NetBus
{{Short description|Software program}}
{{morefootnotes|date=August 2013}}
{{Infobox Software
|name = NetBus
|screenshot =<!-- Deleted image removed: [[Image:NetBus153.png|250px]] -->
|caption = Screenshot of NetBus 1.5.3 client
|developer = [[Carl-Fredrik Neikter]]
|operating_system = [[Microsoft Windows]],<br />[[UNIX]]-systems (v1.60 client only)
|latest_release_version = 2.01 Pro
|latest_release_date =
|genre = [[Remote administration]]
|license = [[Shareware]]
}}
'''NetBus''' or '''Netbus''' is a [[computer program|software program]] for remotely controlling a [[Microsoft Windows]] computer system over a network. It was created in 1998 and has been very controversial for its potential to be used as a [[trojan horse (computing)|trojan horse]].<ref>{{Cite web|url=https://www.sans.org/reading-room/whitepapers/malicious/paper/103|title=NetBus 2.1, Is It Still a Trojan Horse or an Actual Valid Remote Control Administration Tool?|last=Kulakow|first=Seth|date=2001|website=SANS Institute: Reading Room - Malicious Code|language=en|archive-url=|archive-date=|access-date=2020-03-26}}</ref><ref name="II2013">{{cite book|author=William (Chuck) Easttom II|url=https://books.google.com/books?id=HeB1AQAAQBAJ&pg=PA262|title=Network Defense and Countermeasures: Principles and Practices|date=18 October 2013|publisher=Pearson Education|isbn=978-0-13-338438-3|pages=262–}}</ref>

NetBus was written in [[Delphi (programming language)|Delphi]] by Carl-Fredrik Neikter, a Swedish programmer, in March 1998.<ref>{{Cite web|url=https://www.giac.org/paper/gsec/403/netbus/101033|title=NetBus|date=December 17, 2000|access-date=2021-08-01}}</ref> It was in wide circulation before [[Back Orifice]] was released in August 1998. The author claimed that the program was meant to be used for [[practical joke|pranks]], not for illegally breaking into computer systems. Translated from [[Swedish language|Swedish]], the name means "NetPrank". However, use of NetBus has had serious consequences.
In 1999, NetBus was used to plant [[child pornography]] on the work computer of a law scholar at [[Lund University]]. The 3,500 images were discovered by system administrators, and the law scholar was assumed to have downloaded them knowingly. He lost his research position at the faculty and, following the publication of his name, fled the country and had to seek professional medical care to cope with the stress. He was acquitted of criminal charges in late 2004, as a court found that NetBus had been used to control his computer.<ref>{{cite web |url=http://www.expressen.se/1.153215 |title=Offer för porrkupp |language=Swedish |publisher=[[Expressen]] |date=November 28, 2004 |access-date=May 31, 2007 |archive-url=https://web.archive.org/web/20090621012436/http://www.expressen.se/1.153215 |archive-date=June 21, 2009 |url-status=dead }}</ref>

There are two components to the [[client–server]] architecture. The [[Server (computing)|server]] must be installed and run on the computer that should be remotely controlled. It was an [[EXE|.exe]] file with a file size of almost 500 [[kilobyte|KB]]. The name and icon varied considerably from version to version. Common names were "Patch.exe" and "SysEdit.exe". When started for the first time, the server would install itself on the host computer, including modifying the [[Windows registry]] so that it starts automatically on each system startup. The server is a [[faceless process]] listening for connections on [[TCP and UDP port|port]] 12345 (in some versions, the port number can be adjusted). Port 12346 is used for some tasks, as well as port 20034.

The [[client (computing)|client]] was a separate program presenting a [[graphical user interface]] that allowed the user to perform a number of activities on the remote computer.
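
The listening behaviour described above can be checked for on a host. The following is an added example, not part of the original article or of NetBus: it scans <code>netstat -ano</code>-style output for TCP listeners on the ports named above and raises the finding when the owning image has one of the common server names. The sample output and the PID-to-name map are constructed, and since some versions allow the port to be changed, an empty result does not show the server is absent.

```python
import re

# Ports and file names taken from the article text above.
NETBUS_PORTS = {12345, 12346, 20034}
COMMON_NAMES = {"patch.exe", "sysedit.exe"}

# Constructed sample of `netstat -ano` output (not captured from a real host).
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    0.0.0.0:12345          0.0.0.0:0              LISTENING       2312
  TCP    0.0.0.0:12346          0.0.0.0:0              LISTENING       2312
  TCP    192.168.1.20:49712     203.0.113.5:12345      ESTABLISHED     4100
  TCP    [::]:20034             [::]:0                 LISTENING       3120
"""
# Constructed PID -> image name map, as `tasklist` would supply it.
SAMPLE_PROCS = {884: "svchost.exe", 2312: "Patch.exe",
                3120: "backup.exe", 4100: "chrome.exe"}

# Local address, local port and PID of a listening TCP socket.
LINE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$")


def find_netbus_listeners(netstat_text, procs):
    """Return findings for TCP listeners on the ports the article lists."""
    findings = []
    for line in netstat_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # header, or a socket that is not listening
        port, pid = int(m.group(2)), int(m.group(3))
        if port not in NETBUS_PORTS:
            continue
        image = procs.get(pid, "<unknown>")
        # A matching port alone is weak evidence; a common server
        # file name on the owning process raises the finding.
        level = "high" if image.lower() in COMMON_NAMES else "review"
        findings.append({"port": port, "pid": pid,
                         "image": image, "level": level})
    return findings


if __name__ == "__main__":
    for finding in find_netbus_listeners(SAMPLE_NETSTAT, SAMPLE_PROCS):
        print(finding)
```

The outbound connection to a remote port 12345 is ignored on purpose: only local listening sockets correspond to the server component.
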
Examples of its capabilities:
* [[Keystroke logging]]
* Keystroke injection
* Screen captures
* Program launching
* File browsing
* Shutting down the system
* Opening / closing CD-tray
* [[Tunneling protocol]] (NetBus connections through a number of systems.)

The NetBus client was designed to support the following [[operating system]] versions:
* [[Windows 95]]
* [[Windows 98]]
* [[Windows ME]]
* [[Windows NT 4.0]]

The NetBus client (v1.70) also works in [[Windows 2000]] and [[Windows XP]].

Major parts of the protocol used between the client and the server (in version 1.70) are textual.

NetBus 2.0 Pro was released in February 1999. It was marketed commercially as a powerful remote administration tool. It was less stealthy, but special hacked versions exist that make it possible to use it for illegal purposes.

All versions of the program were widely used by "[[script kiddies]]" and were popularized by the release of [[Back Orifice]]. Because of its smaller size, Back Orifice can be used to gain some access to a machine. The attacker can then use Back Orifice to install the NetBus server on the target computer. Most [[anti-virus]] programs detect and remove NetBus.

==References==
{{reflist}}

==External links==
<!-- Note: Don't link directly to NetBus or any other such tools; it'll only encourage skiddies. -->
* [http://www.f-secure.com/v-descs/netbus.shtml Information about NetBus] — Information from anti-virus vendor F-Secure.
* [https://packetstormsecurity.com/files/10680/linux-netbus-client-v0.4.tgz.html lxnb] — A NetBUS client for Linux that works with NetBus 1.60.
* [https://packetstormsecurity.com/files/14625/nil-0.1b.tar.gz.html NIL] — NIL 0.1b - NIL is a simple Netbus client with a clean interface for Linux.

{{Remote administration software}}

[[Category:Common trojan horse payloads]]
[[Category:Windows remote administration software]]
[[Category:Pascal (programming language) software]]