NetBus 'Trojan' Splits Security Community
(03/02/99, 7:46 p.m. ET)
By Lee Kimber, Network Week
Internet-connected networks could be left vulnerable to Trojan attacks
because leading anti-virus software vendors have said they won't scan and
disable a new, more powerful NetBus Trojan.
Remote-control programs like NetBus were dubbed Trojans because they could
be hidden on computers by crackers. The latest version of NetBus has split
network-security experts because its author said it was not a Trojan as it
remained visible.
But crackers reportedly rewrote it to make it invisible within days of its
launch.
Data Fellows and Sophos said their anti-virus products would not disable
the recently launched remote-control Trojan NetBus 2 Pro because its
Swedish author Carl-Fredrik Neikter was a professional who now charged $12
for a legitimate shareware product.
"NetBus 2.0 Pro is not detected as it is now commercial software,"
according to a spokesman for Data Fellows' European office in Finland.
"NetBus 1.x up to 1.7 was detected by anti-virus scanner F-Secure but not
NetBus 2.0."
Data Fellows' website reported that earlier NetBus versions were used
frequently to steal data and delete files on people's machines.
NetBus lets crackers take remote control of networked PCs, but
publicity over its spread has been eclipsed by the Back Orifice
remote-control Trojan written by hacker group Cult of the Dead Cow.
But unlike Back Orifice, NetBus can infect Windows NT machines and is more
easily configured. And Neikter described it himself as a "remote
administration and spy tool."
His promotional material also mentioned NetBus provided the ability to
change files and registries. Neikter could not be contacted for comment.
Sophos confirmed it also would not offer NetBus support.
"It is a commercial product and it looks extremely professionally written.
You can use these products for lawful or unlawful purposes," said Jan
Hruska, Sophos technical director.
He added Sophos products did not scan for earlier versions of NetBus but
the company would make a scanning tool available that people could use if
they want to.
But rival vendor Network Associates said it believed NetBus was aimed at
young crackers and joined with other vendors to commit to detecting and
removing the Trojan in Dr Solomon's and McAfee anti-virus products.
"We're carrying on detecting it," said the company's anti-virus consultant
Jack Clark.
"We don't believe a commercial application would have a section in the
manual that says 'have fun with your friends' and has the ability to pop
out the CD tray on users' machines," he added.
And asked if Symantec would update its software to detect the Trojan,
Symantec technical manager Kevin Street replied: "Absolutely. We've
already got it sorted out, so why would we remove it?"
Received on Thu Mar 11 17:30:03 1999