstormsecurity.com)
Date: Fri, 19 Feb 1999 20:02:46 -0500 (EST)
From: X-Force <[email protected]>  
To: [email protected]  
Cc: X-Force <[email protected]>  
Subject: ISSalert: ISS Vulnerability Alert: Windows Backdoors Update II  
  
TO UNSUBSCRIBE: email "unsubscribe alert" in the body of your message to  
[email protected] Contact [email protected] for help with any problems!  
---------------------------------------------------------------------------  
  
  
-----BEGIN PGP SIGNED MESSAGE-----  
  
ISS Vulnerability Alert  
February 19, 1999  
  
Windows Backdoors Update II:  
NetBus 2.0 Pro, Caligula, and Picture.exe  
  
Synopsis:  
  
This advisory is a quarterly update on backdoors for the Windows 9x and  
Windows NT operating systems. The focus of this advisory is NetBus 2.0  
Pro. The final version of NetBus 2.0 Pro was released on February 19. The  
new version of NetBus is not distributed as a backdoor, but as a "Remote  
Administration and Spy Tool." Due to the proliferation of NetBus  
and its common use in attacks across the Internet, NetBus 2.0 poses a  
significant risk with its new functionality and enhanced network  
communication obfuscation. The default installation of NetBus 2.0 Pro  
(NB2) does not hide itself from the user, but it does support an  
"Invisible Mode" to prevent users of infected machines from noticing the  
software. The version of NB2 available on the Internet notifies users upon  
installation, however attackers can easily hide the installation with  
slight modification.  
  
This ISS X-Force Security Alert also includes information about the  
Picture.exe trojan and the Caligula macro virus, since the presence  
of either of those on your system could lead to a compromise of security  
and transmission of sensitive data over the Internet.  
  
NetBus 2.0 Pro Description:  
  
NB2 includes enhanced functionality, including the ability to find cached  
passwords, full control over all windows, capturing video from a video  
input device, a scheduler to run scripts on specified hosts at a certain  
time, and support for plugins. Plugins will enable programmers to add
functionality to NB2, similar to the architecture provided in the cDc
Back Orifice backdoor. The only plugin currently available is a
file-finding utility that searches a victim's hard drive for files.
  
By default, NB2 listens on TCP port 20034, but this is easily  
configurable. NB2 uses a weak form of encryption to obfuscate its  
communications, but the format of its packets makes it easy to spot NB2  
traffic. Each packet starts with the two ASCII bytes 'BN', followed by:

- Two bytes giving the length of the whole packet.
- Two bytes, 0x02 0x00, probably the NetBus version.
- Two random bytes, probably to confuse people.
- Two bytes for the command code.
  
For example:  
  
42 4E XX XX 02 00 YY YY ZZ ZZ ...data...  
  
XX XX is the length of the whole NetBus 2.0 packet  
YY YY are just two random bytes  
ZZ ZZ is the command code  
  
The first 2 bytes are 'BN', the length of the packet is XX XX, and the  
version is 0x02.  
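To make the header layout usable in a detector, here is an added Python example (written for this page; it is not ISS code and not taken from the advisory) that parses the NB2 header, rejects anything whose length field does not cover the packet, and flags both NB2 headers on any port and unrecognised traffic on the default port. The advisory does not say how the two-byte length and command fields are ordered; the example assumes little-endian, and the sample records are constructed, not captured.

```python
"""Parse and flag NetBus 2.0 Pro (NB2) control-channel packets.

Header layout from the advisory:
  'B' 'N' | len(2) | 0x02 0x00 | rnd(2) | cmd(2) | data...
Assumption (not stated in the advisory): the two-byte length and command
fields are little-endian, as was usual for Win32 tools of the period.
"""
import struct
from typing import Iterable, Iterator, NamedTuple, Optional, Tuple

NB2_MAGIC = b"BN"
NB2_VERSION = b"\x02\x00"
NB2_HEADER_LEN = 10
NB2_DEFAULT_PORT = 20034


class NB2Packet(NamedTuple):
    length: int
    version: bytes
    nonce: bytes      # the two "random" bytes
    command: int
    data: bytes


def parse_nb2(packet: bytes) -> Optional[NB2Packet]:
    """Return the decoded header if `packet` is a well-formed NB2 packet, else None."""
    if len(packet) < NB2_HEADER_LEN or packet[:2] != NB2_MAGIC:
        return None
    length, version, nonce, command = struct.unpack("<H2s2sH", packet[2:NB2_HEADER_LEN])
    # The length field covers the whole packet, magic included. A mismatch means
    # either a reassembly problem or data that merely happens to start with 'BN'.
    if length != len(packet) or version != NB2_VERSION:
        return None
    return NB2Packet(length, version, nonce, command, packet[NB2_HEADER_LEN:])


def build_nb2(command: int, data: bytes, nonce: bytes = b"\x00\x00") -> bytes:
    """Build a packet in the same layout (used here to produce test traffic)."""
    body = NB2_VERSION + nonce + struct.pack("<H", command) + data
    return NB2_MAGIC + struct.pack("<H", NB2_HEADER_LEN + len(data)) + body


def flag_nb2_sessions(records: Iterable[Tuple[str, int, bytes]]) -> Iterator[Tuple[str, int, str]]:
    """records: (src, dst_port, payload) tuples, e.g. exported from a capture.
    Yields (src, dst_port, reason) for an NB2 header on any port (the port is
    trivially reconfigured) and for unknown traffic to the default port."""
    for src, dport, payload in records:
        pkt = parse_nb2(payload)
        if pkt is not None:
            yield src, dport, f"NB2 header, cmd=0x{pkt.command:04x}, {len(pkt.data)} data bytes"
        elif dport == NB2_DEFAULT_PORT:
            yield src, dport, "traffic to NB2 default port without NB2 header"


# Constructed sample records for the demo; not captured traffic.
SAMPLE_RECORDS = [
    ("10.0.0.5", 20034, build_nb2(0x0001, b"ver", nonce=b"\x7a\x13")),
    ("10.0.0.6", 31337, build_nb2(0x0010, b"C:\\secret.txt")),   # server moved off 20034
    ("10.0.0.7", 80, b"GET / HTTP/1.0\r\n\r\n"),
    ("10.0.0.8", 20034, b"BNxx\x02\x00ab\x01\x00junk-that-is-too-long"),  # bad length field
]


def run_demo():
    """Return the list of flagged records for SAMPLE_RECORDS."""
    return list(flag_nb2_sessions(SAMPLE_RECORDS))


if __name__ == "__main__":
    for src, dport, reason in run_demo():
        print(f"{src}:{dport}  {reason}")
```

Matching on the 'BN' header rather than on port 20034 alone is the point: the port is one registry value away from changing, while the header is fixed by the protocol, and the length check avoids false positives on text or files that happen to begin with 'BN'.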
  
NB2 stores registry information in the HKEY_CURRENT_USER\NetBus Server
registry key. If you have this key in your registry, NB2 may be running on
your machine. To determine the port that NB2 uses, check the value of
HKEY_CURRENT_USER\NetBus Server\General\TCPPort, and run
'netstat -an | find "LISTEN"' to see if your system is listening on that
port. If NB2 is listening, you need to find the NB2 server executable and
delete it. The default name is NbSvr.exe, but it can be easily renamed.
  
If NetBus 2.0 is configured to start automatically when your computer
boots, the registry key
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
will have a value called 'NetBus Server Pro' that specifies the full path
of the NetBus executable. Use that value to locate and delete the file if
you find that NB2 has been installed on your machine without permission.
  
NetBus 2.0 traffic using the default port can be detected by RealSecure if  
you configure it to monitor traffic on TCP port 20034.  
  
Caligula Description:  
  
The WM97/Caligula virus was released by 'Codebreakers', a virus exchange  
(Vx) group. This is a Microsoft Word macro virus that steals your Pretty  
Good Privacy (PGP) secret key ring and uploads it to a Codebreakers FTP  
site. When executed, this virus will open the registry and look for the  
HKEY_CLASSES_ROOT\PGP Encrypted File\shell\open\command registry value.  
The virus uses this value to find the path to the PGP program. Once it  
finds the path to PGP, the virus locates your secret key ring, located in  
the secring.skr file. The virus copies this file to a file called  
secringXXXX.skr, where each X is an integer from 0 to 7, for example,  
secring3150.skr. This file is uploaded to an FTP site at 208.201.88.110,  
or ftp.codebreakers.org, and stored in the incoming directory.  
  
After Caligula runs, it sets the registry value
HKEY_CURRENT_USER\Software\Microsoft\MS Setup (ACME)\User Info\Caligula to
1 (True). You can tell if you have the Caligula virus by looking for that
value in the registry.
  
An infection by Caligula can be detected by RealSecure if you configure  
it to look for FTP connections to 208.201.88.110.  
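The network indicators above (an FTP upload to 208.201.88.110 or ftp.codebreakers.org of a file named secringXXXX.skr, X in 0 to 7, into the incoming directory) can be turned into a log check. The following is an added Python example for this page, not ISS or RealSecure code; the log line format (timestamp, client, server, FTP verb, argument) is invented for the example, and the log lines themselves are constructed.

```python
"""Flag Caligula PGP-keyring exfiltration in FTP logs.

Indicators are taken from the advisory: an FTP STOR of secringXXXX.skr
(each X a digit 0-7) to 208.201.88.110 / ftp.codebreakers.org. The log
format below is invented for this example, not a real product's format.
"""
import re
from typing import List, Optional, Tuple

CALIGULA_SERVERS = {"208.201.88.110", "ftp.codebreakers.org"}

# 'secring' + exactly four digits, each 0..7, + '.skr'; case-insensitive (Windows file names).
SECRING_COPY = re.compile(r"(?:^|[\\/])secring[0-7]{4}\.skr$", re.IGNORECASE)

# Constructed log layout: "<ts> <client> -> <server> <VERB> [<arg>]"
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) -> (?P<server>\S+) (?P<verb>[A-Z]+)(?: (?P<arg>.*))?$"
)


def classify(line: str) -> Optional[Tuple[str, str]]:
    """Return (severity, reason) for a suspicious log line, or None if benign."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    server, verb, arg = m["server"], m["verb"], m["arg"] or ""
    to_drop_site = server in CALIGULA_SERVERS
    is_keyring_copy = SECRING_COPY.search(arg) is not None
    if to_drop_site and verb == "STOR" and is_keyring_copy:
        return "high", f"{m['client']} uploaded PGP secret keyring {arg} to {server}"
    if verb == "STOR" and is_keyring_copy:
        # Same file pattern going elsewhere: maybe a variant with a new drop site.
        return "medium", f"{m['client']} uploaded a secringXXXX.skr file to {server}"
    if to_drop_site:
        return "low", f"{m['client']} contacted Caligula drop site {server} ({verb})"
    return None


def scan(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (line, severity, reason) for every line classify() flags."""
    hits = []
    for line in lines:
        result = classify(line)
        if result is not None:
            hits.append((line, result[0], result[1]))
    return hits


# Constructed sample log; the hosts and clients are placeholders.
SAMPLE_LOG = [
    "1999-02-19T20:02:46 192.168.1.20 -> ftp.example.net STOR report.doc",
    "1999-02-19T20:03:01 192.168.1.21 -> 208.201.88.110 USER anonymous",
    "1999-02-19T20:03:02 192.168.1.21 -> 208.201.88.110 CWD incoming",
    "1999-02-19T20:03:05 192.168.1.21 -> 208.201.88.110 STOR secring3150.skr",
    "1999-02-19T20:04:10 192.168.1.22 -> backup.example.net STOR secring.skr",
    "1999-02-19T20:05:00 192.168.1.23 -> backup.example.net STOR secring9999.skr",
]


if __name__ == "__main__":
    for line, severity, reason in scan(SAMPLE_LOG):
        print(f"[{severity}] {reason}")
```

The file-name regex is deliberately strict (four digits, each 0 to 7) so that an ordinary secring.skr backup, or a name with other digits, is not flagged; a plain connection to the drop site is still reported at low severity because the advisory's own detection rule is the destination address.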
  
Picture.exe Description:  
  
The Picture.exe trojan horse program has been circulating around the  
Internet via an e-mail attachment. If run, this executable will send  
information about your Windows NT or 95/98 system to any of several e-mail  
addresses in China. The file has also been seen with the name Manager.exe.  
  
Executing or opening Picture.exe places a file called note.exe in your  
Windows directory. It also adds the line "RUN=NOTE.EXE" to the win.ini  
file so note.exe runs every time Windows boots. The first time that  
note.exe runs, it creates a file in your Windows directory called  
$2321.Dat. This file contains an encoded listing of all of the files whose  
three-letter file name extensions begin with an h, i, m, p, s, or t. ISS  
X-Force believes it was the author's intent to get files whose extensions  
are .idx, .mdb, .pst, .htm, .snm, .pab, and .txt, because those extensions  
show up in note.exe. However, note.exe will list any file whose extension  
begins with those letters. Earlier reports indicated that note.exe looks  
through a user's web cache directories to determine which web sites the  
user visited, but this claim is false. Note.exe looks through all  
directories trying to gather e-mail addresses.  
  
The data in the file created by note.exe is encoded by adding 5 to each  
character's ASCII code, for example:  
  
C:\Inetpub\iissamples\ISSamples\default.htm  
  
becomes:  
  
H?aNsjyuzgannxxfruqjxaNXXfruqjxaijkfzqy3myr  
  
The second time note.exe runs, it searches all files for e-mail addresses.  
When it finds an address, it encodes and writes the address to a file  
called $4135.Dat in your Windows directory. The way that this data is  
encoded is by subtracting 5 from each character's ASCII code, for example:
  
xforce@iss.net
  
becomes:  
  
sajm^`;dnn)i`o  
  
After note.exe searches all of the files, it overwrites $4135.Dat with
compressed data in which every host name is listed only once. It encodes
the data by subtracting 5 from each character's ASCII code, and ends each
line with ~X or =~X, where X is an integer index that pairs a username
with a host name. Lines ending in ~X are usernames, and lines ending in
=~X are host names. Once decoded, the data looks like this:
  
root~1  
xforce~1  
support~2  
iss.net=~1  
microsoft.com=~2  
  
Each username is matched with the host name carrying the same index. In
this example, the e-mail addresses are root@iss.net, xforce@iss.net, and
support@microsoft.com.
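The two encodings (add 5 for the $2321.Dat file listing, subtract 5 for the $4135.Dat addresses) and the ~X / =~X pairing are simple enough to reverse in a few lines. The following is an added Python example written for this page, not code from ISS or from the trojan; it assumes the ~X and =~X terminators are shifted along with the rest of the line, and the sample table is constructed from the advisory's decoded example rather than recovered from an infected host.

```python
"""Decode the files written by the Picture.exe / note.exe trojan.

$2321.Dat: file listing, each character's ASCII code + 5.
$4135.Dat: e-mail data, each character's ASCII code - 5, with '~N'
           (username) and '=~N' (host) terminators pairing the two.
Assumption: the terminators are shifted like the rest of the line.
"""
import re
from typing import Dict, List, Tuple

SHIFT = 5


def shift_text(text: str, delta: int) -> str:
    """Add `delta` to every character's code point (the trojan's only 'encryption')."""
    return "".join(chr(ord(c) + delta) for c in text)


def encode_listing(path: str) -> str:      # $2321.Dat, written on the first run
    return shift_text(path, +SHIFT)


def decode_listing(line: str) -> str:
    return shift_text(line, -SHIFT)


def encode_address(addr: str) -> str:      # $4135.Dat, written on the second run
    return shift_text(addr, -SHIFT)


def decode_address(line: str) -> str:
    return shift_text(line, +SHIFT)


_USER = re.compile(r"^(?P<user>.+?)~(?P<idx>\d+)$")
_HOST = re.compile(r"^(?P<host>.+?)=~(?P<idx>\d+)$")


def rebuild_addresses(encoded_table: List[str]) -> List[str]:
    """Decode the compressed $4135.Dat table and re-pair users with hosts by index.
    A username whose host index never appears is reported as 'user@?' so it is
    not silently dropped."""
    users: List[Tuple[str, str]] = []
    hosts: Dict[str, str] = {}
    for raw in encoded_table:
        line = decode_address(raw)
        m = _HOST.match(line)      # host first: 'iss.net=~1' would also match _USER
        if m:
            hosts[m["idx"]] = m["host"]
            continue
        m = _USER.match(line)
        if m:
            users.append((m["user"], m["idx"]))
    return [f"{u}@{hosts.get(i, '?')}" for u, i in users]


# Constructed sample: the advisory's decoded example, re-encoded as note.exe would write it.
DECODED_SAMPLE = ["root~1", "xforce~1", "support~2", "iss.net=~1", "microsoft.com=~2"]
SAMPLE_TABLE = [encode_address(line) for line in DECODED_SAMPLE]


if __name__ == "__main__":
    print(encode_listing(r"C:\Inetpub\iissamples\ISSamples\default.htm"))
    print(encode_address("xforce@iss.net"))
    print(rebuild_addresses(SAMPLE_TABLE))
```

Because the shift is fixed and the same in both directions, the encoded files can also be recognised without decoding: the $4135.Dat lines all end in a shifted '~' followed by shifted digits, which is a usable triage signature on a suspect machine.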
  
The third time note.exe runs, it attempts to send the contents of  
$4135.Dat to any of several e-mail addresses. The addresses ISS X-Force  
have identified are [email protected], [email protected],  
[email protected], and [email protected].  
  
The trojan tries to connect to various SMTP servers. ISS X-Force has
identified public2.lyptt.ha.cn, public1.sta.net.cn, nenpub.szptt.net.cn,
mail.capital-online.com.cn, public.cc.jl.cn, pub1.fz.fj.cn,
public.szonline.net, and mail.nn.gx.cn. The data is Base64 encoded.
  
A header detected from an e-mail sent by note.exe is as follows:  
  
From: ab<[email protected]>
To: [email protected]  
Subject: A manager software from ZDNet_AU  
X-Mailer: Microsoft Outlook Express 4.72  
Mime-Version: 1.0  
Content-Type: multipart/mixed;  
boundary="====================545354:56:00.PM===="  
  
If sending the e-mail succeeds, note.exe will delete $2321.Dat and  
$4135.Dat. If sending fails, it will try again the next time note.exe  
runs, and keep trying until it successfully sends the e-mail.  
  
Earlier reports also stated that note.exe looks for AOL account  
information on your computer, because it reads the MAIN.IDX file in your  
AOL directory. ISS X-Force believes that this statement is false. The  
program searches the hard drive for .idx files, because it is looking for  
e-mail addresses, and Microsoft Outlook uses .idx files for keeping track  
of e-mail in your mail folders. On a machine with AOL 4.0 installed,  
note.exe does read the MAIN.IDX file in the AOL directory, but the  
username and password information is never sent to the e-mail addresses in  
China.  
  
  
Recommendations:  
  
It would be difficult to manually search all of your machines to make  
sure no backdoors are running, so the best way to protect yourself is  
to not run any untrusted binaries. You should NEVER run any program sent  
to you over IRC, ICQ, or any other chat medium, as it is quite easy to  
spoof or impersonate even trusted users, and you can never tell if the  
person sending you the program is who they claim to be. Don't run any  
program sent to you via e-mail unless it is digitally signed. It is  
trivial to fake the sender's address, and you don't know who actually sent  
the e-mail. Also, be very careful when running programs you download from  
the Internet or the World Wide Web. Isolating your machines behind a  
firewall will help prevent attackers from connecting to any backdoors  
installed on your machine, but it may be possible for them to bypass the  
firewall if the backdoor is listening on a port that is left open on the  
firewall, for example, the port DNS uses for its operations.  
  
If you find yourself infected with the Picture.exe trojan or the Caligula  
macro virus, you should run an anti-virus program to get rid of it.  
  
For more information:  
  
NetBus can be downloaded from http://netbus.nu.  
  
________  
  
Copyright (c) 1999 by Internet Security Systems, Inc. Permission is  
hereby granted for the electronic redistribution of this Security Alert.  
It is not to be edited in any way without express consent of the X-Force.  
If you wish to reprint the whole or any part of this Alert Summary in any  
other medium excluding electronic medium, please e-mail [email protected] for  
permission.  
  
Internet Security Systems, Inc. (ISS) is the leading provider of adaptive  
network security monitoring, detection, and response software that  
protects the security and integrity of enterprise information systems. By  
dynamically detecting and responding to security vulnerabilities and  
threats inherent in open systems, ISS's SAFEsuite family of products  
provide protection across the enterprise, including the Internet,  
extranets, and internal networks, from attacks, misuse, and security  
policy violations. ISS has delivered its adaptive network security  
solutions to organizations worldwide, including firms in the Global 2000,  
nine of the ten largest U.S. commercial banks, and over 35 governmental  
agencies. For more information, call ISS at 678-443-6000 or 800-776-2362  
or visit the ISS Web site at http://www.iss.net.
  
Disclaimer  
The information within this paper may change without notice. Use of this  
information constitutes acceptance for use in an AS IS condition. There  
are NO warranties with regard to this information. In no event shall the  
author be liable for any damages whatsoever arising out of or in  
connection with the use or spread of this information. Any use of this  
information is at the user's own risk.  
  
X-Force PGP Key available at: http://www.iss.net/xforce/sensitive.html  
as well as on MIT's PGP key server and PGP.com's key server.  
  
Please send suggestions, updates, and comments to:  
X-Force <[email protected]> of Internet Security Systems, Inc.  
  
-----BEGIN PGP SIGNATURE-----  
Version: 2.6.3a  
Charset: noconv  
  
iQCVAwUBNs4H8DRfJiV99eG9AQEzLAP/UrxikH1CpUzOr2wKqe3brD60atbvGr0y  
TEYTi4oFBKAtlg4cDgRlXWA3UGOqzqvB5lc4eEMv1vgKXG0zmFpaPFMpcLP9dtPd  
e/XDQ/ixESG7MhXHltK8MFJPGyDV3Fz1vwjukUhcqlNmnHqCXcnCnOntjV7zG8Eh  
dyDGQ1cVA18=  
=n9in  
-----END PGP SIGNATURE-----  
  