Rule: 

--
Sid: 
115
-- 
Summary: 
This event is generated when the victim confirms the connection request sent by the attacker using the NetBus Pro 2.0 trojan.

-- 

Impact: 
If connected, the attacker could execute files remotely on your computer, capture an image of your desktop, send messages, steal your passwords,
open and close your CD-ROM drive, play sounds, print documents, and even shut down or reboot your computer, among many other things. The attacker will have almost
total control of the PC should he connect successfully.

--
Detailed Information:
NetBus Pro 2.0 uses its own protocol. It listens on port 20034 by default, but the attacker can change the port.
Its packets consist of a ten-byte header followed by the packet's encrypted data.
The first two bytes of the header are static: 42 4E. The next two bytes indicate the size of the packet, followed by two bytes
for the version number, followed by two random bytes; the ninth and tenth bytes make up the command code. To look for an attack using one of these functions,
check whether the header of the suspicious packet looks like:
42 4E S1 S2 V1 V2 R1 R2 C1 C2
NOTE: S1 and S2 stand for size bytes one and two. V1 and V2 stand for version number bytes one and two.
R1 and R2 stand for random bytes one and two. C1 and C2 stand for the command code bytes.

The following is a list of the command codes for many of NetBus Pro 2.0's functions:

Capture Desktop Image: 41 01
CDROM Open and Close: 60 01
Client Chat: 08 00
Execute File: 30 01
Reading Directory Listing: 50 00
Directory Traversal: 51 00
Go To URL: 33 01
Keyboard Tricks: 61 01
Keylogger: 40 01
Mouse Tricks: 65 01
Open Document: 33 01
Play Sound: 31 01
Plugin Manager: 90 00
Print Document: 34 01
Record Sound: 43 01
Redirect Application: 10 01
Redirect Port: 00 01
Registry Manager: 70 00
Remote Control: 73 01 and 72 01
Send Message: 40 00
Send Text: 64 01
Show Image: 32 01
Sound System: 80 00
System Administrator: 21 00
System Information: 30 00
Windows Manager: 60 00
Any Windows Exit Function (Shutdown, Reboot, etc.): 50 01
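As an added example (not part of this rule documentation and not Sourcefire code), the following Python decodes the ten-byte header described above and maps the trailing command-code bytes to the function names in the list. Because the page says the data after the header is encrypted, only the header is inspected. The sample packet is constructed for the example; the page does not state the byte order of the size and version fields, so the little-endian reading of the size is labelled as an assumption and the raw bytes are kept alongside it.

```python
# Added example: decode the NetBus Pro 2.0 header "42 4E S1 S2 V1 V2 R1 R2 C1 C2"
# and name the function requested by the command code bytes C1 C2.
from typing import Optional

MAGIC = b"\x42\x4e"   # static first two bytes of every NetBus Pro 2.0 header
HEADER_LEN = 10

# Command codes exactly as listed above, keyed by the two bytes as they appear
# on the wire (C1 then C2). "Go To URL" and "Open Document" share 33 01 and
# "Remote Control" has two codes, so values are lists of names.
COMMAND_CODES = {
    b"\x41\x01": ["Capture Desktop Image"],
    b"\x60\x01": ["CDROM Open and Close"],
    b"\x08\x00": ["Client Chat"],
    b"\x30\x01": ["Execute File"],
    b"\x50\x00": ["Reading Directory Listing"],
    b"\x51\x00": ["Directory Traversal"],
    b"\x33\x01": ["Go To URL", "Open Document"],
    b"\x61\x01": ["Keyboard Tricks"],
    b"\x40\x01": ["Keylogger"],
    b"\x65\x01": ["Mouse Tricks"],
    b"\x31\x01": ["Play Sound"],
    b"\x90\x00": ["Plugin Manager"],
    b"\x34\x01": ["Print Document"],
    b"\x43\x01": ["Record Sound"],
    b"\x10\x01": ["Redirect Application"],
    b"\x00\x01": ["Redirect Port"],
    b"\x70\x00": ["Registry Manager"],
    b"\x73\x01": ["Remote Control"],
    b"\x72\x01": ["Remote Control"],
    b"\x40\x00": ["Send Message"],
    b"\x64\x01": ["Send Text"],
    b"\x32\x01": ["Show Image"],
    b"\x80\x00": ["Sound System"],
    b"\x21\x00": ["System Administrator"],
    b"\x30\x00": ["System Information"],
    b"\x60\x00": ["Windows Manager"],
    b"\x50\x01": ["Windows Exit Function (Shutdown, Reboot, etc.)"],
}


def parse_header(packet: bytes) -> Optional[dict]:
    """Return the decoded header fields, or None when the packet is shorter
    than the header or does not start with the 42 4E signature."""
    if len(packet) < HEADER_LEN or packet[:2] != MAGIC:
        return None
    size_bytes = packet[2:4]
    command = packet[8:10]
    return {
        "size_bytes": size_bytes.hex(" "),
        # Assumption (not stated in the rule documentation): the size field
        # is a little-endian 16-bit integer covering the whole packet.
        "size_le": int.from_bytes(size_bytes, "little"),
        "version_bytes": packet[4:6].hex(" "),
        "random_bytes": packet[6:8].hex(" "),
        "command_code": command.hex(" "),
        "functions": COMMAND_CODES.get(command, []),
    }


def describe(packet: bytes) -> str:
    """One-line classification suitable for an alert message."""
    hdr = parse_header(packet)
    if hdr is None:
        return "not a NetBus Pro 2.0 header"
    names = " / ".join(hdr["functions"]) or "unknown command"
    return f"NetBus Pro 2.0 command {hdr['command_code']} ({names})"


# Constructed sample: header + 16 bytes of opaque payload, size = 26 (0x1a).
SAMPLE_PACKET = (
    MAGIC
    + (26).to_bytes(2, "little")  # S1 S2 (assumed little-endian)
    + b"\x02\x00"                 # V1 V2 (constructed version bytes)
    + b"\x9c\x3d"                 # R1 R2 (constructed random bytes)
    + b"\x30\x01"                 # C1 C2: Execute File
    + b"\x00" * 16                # encrypted data, not inspected here
)

if __name__ == "__main__":
    print(describe(SAMPLE_PACKET))
    print(describe(b"GET / HTTP/1.0\r\n"))
```

The lookup matches the two command bytes exactly as printed in the list, so no byte-order assumption is needed for the command code; only the size interpretation is assumed. A packet that carries the 42 4E signature but an unlisted command code is still reported as NetBus traffic, which is the conservative choice for detection.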

--
Affected Systems:
Windows 95/98/ME/NT/2000

--

Attack Scenarios: 
The victim must first install the server. Be wary of suspicious files, because they are often backdoors in disguise.
Once the victim mistakenly installs the server program, the attacker usually employs an IP scanner
to find the IP addresses of victims that have installed it. The attacker then enters the IP address and port number (which
is assigned to the server program by the attacker; the default is 20034), presses the connect button, and has access to the computer.

-- 

Ease of Attack: 
Easy. Simply a matter of pressing the connect button once the victim has installed the server.


-- 

False Positives:
None known

--
False Negatives:
None known

-- 

Corrective Action: 
To get rid of it, uninstall the program, either by deleting its folder and
contents or by removing it through the Add/Remove Programs option in the Control Panel.
The trojan usually does not attempt to hide itself, which makes finding it much easier.

--
Contributors:
Original Rule Writer: Ricky Macatee <rmacatee@sourcefire.com> 
Sourcefire Research Team

-- 
Additional References:
http://www.dark-e.com/archive/trojans/netbus/200/index.shtml


--
