3009.txt

snort入侵检测规则文件2.4 Snort是众所周知的网络入侵检测工具

Rule: 

--
Sid: 
3009

-- 
Summary:
This event is generated when an attempt is made to request a connection
using the NetBus Pro 2.0 Trojan.

-- 
Impact: 
If connected, the attacker could execute files remotely on your computer,
capture an image of your desktop, send messages, steal your passwords,
open and close your CD-ROM, play sounds, print documents, and even
shutdown or reboot your computer, among many other things. The attacker
will have almost total control of the PC should he connect successfully.

--
Detailed Information:
NetBus Pro 2.0 incorporates its own protocol. It uses port 20034 by
default, but it can be changed by the attacker.

Its packets included a ten byte header followed by the packet's encrypted
data. The first two bytes of the header are static: 42 4E.  The next two
bytes indicate the size of the packet, followed by two bytes
for the version number, followed by two random bytes, and the final ninth
and tenth byte make up the command code. To look for an attack from one of
these functions, the header of the suspicious packet will look like:

	42 4E S1 S2 V1 V2 R1 R2 C1 C2

NOTE: S1 and S2 are size byte one and size byte two. V1 and V2 are version
number byte one and version number byte two. R1 and R2 are random bytes
one and two. C1 and C2 are the command code bytes.

The following is a list of the command codes for many of Net Bus Pro 2.0's
functions:

	Capture Desktop Image: 41 01
	CD-ROM Open and Close: 60 01
	Client Chat: 08 00
	Execute File: 30 01
	Reading Directory Listing: 50 00
	Directory Traversal: 51 00
	Go To URL: 33 01
	Keyboard Tricks: 61 01
	Keylogger: 40 01
	Mouse Tricks: 65 01
	Open Document: 33 01
	Play Sound: 31 01
	Plugin Manager: 90 00
	Print Document: 34 01
	Record Sound: 43 01
	Redirect Application: 10 01
	Redirect Port: 00 01
	Registry Manager: 70 00
	Remote Control: 73 01 and 72 01
	Send Message: 40 00
	Send Text: 64 01
	Show Image: 32 01
	Sound System: 80 00
	System Administrator: 21 00
	System Information: 30 00
	Windows Manager: 60 00
	Any Windows Exit Function(Shutdown, Reboot, etc.): 50 01

--
Affected Systems:
Windows 95/98/ME/NT/2000

--
Attack Scenarios: 
The victim must first install the server. Be wary of suspicious files
because they often can be backdoor programs in disguise.

Once the victim mistakenly installs the server program, the attacker
will usually employ an IP scanner program to find the IP addresses of
victims that have installed the program. The attacker then enters the IP
address, port number (which is assigned to the server program by the
attacker: default is 20034), and presses the connect button to gain access
to the targeted system.

-- 
Ease of Attack: 
Simple. Trojan Horse programs are widely available.

-- 
False Positives:
None known

--
False Negatives:
None known

-- 
Corrective Action: 
In order to get rid of it, you will have to uninstall the program,
deleting the folder and its contents or uninstalling it from the
Add/Remove Programs option under the control panel. The Trojan usually
does not attempt to hide itself, making the process of finding it much easier.

--
Contributors:
Sourcefire Research Team
Ricky Macatee <rmacatee@sourcefire.com> 

-- 
Additional References:

Dark-E:
http://www.dark-e.com/archive/trojans/netbus/200/index.shtml

--