
SYNOPSIS:
A German programmer named Dan Lehman has released a Windows95/98 trojan horse program named "Master's Paradise." Master's Paradise consists of a client program, also called Master's Paradise, which is run on a remote computer to gain access to any computer connected to a TCP/IP network or the internet. An executable server program must be installed on the victim's computer to permit the remote site access to the victim's computer, in a manner similar to Cult of the Dead Cow's "Back Orifice" program. As is the case with "Back Orifice," this program exploits security vulnerabilities in the Windows95 and Windows98 platforms and does not function on Windows NT systems at the time of this advisory. Reported delivery modes include transfer through IRC and AOL chat rooms, email file attachments, exploits of security holes in browsers and email programs, and physical installation on machines.
The server program for the Master's Paradise trojan horse is presently delivered embedded within a legitimate program. We first encountered it within a file called GAME.EXE which contained the popular parody game called "Pie Bill Gates." In this configuration, the server was delivered and installed as SYSEDIT.EXE along with a Dynamic Link Library file called KeyHook.DLL, which is itself a modified version of the file shipped with several shareware programs. In the GAME.EXE distribution we received, it was provided as a self-installing executable embedded in an unlicensed copy of the TurboSFX file extractor. Other victims of this trojan horse program have received it in files called "PICS.EXE" which purported to contain picture files. In this case, the program appeared to not execute at all but did install the server for these victims. Experimentation with the client program also proved troublesome and resulted in numerous errors. However, the server itself was found to be minimally compatible with a number of other trojan horse clients and did work properly.
Privacy Software Corporation's "BOClean version 2.01" software, designed to detect and defeat the "Back Orifice" trojan horse program, is fully effective in removing the Master's Paradise server regardless of the filename or manner of delivery and, as is the case with "Back Orifice," can also disable this program instantly upon detection. BOClean version 2.01 will also remove the files and registry hooks without the need to disconnect from the internet or reboot the victim's machine. This precludes the risks of registry editing and possible loss of data and permits the victim to remove the program and continue their use of a TCP/IP connection without loss of work or time.
The server program can also be removed manually if it is delivered in its native state with the default filename of "SYSEDIT.EXE." On Windows95 and Windows98 machines, this server replaces the SYSEDIT utility, a Microsoft-supplied utility that permits editing of the system configuration files, and deletes the original SYSEDIT.EXE file. Since the server program can be given any name, the registry will have to be examined to determine the name of the server program. A KeyHook.DLL file is also placed in the \WINDOWS or \WINDOWS\SYSTEM directory, replacing any copy of this file which may have been legitimately installed with other shareware. Both standard copies of these files will need to be restored once the trojan versions are removed. The proper SYSEDIT.EXE file can be recovered from the Windows setup disk(s) and the KeyHook.DLL file can be replaced from the original copy of the shareware which contained the proper DLL. There is no means of restoring the original files even with the use of BOClean version 2.01.
A knowledge of legitimate registry entries in the particular machine is required in order to determine the key which contains the pointer to the Master's Paradise server program. Once the added file is determined, the registry entry can be removed and the machine rebooted to permit deletion of the server file.
While the server is a completely different design from "Back Orifice," its behaviors are similar, as is the means of exploitation of the victim's machine. The server is similar to but not the same as the server used in the "Netbus" exploit.
CAPABILITIES:
The Master's Paradise server permits anyone using the Master's Paradise client to remotely control the victim's machine. The capabilities of the Master's Paradise program are not as significant as those of "Back Orifice," but Privacy Software Corporation has already received reports of this and similar trojan horse programs from BOClean customers in actual operation on their machines. The Master's Paradise server has many of the same capabilities as the "Netbus" program but is not quite as sophisticated.
MANUAL REMOVAL OF MASTER'S PARADISE SERVER:
The Master's Paradise server will install its program in the registry under the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run key. The registry entry will point to the name of the file as the subkey name and will have as its value a pointer to the location where the server is installed. Unlike the similar "Master's Paradise" trojan horse program, there are no telltale command switches in the pointer registry entry.
It is necessary to remove the registry subkey first. It will not be possible to remove the program file while the server is running, and you may also be prevented from shutting down the computer. A reboot will be required in order to restart the machine without the Master's Paradise server being reloaded, at which time the file pointed to in the registry can be removed without further risk.
As a result, care should be taken to back up your registry first, as well as your programs and files, in the event that removal of the registry entry results in damage to your system. Use of Privacy Software Corporation's "BOClean version 2.01" program will safeguard against this possibility by removing the program and its registry entries automatically without risk of damage.
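The manual removal procedure above depends on knowing which entries under the Run key are legitimate on the particular machine. The following script is an added example, not part of the original advisory or of BOClean: it parses a REGEDIT4 export of the Run key (such as "regedit /e" produces) and flags any value that is not in a baseline of known-good entries, or that launches SYSEDIT.EXE, which as a user-invoked editor has no reason to autostart. The sample export and the baseline names are constructed for illustration.

```python
import re

# Constructed sample: a REGEDIT4 export of the Run key. The SYSEDIT entry is
# the one described in the advisory; the other two stand in for legitimate
# autostart programs on a hypothetical Windows 95/98 machine.
SAMPLE_REG = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"SystemTray"="SysTray.Exe"
"SYSEDIT"="C:\\WINDOWS\\SYSEDIT.EXE"
'''

RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

# Hypothetical baseline: Run entries the owner knows to be legitimate on
# this machine. The advisory stresses that this knowledge must come from
# the user; there is no universal list.
BASELINE = {"ScanRegistry", "SystemTray"}


def parse_run_entries(reg_text):
    """Return {value_name: command} for the Run key section of a .REG export."""
    entries, in_key = {}, False
    for line in reg_text.splitlines():
        if line.startswith("["):
            in_key = line.strip("[]").lower() == RUN_KEY.lower()
            continue
        m = re.match(r'^"([^"]+)"="(.*)"$', line)
        if in_key and m:
            # .REG exports escape backslashes and quotes; undo that.
            entries[m.group(1)] = m.group(2).replace('\\\\', '\\').replace('\\"', '"')
    return entries


def executable_name(cmd):
    """Basename of the program a Run command launches (quoted or bare path)."""
    cmd = cmd.strip()
    path = cmd[1:].split('"', 1)[0] if cmd.startswith('"') else cmd.split(" ", 1)[0]
    return path.rsplit("\\", 1)[-1].lower()


def suspicious_run_entries(reg_text, baseline):
    """List (name, command, reasons) for Run entries that warrant inspection."""
    findings = []
    for name, cmd in parse_run_entries(reg_text).items():
        reasons = []
        if name not in baseline:
            reasons.append("not in baseline")
        if executable_name(cmd) == "sysedit.exe":
            reasons.append("launches SYSEDIT.EXE")
        if reasons:
            findings.append((name, cmd, reasons))
    return findings
```

Entries reported here identify the registry value to remove first; the file it points to is deleted only after the reboot, as the procedure above describes.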
COPYRIGHTED MATERIAL:
Copyright (c) 1998 by Privacy Software Corporation.
Permission is granted for the retransmission of this advisory by electronic means. It is not to be edited in any way without the express consent of Privacy Software Corporation. Requests to reprint this information in whole or in part should be directed to technology@privsoft.com.
Disclaimer: The information within this advisory may change without notice and is provided by Privacy Software Corporation AS IS. No warranties, express or implied, are provided with respect to this information, nor should any be construed by the transmission of this information. Any use of this information or its recommendations is solely at the risk of the user.
Contact Privacy Software Corporation at http://www.privsoft.com, http://www.nsclean.com, or by email to technology@privsoft.com. Copies of the Master's Paradise distribution as captured by Privacy Software Corporation will only be provided to recognized security interests and responsible, recognized members of the press with the technical capability to conduct independent research on this trojan horse program; in the alternative, we will provide the URL where the programs can be obtained independently. Copies will NOT be provided by us to any other parties. Privacy Software Corporation reserves the right to refuse transmission without further explanation. Under the provisions of Privacy Software Corporation's customer and website privacy policies, we cannot divulge email from our customers regarding their experiences with these trojan horse programs, nor can we divulge their identities under any circumstances.