Academic Information Systems
Back Orifice, NetBus, and Others

Remote Administration Utilities Designed as Trojan Horses

  • What Is It
  • What Does It Do
  • How To Detect It
  • How To Remove It

    What Is It

    There are a number of utilities available which allow remote access to computers running Windows 95/98 (NetBus also works under NT). These utilities are similar in concept to their retail cousins (pcANYWHERE, VNC (freeware), Timbuktu) in that they allow a remote computer access to another computer running the "server" portion over a LAN/WAN/Internet connection, but they are designed for alternate purposes.

    Back Orifice and NetBus are different from these other remote administration programs in that they were designed for the purpose of gaining unauthorized control over someone else's computer without their knowledge. This makes them a security risk and is why they are classified as trojan horses. While they can be used for legitimate purposes, their functionality leans them towards being hacker tools and not legitimate retail software.

    The creators of Back Orifice, a hacker group known as the Cult of the Dead Cow, describe Back Orifice as follows:

    Back Orifice is a remote administration system which allows a user to control a Win95 machine over a network using a simple console or GUI application. On a local LAN or across the internet, BO gives its user more control of the remote Windows system than the person at the keyboard of that machine.

    The creator of NetBus describes NetBus as follows:

    NetBus was made to let people have some fun with his/her friends. In other words, my attention with NetBus in the beginning was neither to have it as an administration tool nor as a hacking tool. Future versions will probably become a more serious administration tool.


    What Does It Do

    Back Orifice and NetBus both consist of two separate programs: a server portion that hides on the "infected" machine, and a client portion. Back Orifice has clients available on multiple platforms (Windows, Mac, UNIX, even Amiga); NetBus only has a Windows-based client portion. The server portions hide themselves within the directory structures of the "infected" machines and use the Windows registry to load themselves automatically on startup. Back Orifice by default names itself " .exe" ("space".exe) and comes complete with a blank icon to make it more difficult to spot; it tries to load into the C:\Windows\System directory. NetBus by default is named "patch.exe", but renaming it to something less suspicious is recommended (SysEdit.exe is common); it tries to load into the C:\Windows directory.

    [Screenshot: Can you spot the trojans?]

    [Screenshot: How about now?]

    When running, the server portions start listening for the client portions to connect. Back Orifice listens on port 31337 and NetBus listens on port 12345 and 12346 by default, but both programs can be configured to listen on any port.

    Once the server portion has been loaded and started, someone can use the client portions to take control of the "infected" computer.

    [Screenshot: NetBus v1.70 client]

    [Screenshot: Back Orifice Win32 GUI client]

    The client portions can be used to do just about anything to the target computer.

    NetBus:

    • Get Info: Displays the path to the server portion, the login name of who is currently using the computer, and the number of clients connected to the server.
    • Screendump: Grabs a screenshot of the target machine.
    • Msg manager: Creates various dialog boxes with your text.
    • Start program: Starts an executable on the target computer.
    • Swap mouse: Switches the right and left mouse buttons.
    • Show image: Displays a BMP/JPG image in a window.
    • Open CD-ROM: Opens and closes the CD-ROM drive.
    • Server admin: Allows you to set the IP addresses a client can connect to the target computer from. Also allows you to disable the server portion.
    • Port Redirect: Redirects incoming TCP packets from a specified port to another host and port.
    • Play sound: Plays a WAV file.
    • Exit Windows: Closes Windows.
    • Send text: Sends text to the currently focused window.
    • Active wnds: Lists the open windows and can close or focus on specific windows.
    • App Redirect: Redirects the I/O of a program to a specified TCP port for outside interaction.
    • Mouse pos: Moves the mouse pointer to a specific X-Y coordinate.
    • Listen: Monitors keystrokes and can save them to a file.
    • Sound system: Adjusts the volume on the target computer and can record a WAV file from the target computer's microphone.
    • Server setup: Allows the customization of the connection port number, the setting of passwords, and e-mail notifications when the server is started.
    • Control mouse: Takes control of the target computer's mouse.
    • Go to URL: Opens the default browser to a website you specify.
    • Key manager: Can disable specific keys, or the entire keyboard. Can also enable and disable keyclick sounds.
    • File manager: Views the directory structure and allows the addition, removal, and taking of files.

    [Screenshots: NetBus Message Controls, NetBus File Manager, NetBus Window Manager]

    Back Orifice:

    • Application Add/Delete/List: Starts a text-based application, stops one, or lists running ones.
    • Directory Create/List/Remove: Creates and removes directories or displays their contents.
    • Export Add/Delete/List: Shares a folder on the target machine, but hides the "shared hand" icon.
    • File Copy/Delete/Find/View: Copies, deletes, finds, and views files.
    • File Freeze/Melt: Compresses/decompresses a file.
    • HTTP Disable/Enable: Enables/disables a web server that allows anyone with a web browser to connect to the target machine and have full access to its directory structure and files.
    • Keylog Begin/End: Logs keystrokes and saves them to a file.
    • MM Capture AVI/Frame/Screen: If the target computer has a capture device, this will grab screenshots, or record from the device.
    • MM List Capture Devices: Lists any capture devices the target computer has.
    • MM Play Sound: Plays a WAV sound.
    • Net Connections: Lists incoming and outgoing network connections.
    • Net Delete/Use/View: Allows you to view the target computer's network neighborhood and connect shares to it.
    • Ping Host: Pings a computer for a Back Orifice server.
    • Plugin Execute/Kill/List: Lists plugins and can start or stop them.
    • Process Kill/List/Spawn: Starts an application on the target computer.
    • Redirect Add/Delete/List: Redirects incoming TCP packets to another host.
    • Registry Create Key / Delete Key / Delete Value / List Keys / List Values / Set Value: Gives full control over the target computer's registry.
    • Resolve Host: Finds the IP address for a host name.
    • System Dialogue Box: Creates a dialog box with a specified title, specified text, and an OK button.
    • System Info: Displays system info such as hard drive size, memory, processor, username, etc.
    • System Lockup: Freezes the target computer.
    • System Passwords: Displays cached passwords.
    • System Reboot: Reboots the target computer.
    • TCP File Send/Receive: Transfers files.

    [Screenshots: Back Orifice registry access, Back Orifice Dialog Box controls]

    Back Orifice also has the additional ability to execute certain "addons" or "plugins" known as "Butt Plugs".

    • Butt Trumpet: causes Back Orifice to connect to a specified SMTP server and send the perpetrator an e-mail with the IP address of the "infected" computer.
    • Saran Wrap: allows Back Orifice to be attached to an installation file.
    • Silk Rope: similar to Saran Wrap, but it allows Back Orifice to be attached to any executable file.
    • And Many More


    How To Detect It

    Unfortunately, there is no guaranteed method for detecting Back Orifice and NetBus on a computer, but there are a number of symptoms that one can look for.

    First of all, if a computer is being controlled by another computer, strange things might start occurring on the "infected" computer: the CD-ROM drive mysteriously opening, slow network connections, unusual sounds playing, or even the appearance of non-standard error messages.

    [Screenshots: NetBus Message Window, Back Orifice Dialog Box]

    Another method of detection would be to check the network status of your computer. Typing "netstat -an" at a command prompt will show all of the open network connections on your computer. By default Back Orifice listens for clients on port 31337 and NetBus listens for clients on ports 12345 and 12346. Both of these programs can be configured to listen on any port, though, so it is a good idea to look for any unusual port actively listening on your computer. If you are not sure whether it is a problem or not, contact your dorm's RCC or send an email to rhno@columbia.edu.

    [Screenshot: netstat -an output. NOTE: on your computer, trojan ports will NOT be displayed in red.]
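    The two checks above (listening ports from "netstat -an", and the default server file names and autostart entries from the "What Does It Do" section) can be scripted. The following is an added example, not part of the original page or of BoDetect: it parses the output format that the Windows "netstat -an" command prints, flags the default Back Orifice and NetBus ports, reports any other listening port that is not in a list you expect, and inspects a set of Run-key autostart entries for the default file names. The netstat text and the Run-key entries are constructed sample data; on a real machine you would feed in the actual command output and the actual registry values.

```python
"""Defender-side checks for the Back Orifice / NetBus symptoms described on the page."""
import re
from typing import Dict, FrozenSet, List, NamedTuple

# Default listening ports named on the page. Both trojans can be reconfigured,
# so these are a starting point, not a complete signature.
DEFAULT_TROJAN_PORTS = {31337: "Back Orifice", 12345: "NetBus", 12346: "NetBus"}

# Default server file names from the page: " .exe" (a single space) in
# C:\Windows\System for Back Orifice, "patch.exe" in C:\Windows for NetBus.
DEFAULT_TROJAN_FILES = {
    r"c:\windows\system\ .exe": "Back Orifice",
    r"c:\windows\patch.exe": "NetBus",
}


class Finding(NamedTuple):
    kind: str    # "port" or "autostart"
    detail: str  # the port number or the autostart entry
    reason: str  # why it was flagged


# A "netstat -an" data line looks like:
#   TCP    0.0.0.0:12345          0.0.0.0:0              LISTENING
# UDP lines have no state column, so the last group is optional.
NETSTAT_LINE = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)\s*(\S+)?\s*$", re.IGNORECASE
)


def listening_ports(netstat_output: str) -> List[int]:
    """Return the local TCP ports in LISTENING state, in the order printed."""
    ports = []
    for line in netstat_output.splitlines():
        m = NETSTAT_LINE.match(line)
        if not m:
            continue  # header, blank line or anything else that is not a socket
        proto, _local_addr, port, _remote, state = m.groups()
        if proto.upper() == "TCP" and (state or "").upper() == "LISTENING":
            ports.append(int(port))
    return ports


def check_ports(netstat_output: str, expected_ports: FrozenSet[int]) -> List[Finding]:
    """Flag default trojan ports, and any listener not in the expected set."""
    findings = []
    for port in listening_ports(netstat_output):
        if port in DEFAULT_TROJAN_PORTS:
            findings.append(Finding("port", str(port),
                                    f"default {DEFAULT_TROJAN_PORTS[port]} port"))
        elif port not in expected_ports:
            findings.append(Finding("port", str(port),
                                    "listening port not in the expected set; "
                                    "find out which program owns it"))
    return findings


def check_autostart(run_entries: Dict[str, str]) -> List[Finding]:
    """run_entries maps a Run-key value name to the command it launches.

    Flags the default file names and, because " .exe" can be dropped into any
    directory, any executable whose name is blank or only whitespace.
    """
    findings = []
    for name, command in run_entries.items():
        path = command.strip('"').lower()
        if path in DEFAULT_TROJAN_FILES:
            findings.append(Finding("autostart", f"{name} -> {command}",
                                    f"default {DEFAULT_TROJAN_FILES[path]} file name"))
            continue
        basename = path.rsplit("\\", 1)[-1]
        stem = basename[:-4] if basename.endswith(".exe") else basename
        if not stem.strip():
            findings.append(Finding("autostart", f"{name} -> {command}",
                                    "executable name is blank or only whitespace"))
    return findings


def scan(netstat_output: str, run_entries: Dict[str, str],
         expected_ports: FrozenSet[int] = frozenset({139})) -> List[Finding]:
    """Run both checks; port 139 (NetBIOS) is assumed normal on a Windows 9x host."""
    return check_ports(netstat_output, expected_ports) + check_autostart(run_entries)


# Constructed sample "netstat -an" output (addresses are documentation ranges).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:139            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:12345          0.0.0.0:0              LISTENING
  TCP    0.0.0.0:12346          0.0.0.0:0              LISTENING
  TCP    192.0.2.10:1053        192.0.2.20:80          ESTABLISHED
  UDP    0.0.0.0:137            *:*
"""

# Constructed sample Run-key entries (value name -> command).
SAMPLE_RUN_ENTRIES = {
    "SystemTray": r"SysTray.Exe",
    "Startup": r'"C:\WINDOWS\SYSTEM\ .EXE"',
    "Patch": r'"C:\WINDOWS\PATCH.EXE"',
}

if __name__ == "__main__":
    for f in scan(SAMPLE_NETSTAT, SAMPLE_RUN_ENTRIES):
        print(f"[{f.kind}] {f.detail}: {f.reason}")
```

    The port check deliberately reports two kinds of result: a hit on a default port, which is strong evidence, and an unexpected listener, which only means someone should find out what program opened it, since the page notes both servers can be moved to any port.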

    A third method of detection would be to use a detection program like BoDetect 2.5 to detect and remove the offending program. This will be discussed more in the removal section.


    How To Remove It

    Back Orifice and NetBus can both be removed using a program called BoDetect 2.5. If you have any problems obtaining or installing this software, contact your dorm's RCC or send an email to rhno@columbia.edu.

    Once installed, BoDetect can be run by selecting its icon in the "Start Menu". BoDetect will automatically search through your system for Back Orifice and NetBus. If neither trojan is detected, BoDetect will notify you of that fact.

    [Screenshot: BoDetect all-clear message]

    If trojans are detected, a window will open listing the detected trojans and where they are located, and it will offer you a button to remove them. Selecting this button will disable the trojan program, remove any Windows Registry entries it might have created, and remove the files that make up the trojan. A dialog box will let you know when this process is completed.

    [Screenshots: BoDetect trojan detection message, BoDetect trojans removed message]

    Once all trojans have been removed from your system, AcIS/RHNO highly recommends you change your cunix account password in case it was compromised while the trojan was active. For information on how to do this, email rhno@columbia.edu or call the AcIS Helpline at 854-1919.

    BoDetect includes other features that allow it to run constantly in the status bar of a computer to prevent further infestations of Back Orifice and NetBus. This feature can be controlled within the Options tab of BoDetect. For more information on the use of these features, consult the documentation that comes with BoDetect.

    [Screenshots: BoDetect in the status bar, BoDetect options window]


    Academic Information Systems
    rhno@columbia.edu - 22 February 1999 - 212 854.1919