Privacy Software Corporation Security Advisory
Thursday, March 22, 2001
 
 BIONET TROJAN HORSE BACKDOOR PROGRAM

Screenshot of the program they use against your machine. What runs on your machine is completely invisible.
 

SYNOPSIS:

Recently, the media has reported that the nearly three-year-old "SubSeven" trojan has gained new capabilities, including complete configurability and a "toolkit" that creates new variant trojan horses which no longer carry the same "signatures" as the original. This was in turn reported to make detection of that specific trojan all the more difficult in the future. In fact, many trojan horses have had such capabilities for well over a year as of this writing. Such is the nature of trojan horses: static scanning for "signatures" has been an obsolete method for some time now as a result of various "file compressors" and "binding tools."

A programmer named "Rezmond" maintains and distributes a remote control trojan horse backdoor program called "BioNet." Until a new release approximately one month ago, BioNet was just another commonplace trojan horse. The most recent "312 and 313" releases of BioNet now pose a severe risk as a result of new capabilities which exploit a major shortcoming in the design of ALL versions of Microsoft Windows: security software can be shut down without any indication to the user that their protective software is no longer functioning. In addition, the most recent releases of BioNet not only incapacitate security software, they can also corrupt that software so that it cannot be reloaded or replaced. This new capability destroys popular firewall, antivirus and antitrojan software prior to installing itself into the victim's system. Because of a major design flaw in Windows itself, there is no solution for this problem unless Microsoft redesigns Windows. Privacy Software Corporation and others in this business have brought this to Microsoft's attention on numerous occasions to no avail.

BioNet exploits a flaw in Windows involving a function called "TerminateProcess()" which unconditionally destroys a running program without any notification to that program that the "rug is being pulled from under it." Without any notification from Windows, a program cannot protect itself from being stopped. Once a process has been stopped, its underlying files can be written to and corrupted by malicious software. BioNet and a number of other trojan horses are now starting to exploit this routinely, nullifying antivirus and other security programs such as firewalls or file scanners. Since the "TerminateProcess" function sends no message from Windows to the affected program that would allow it to veto a shutdown, security software has no defense against the function surreptitiously ending it. Our BOClean product has just been redesigned to attempt to protect against this in our own product, but others in the security business need to take similar steps to at least notify people that their security software has been shut down. Ultimately, Microsoft must be encouraged to provide a message to running programs that they are about to be shut down so that some means of protection can be provided to users of these programs, or at minimum the ability to display a message that the program is being shut down.
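A terminated process gets no chance to raise an alarm, so the alarm has to come from outside it. The following Python watchdog is added here as an illustration of that point; it is not code from BOClean or from any product or program named in this advisory. It starts a stand-in for a security program, ends it the way a hostile TerminateProcess() call would (Popen.kill() maps to TerminateProcess on Windows and to SIGKILL elsewhere), and shows that an external monitor still observes the abnormal exit and can tell the user, while a clean exit is reported differently. The guarded command and the polling interval are assumptions for the demonstration.

```python
import subprocess
import sys
import time

# Stand-in for a resident security program (assumption for the demo): it just stays alive.
GUARDED_CMD = [sys.executable, "-c", "import time; time.sleep(60)"]


def start_guarded(argv=GUARDED_CMD):
    """Launch the program the watchdog is responsible for."""
    return subprocess.Popen(argv)


def watch_until_exit(proc, timeout_s=10.0, interval_s=0.05):
    """Poll the process from the outside. Returns (exited, returncode).

    The guarded process is never asked how it is doing: a process ended by
    TerminateProcess() runs no shutdown code, so only an external observer
    can notice that it is gone.
    """
    deadline = time.monotonic() + timeout_s
    while time.monotonic() < deadline:
        rc = proc.poll()
        if rc is not None:
            return True, rc
        time.sleep(interval_s)
    return False, None


def classify_exit(exited, returncode):
    """Turn the observation into the message a user should see."""
    if not exited:
        return "running"
    if returncode == 0:
        return "clean-exit"            # the program shut itself down normally
    return "abnormal-termination"      # killed from outside or crashed: raise an alert


def demo_hostile_termination():
    """Simulate the path the advisory describes and return the watchdog verdict."""
    proc = start_guarded()
    # Hostile termination: Popen.kill() is TerminateProcess() on Windows, SIGKILL on POSIX.
    proc.kill()
    exited, rc = watch_until_exit(proc)
    return classify_exit(exited, rc)


def demo_clean_exit():
    """Control case: the guarded program exits on its own terms with status 0."""
    proc = start_guarded([sys.executable, "-c", "raise SystemExit(0)"])
    exited, rc = watch_until_exit(proc)
    return classify_exit(exited, rc)


if __name__ == "__main__":
    print("hostile termination ->", demo_hostile_termination())
    print("clean exit          ->", demo_clean_exit())
```

In a real deployment the watchdog and the guarded program protect each other, and the watchdog's job on "abnormal-termination" is to notify the user and restart the guarded program rather than merely to log; the point of the demonstration is that the notification must be produced by a process other than the one being ended.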

Quoted from the AVPS.TXT file included with BioNet:

This file lists the current firewalls / anti-virus programs bionet
will attempt to bypass if set up correctly.

Supported AV / Firewalls for terminating.

 avp
 norton internet security
 panda
 antitrojan
 ants
 atguard
 blackice
 conseal pc
 zonealarm
 winroute
 cleaner3
 lockdown
 sphinx
 mcafee internet guard
 WinRoute

 Supported AV / Firewalls for corrupting installations.
  AT Guard
  WinRoute
  McAfee internet guard
  the cleaner
  conseal pc

BioNet consists of four major components: a client program called "BioNet" which is run on a remote computer to gain access to any computer connected to a TCP/IP network or the internet; a server configuration tool called "EDITOR.EXE"; a DLL library file to permit the use of additional "plug-ins" on the machine owned by the intended victim; and an executable server program which must be installed on the victim's computer to give the remote site access to it, in a manner similar to Back Orifice, Netbus "classic", SubSeven and other internet "remote administration" trojan horses. This program exploits security vulnerabilities in every version of Windows, including Windows 95, Windows 98, Windows NT, Windows ME, Windows 2000 and the beta release of Windows "Whistler" (the future "Windows XP").

Like the majority of modern trojans, BioNet can be given any name by the party who places it on the victim's machine, which makes it difficult, but not impossible, to identify after it has been installed. The server is provided with the default name LIBUPDATE.EXE, but it will function and install itself into a system under any filename given to it; thus the filename should not be expected to be consistent from one infestation to the next. The port number on which it listens is 12349 by default, but it can be configured to use any of 65535 ports, making identification by port number similarly useless.

Privacy Software Corporation's BOClean 4.07 software, designed to detect and defeat trojan horse programs, is fully effective in removing the BioNet server regardless of the filename or manner of delivery and, as is the case with other trojans, disables the program instantly upon detection. BOClean also removes the files and registry hooks without the need to disconnect from the internet or reboot the victim's machine. This precludes the risks of registry editing and possible loss of data, and permits the victim to remove the program and continue using their TCP/IP connection without loss of work or time.

While the server is a completely different design from other trojans, its behaviors are similar, as is the means of exploiting the victim's machine. This program eludes antivirus signature detection because it is delivered in compressed form, leaving no visible "strings" for comparison. The author also makes the raw code for this trojan available so that a number of different file compressors can be used to further elude traditional antivirus methods.
 

CAPABILITIES:

The BioNet server permits anyone using the BioNet "remote control" client on their end to remotely control the victim's machine. The capabilities of BioNet are substantial compared to even the popular SubSeven trojan. The BioNet server will run ONLY when you are connected to the internet, to avoid detection as a static trojan. BioNet contains numerous functions, including the ability to use victim machines to launch distributed denial of service attacks.

 From the author's own distribution notes, we quote:

Why bionet?
BioNet has the most efficient server available today.
With its own unique file transfer protocol making transfers up to 90% faster.
BioNet has its own unique encryption engine making it one of the safest in the world.
We were the first to bring you functions such as ICQ notify, Flip VDU, AOL name stealer.
We set the standards that our competitors struggle to keep up with.

With release 12 we are THE ONLY trojan currently to have a custom CGI notify.
We are the only trojan to use an automated email to send you all offline keystrokes when the server comes online.
No longer do you have to rely on ICQ to tell you when they are on
and no longer do you have to wait for them to come online to download their logs.

With broadband becoming more widely available the new bionet 3 engine has the capacity
to provide a stable platform for high speed data connections with multi threaded file transfer
and realtime streaming media.
This is where you will see many other existing trojans fail to cope under the strain.


Latest UPDATES

Current BioNet Version : 3.13.X BIONET ME

New to release 22
  *Configurable shortcuts (client)
  *BioNix Integration
  *Bug fixes

New to release 21
  *New keylogger, no more DLLs
  *Delay server execution (good for stealth)
  *Bugfixes include upload >5meg and "disable ctrl alt del" buttons
  *Enhanced server: much better performance, more reliability
  *New ICQ Email express Notification
  *Static IP Notification
  *use random ports
  *disable local connections

New to release 20

  * Shutdown bug fixed
  * Image Capture Quality Control
    (less quality = quicker downloads)
  * Customise ICQ Pager messages
  * Have the server display an error message when it is first run.
  * give your server a name
  * matrix chat bug fixed
  * Schedule Editor (no more writing scripts by hand)


New to release 19
 * Support for SDK 2 (client / server plugins)
 * fixed keylogger
 * fixed server info bug.
 * enhanced existing features.
 * fixed webcam capture
 * added firewall evading features

New to release 18
 *  Plugin Manager and SDK sample code released
    (download at www.bionet.org.uk). You may also find plugins for bionet here.
 *  File upload bug fixed (would not upload large files)
 *  Improved interface
 *  added script functions
 *  DNS lookup tool added
 *  File manager improved
 *  Restart server feature (for loading in your scripts)

New to release 17
 * more IRC bot functions
   also changed reply method from notice to tell
 * TCP Port Redirector
 * Support for command schedules at server startup / on connect /
   at a specific time and on specific days.
 * Enhanced File finder (download, delete, execute found file).
 * added PC speaker tunes

New to release 16
 * local file manager fix
 * find files has a nice download button
 * some other bug fixes I missed in release 15.
 * and more features I forget what I changed cos
   I did this about 2am.

New to release 15
 More bug fixes, mainly NT security fixes.
 You can now shut down an NT machine.
 * capture a frame from a remote video
   capture device, e.g. webcam (support for multiple devices)
 * Time Date changer
 * IRC bot
 * Enhanced Window Manager (more control)
 * Enhanced Desktop management
 * improved main interface
 * plus small feature enhancements / addons
 
New to release 14

  ALL KNOWN BUGS FIXED.
  At last bionet is looking complete.
  After release 13 there was still a lot that needed doing.
  BioNet client has new dialogs, and the existing functions
  have been improved such as a new "smart" resolution changer.
  The only thing to note is that the new change resolution
  is not compatible with old servers.
  We have a new IP scanner, a new Port scanner and tons of other
  things have been changed; the registry Editor is now complete,
  it supports delete/create keys, strings and integers
  - Rezmond


New to release 13

 Bug Fixes and GUI enhancements. I have spent a long time
 making bionet nicer to use and getting rid of the bugs
 rather than adding in new features.
 There are still a few known bugs but I have been busy
 with bionet lite (bionet 4); so far the server is 5kb.
 I will be releasing a load more stuff next weekend.


 ** NOTE BIONET 3 IS NOT COMPATIBLE WITH BIONET 2 **

New to release 12

  * New filemanager, with popup menus, drag drop,
    set file as desktop wallpaper, play sound, show image
  * get IE cache
  * get/set IE start page.
  * Show Image
  * Play sound
  * PC speaker control
  * Send user to a webpage (load their default browser and go to the site)
  * Hide / Show system clock
  * Better compression optimised for image files
    Unlike other trojans bionet compresses its bitmaps before sending; the compression
    makes these files smaller than if they were saved as .jpg yet you have the quality of a bmp
  * Advanced Builder features
    it will now let you change the default filename for the bionet server and the startup key alias
  * 3meg limit bug fix, you may now download files > 3meg without any error messages ;o)
  * Speech Engine list out of bounds error fixed.
  * Cannot resolve host for 127.0.0.1 fixed.


New to release 11

 BioNet now has a new engine, it is a lot smaller, faster and will provide
 a platform to take bionet even further giving endless possibilities.
 It is now only limited for data packets over 4gigabytes in size.

 * AutoEmailer now will email you details of their computer when they come online
 * Text to speech engine will allow you to make their computer talk
 * Advanced window manager now supports moving their windows around on the target desktop
 * Screen capture now downloads and is displayed in an internal image viewer
   the viewer allows you to zoom in / out and save the image
 * Keylog file can now be downloaded easily and displayed automatically in
   a text viewer, the data may be exported to a file.
 * streaming Audio, listen in on their machine in real time
 * File manager vastly improved, new look and feel icons.
   3meg download limit bug fixed


** New Advanced Notify CGI option (Versions above 2.9) **

When the server is online it may send data to execute a remote perl script file.
The format box will define what is posted to the CGI script.
See the appropriate help file.

New to release 10

 * Advanced CGI notification
   now the possibilities are endless
   create a victim's web page.
 * keylog fix: the offline keylogger will no longer cause file io errors
 * Offline keylogger can now email you the recorded strokes when they come online
 * improved accessibility, GUI changes, huge performance enhancements
   tidied up the code, made the server execute about 90% more efficient
   server now executes almost instantly.
 * Client shortcut bar as requested making the most used functions easy to access
 

New to Release 09

This is a quick fix release due to the ICQ Protocol change. I would like to have
put more features into it and made sure all the bugs are gone but you will have to wait
till release 3. If you find any bugs let me know, I haven't tested it enough.


 * Window manager, Task Manager, Keylogger opens up in new window
   This was requested by many users.
 * A lot less buggy File uploads now with any luck no longer cause errors when
   you close the bionet client.
 * Offline Key Strokes, BioNet will record all keystrokes so you can download
   them later
 * ICQ 2000 FIX - ICQ pager now compliant with the new ICQ protocols
 * Matrix chat buffers the text so no more odd looking strings of numbers
 * file manager rename folder fixed, does not display annoying messages when
   you cancel
 * Deltree Added to BNFTP be careful with this one ;o).
 * a Few minor changes I can't remember them all
   You can now use sendkeys I forgot to add that when I made the new GUI.

New to Release 08 ( Millennium Edition )
errm well so many features, it's been over 2 months work on BioNet ME
on and off so I can't remember everything.

 * New Gui
 * Ras Stealer
 * Ras Disconnect
 * Screen Saver Control
 * Mouse Trails
 * Disable / Enable ctrl + alt + del
 * Email Stealer
 * More System Info
 * Enhanced keylogger
 * File Search
 * Matrix chat
 * and other shit


New to Release 07
Version 7 was never released to the public but some people have the server
on their machines. Loads of new stuff lol, release 7 was a beta.

New to Release 06
Bug fixes: release 2.5 did not hide from control alt delete in win 9x,
this is now fixed :o) also the cached passwords can now be stolen;
before it was not finding the windows DLL (it was looking in the wrong place)

New to Release 05
 * port scanner is more responsive
 * you may now launch an IGMP attack from the remote host to any target
   heh get 5 victims online at once and you could bring down a small server :)
 * re-added hide desktop + hide task bar from bionet 1 as
   these seemed popular
 * flip VDU added in at long last, I have promised this for months
 * Remote power management put their computer on suspend / hibernate
 * Windows colour manager - Change the windows color settings
 * Remote Printer control - send data to the remote printer have it
   print out a message
 * added a ping button on client so you can see if your target
   is still alive.
 * remote port redirector


New to Release 04

 * Brand new GUI
 * stealth server startup time is extremely quick
 * Remote Keylogger
 * Superfast threaded port scanner
 * Remote Installer - have the server download a file from a URL and execute it
   (useful for updating the server, saves your bandwidth)
 * Hole punch! - this new option can't really be explained, it's in the window manager
   it punches holes in application windows so that they have a transparent area
 * Record Wav - lets you record remote sounds, compresses the wav before
   transfer to save your download time by around 60%
 * Clipboard manager This little tool will allow you to manipulate the
   remote clipboard
 * The server is now even smaller than ever
 * Server builder has a better design and more options
 * Update manager - find out if your version is the latest with the option
   of downloading the latest version of bionet.


Features to Release 02,03

* New Drive Icons in the FTP manager Added CDUP button
* Server Now supports Cached Password Stealing in win9X
* ICQ UIN stealer and AOL screen name grabber also completed
  so you may find out contact info of your victim.


Release 01 Notes
It's been over 6 months since BioNet 1. I am the only programmer
working on it so progress has been slow. I have rewritten most
of it from scratch and programmed all the popular functions of
BioNet 1 as well as a few improvements. This version has been
tested over and over and .. over again with well over 1000 builds
I'm sure all bugs are ironed out.


Current Features

 * Notify By ICQ   this will send an ICQ message telling you when the
                   victim is online. Add as many ICQs as you want
 * File Manager    standard remote upload/download, delete etc
                   with multi threading you may upload / download
                   multiple files at the same time
 * Misc API        Includes mouse control, hiding / showing start menu
 * Open CDROM      a Classic function to open the remote CD drive
 * Remote Shutdown turn off their PC, Exit Windows, Reboot
 * Window Manager  still in its developing stages
                   you can browse through their open applications
 * Bionet includes a new highly detailed log to see what's going on.
 * Server Builder  Build the server to your specs, disable functions,
                   password protect it etc.
 * Message Manager make a message box pop up, choose what buttons,
                   what icon and you will receive the reply.


MANUAL REMOVAL OF BIONET SERVER:

The BioNet server installs itself in the registry under the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run key as a string value, named "LibUpdate" by default, whose data points to the file which was installed. However, this is completely configurable and could be any other value name or filename. Only examination of the files associated with each entry can determine if it's BioNet. There are numerous releases of BioNet and over a hundred variants, all uniquely constructed so as to have very little in common with one another, which makes them hard to tell apart without sophisticated antitrojan tools. We consider it one of the more challenging trojans in the wild.

It is necessary to remove the registry entry first. It will not be possible to remove the program file while the server is running, and you may also be prevented from shutting down the computer. A reboot will be required so that the machine restarts without the BioNet server being reloaded, at which time the file pointed to in the registry can be removed without further risk. The BioNet trojan, like most others, will not be visible in the Windows task list. Make a note of the filename referred to in the registry before removing the entry, then manually remove that file.

Because of this, care should be taken to back up your registry first, as well as your programs and files, in the event that removal of the registry entry damages your system. Use of Privacy Software Corporation's BOClean 4.07 program will safeguard against this possibility by removing the program and its registry entries automatically, without risk of damage and without the need to disconnect the infected machine or reboot.
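The removal procedure above begins with reading the Run key, and since the value name and filename are configurable, every entry has to be looked at. The Python triage below is an added example written for this page, not a Privacy Software Corporation tool: it parses a .reg export of the Run key (a constructed sample is embedded; the entry names, paths and the list of trusted roots are assumptions for the demonstration), extracts the program each entry launches, and marks entries that deserve a closer look: the documented default alias "LibUpdate", a program living outside the system directories, or a bare filename that Windows resolves through the search path. A mark is a reason to examine the file, as the advisory says, not a verdict.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample export of the Run key; not captured from any real machine.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"LibUpdate"="C:\\WINDOWS\\SYSTEM\\LIBUPDATE.EXE"
"Sound Helper"="\"C:\\TEMP\\snd helper.exe\" -q"
'''

RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
DEFAULT_ALIAS = "libupdate"   # value name the advisory gives as BioNet's default
# Assumption for the demo: directories where legitimate Run entries are expected to live.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\")

# A .reg string value doubles every backslash and escapes embedded quotes.
_VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def _unescape(s):
    """Undo .reg escaping: \\" -> " and \\\\ -> \\ (order matters)."""
    return s.replace('\\"', '"').replace("\\\\", "\\")


def parse_run_values(reg_text):
    """Return {value_name: command_line} for string values under RUN_KEY."""
    values, in_key = {}, False
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            # A bracketed line opens a new key; only collect while inside Run.
            in_key = line.strip("[]").lower() == RUN_KEY.lower()
            continue
        m = _VALUE_LINE.match(line)
        if in_key and m:
            values[_unescape(m.group(1))] = _unescape(m.group(2))
    return values


def executable_of(command):
    """Extract the program path from a Run command line.

    Quoted paths may contain spaces; unquoted ones end at the first ".exe".
    """
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    m = re.match(r"(.+?\.exe)(\s|$)", command, re.IGNORECASE)
    return m.group(1) if m else command.split(" ", 1)[0]


def triage(reg_text):
    """List every Run entry with the reasons, if any, it warrants inspection."""
    findings = []
    for name, command in parse_run_values(reg_text).items():
        exe = executable_of(command)
        reasons = []
        if name.lower() == DEFAULT_ALIAS:
            reasons.append("value name matches BioNet's documented default alias")
        path = PureWindowsPath(exe)
        if not path.drive:
            reasons.append("unqualified program name; resolved through the search path")
        elif not str(path).lower().startswith(TRUSTED_ROOTS):
            reasons.append("program lives outside the expected system directories")
        findings.append({"name": name, "exe": exe, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_REG):
        flag = "INSPECT" if f["reasons"] else "ok     "
        print(f"{flag}  {f['name']:<14} {f['exe']}  {'; '.join(f['reasons'])}")
```

To run it against a real machine, export the Run key with regedit (Registry > Export, or the equivalent menu in your version) and pass the file's text to `triage()`; a "Version 5.00" export is UTF-16, so open it with `encoding="utf-16"`. Entries marked INSPECT are the ones whose files should be examined and, if identified as the trojan, noted down before the registry entry is removed.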
 

COPYRIGHTED MATERIAL:

Copyright (c) 2001 by Privacy Software Corporation.

Permission is granted for the retransmission of this advisory by electronic means. It is not to be edited in any way without the express consent of Privacy Software Corporation. Requests to reprint this information in whole or in part should be directed to [email protected].

Disclaimer: The information within this advisory may change without notice and is provided by Privacy Software Corporation AS IS. No warrantees, express or implied, are provided with respect to this information nor should any be construed by the transmission of this information. Any use of this information or its recommendations is solely at the risk of the user.

Contact Privacy Software Corporation at http://www.privsoft.com, http://www.nsclean.com, email to [email protected]. Copies of the BioNet distribution(s) as captured by Privacy Software Corporation will only be provided to recognized security interests and responsible, recognized members of the press with the technical capability to conduct independent research on this trojan horse program or in the alternative, we will provide the URL where the programs can be obtained independently. Copies will NOT be provided by us to any other parties. Privacy Software Corporation reserves the right to refuse transmission without further explanation. Under the provisions of Privacy Software Corporation's customer and website privacy policies, we cannot divulge email from our customers regarding their experiences with these trojan horse programs nor can we divulge their identities under any circumstances.