SYNOPSIS:
Recently, the media has reported that the nearly three-year-old "SubSeven" trojan has gained new capabilities, including complete configurability and a "toolkit" that creates new variants which no longer carry the same "signatures" as the original. This was reported to make detecting that specific trojan all the more difficult in the future. In fact, many trojan horses have had such capabilities for well over a year as of this writing. Static scanning for "signatures" has been an obsolete method for some time, because "file compressors" (runtime packers) and "binding tools" (which join a trojan to a legitimate program) change the bytes on disk without changing what the program does.
A programmer named "Rezmond" maintains and distributes a remote control trojan horse backdoor program called "BioNet." Until a new release approximately one month ago, BioNet was just another commonplace trojan horse. The most recent "312 and 313" releases of BioNet now pose a severe risk because of new capabilities which exploit a major shortcoming in the design of ALL versions of Microsoft Windows: security software can be shut down without any indication to the user that their protective software is no longer functioning. In addition, the most recent releases of BioNet not only incapacitate security software, they can also corrupt it so that it cannot be reloaded or replaced. This new capability destroys popular firewall, antivirus and antitrojan software before the trojan installs itself on the victim's system. Because this is a design flaw in Windows itself, there is no complete solution unless Microsoft redesigns Windows. Privacy Software Corporation and others in this business have brought this to Microsoft's attention on numerous occasions, to no avail.
BioNet exploits the behaviour of the Windows API function TerminateProcess(), which unconditionally ends a running program without any notification that the "rug is being pulled from under it": the target receives no message, gets no chance to run cleanup code, and has no way to veto the shutdown. (On the NT-based versions of Windows the caller needs PROCESS_TERMINATE access to the target process, but code running under the same user account as the security software, or as Administrator, normally has that access.) Without any notification from Windows, a program cannot protect itself from being stopped. Once a process has been stopped, the files it was protecting, including its own executable, can be written to and corrupted by malicious software. BioNet and a number of other trojan horses now exploit this routinely, nullifying antivirus and other security programs such as firewalls and file scanners. Since TerminateProcess() sends no message to the affected program, there is no defense that lets security software prevent the function from surreptitiously ending it. Our BOClean product has just been redesigned to attempt to protect against this in our own product, but others in the security business need to take similar steps, at minimum to notify people that their security software has been shut down. Ultimately, Microsoft must be encouraged to give running programs a message that they are about to be shut down, so that some means of protection can be provided to users of those programs, or at minimum a warning that the program is being shut down.
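The "at minimum, notify the user" step described above can be done from outside the protected program. The script below is an added example written for this page; it is not part of the advisory, of BioNet or of BOClean. It polls for the security processes named in $Watched and writes a warning to the console and to the Application event log when one of them disappears. It cannot stop a TerminateProcess() call, it only supplies the notification that Windows does not. It assumes Windows PowerShell 5.1 (Write-EventLog was removed in PowerShell 7), that the process names in $Watched are replaced with those of the security products actually installed (the name given is a placeholder, not taken from the advisory), and an elevated prompt the first time so the event source can be registered.

```powershell
# Added example, not the advisory's or BOClean's code. Watches named security
# processes and raises a warning when one of them vanishes.
param(
    [string[]]$Watched = @('MsMpEng'),   # placeholder: replace with your AV/firewall process names
    [int]$IntervalSeconds = 5,
    [string]$Source = 'SecWatchdog'      # hypothetical event source name
)

# One-time registration of the event source (needs an elevated prompt).
if (-not [System.Diagnostics.EventLog]::SourceExists($Source)) {
    New-EventLog -LogName Application -Source $Source
}

function Test-ProcessAlive {
    param([string]$Name)
    return $null -ne (Get-Process -Name $Name -ErrorAction SilentlyContinue)
}

# Record the starting state so that a product that was never running is
# reported once at startup rather than on every interval.
$state = @{}
foreach ($name in $Watched) {
    $state[$name] = Test-ProcessAlive $name
    if (-not $state[$name]) { Write-Warning "$name is not running at startup" }
}

while ($true) {
    foreach ($name in $Watched) {
        $alive = Test-ProcessAlive $name
        if ($state[$name] -and -not $alive) {
            # Running -> gone between two polls: the process had no chance to
            # tell anyone, so this watchdog tells the user and the event log.
            $msg = "Security process '$name' disappeared at $(Get-Date -Format s). " +
                   "It received no shutdown notification; treat this as a possible TerminateProcess() attack."
            Write-Warning $msg
            Write-EventLog -LogName Application -Source $Source -EntryType Warning -EventId 1001 -Message $msg
        }
        elseif (-not $state[$name] -and $alive) {
            Write-Host "$name is running again"
        }
        $state[$name] = $alive
    }
    Start-Sleep -Seconds $IntervalSeconds
}
```

The watchdog is itself an ordinary process and can be terminated the same way, so it raises the attacker's cost by one step rather than closing the hole. Running it under a different account from the interactive user (for example as a service) helps on the NT-based versions of Windows, because PROCESS_TERMINATE access is then governed by that account's security descriptor rather than granted automatically to code running as the same user.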
Quoted from the AVPS.TXT file included with BioNet:
This file lists the current firewalls / anti-virus programs BioNet will attempt to bypass if set up correctly.

Supported AV / firewalls for terminating:
 avp
 norton internet security
 panda
 antitrojan
 ants
 atguard
 blackice
 conseal pc
 zonealarm
 winroute
 cleaner3
 lockdown
 sphinx
 mcafee internet guard
 WinRoute

Supported AV / firewalls for corrupting installations:
 AT Guard
 WinRoute
 McAfee internet guard
 the cleaner
 conseal pc
BioNet consists of four major components: a client program called "BioNet", run on the attacker's computer to gain access to any victim connected to a TCP/IP network or the internet; a server configuration tool called "EDITOR.EXE"; a DLL library file that permits the use of additional "plug-ins" on the victim's machine; and the executable server program itself, which must be installed on the victim's computer to give the remote party access in a manner similar to Back Orifice, NetBus "classic", SubSeven and other internet "remote administration" trojan horses. The server runs on, and uses the TerminateProcess() technique described above against, every version of Windows, including Windows 95, Windows 98, Windows NT, Windows ME, Windows 2000 and the beta release of Windows "Whistler" (the future Windows XP).
Like the majority of modern trojans, the BioNet server can be given any name by the party who places it on the victim's machine, which makes it difficult, but not impossible, to identify after it has been installed. The server ships with the default name LIBUPDATE.EXE, but it will function and install itself under any filename given to it, so the filename should not be expected to be consistent from one infestation to the next. The port on which it listens is 12349 by default, but it can be configured to use any of the 65535 TCP ports (and, per the author's notes below, release 21 added a random-port option), so identification by port number is similarly unreliable.
Privacy Software Corporation's BOClean 4.07, designed to detect and defeat trojan horse programs, removes the BioNet server regardless of filename or manner of delivery and, as with other trojans, disables the program instantly upon detection. BOClean also removes the files and registry hooks without requiring the victim to disconnect from the internet or reboot. This avoids the risks of manual registry editing and possible loss of data, and lets the victim remove the program and continue using their TCP/IP connection without loss of work or time.
While the server is a completely different design from other trojans, its behaviour is similar, as is the means of exploiting the victim's machine. This program eludes antivirus signature detection because it is delivered in a compressed (packed) form, leaving no visible "strings" for comparison. The author also makes the raw code for this trojan available, so that any number of different file compressors can be used to further elude traditional antivirus methods.
CAPABILITIES:
The BioNet server permits anyone using the BioNet "remote control" client on their end to remotely control the victim's machine. The capabilities of BioNet are substantial compared even to the popular SubSeven trojan. The BioNet server runs ONLY while the victim is connected to the internet, to avoid detection as a static trojan. BioNet contains numerous functions, including the ability to use victim machines to launch distributed denial of service attacks.
From the author's own distribution notes, we quote:
Why BioNet? BioNet has the most efficient server available today, with its own unique file transfer protocol making transfers up to 90% faster. BioNet has its own unique encryption engine making it one of the safest in the world. We were the first to bring you functions such as ICQ notify, Flip VDU, AOL name stealer. We set the standards that our competitors struggle to keep up with. With release 12 we are THE ONLY trojan currently to have a custom CGI notify. We are the only trojan to use an automated email to send you all offline keystrokes when the server comes online. No longer do you have to rely on ICQ to tell you when they are on, and no longer do you have to wait for them to come online to download their logs. With broadband coming more widely available, the new BioNet 3 engine has the capacity to provide a stable platform for high speed data connections with multi-threaded file transfer and realtime streaming media. This is where you will see many other existing trojans fail to cope under the strain.

Latest UPDATES
Current BioNet Version: 3.13.X BIONET ME

New to release 22
 * Configurable shortcuts (client)
 * BioNix integration
 * Bug fixes

New to release 21
 * New keylogger, no more DLLs
 * Delay server execution (good for stealth)
 * Bug fixes include upload >5 meg and "disable ctrl alt del" buttons
 * Enhanced server, much better performance, more reliability
 * New ICQ Email Express notification
 * Static IP notification
 * Use random ports
 * Disable local connections

New to release 20
 * Shutdown bug fixed
 * Image capture quality control (less quality = quicker downloads)
 * Customise ICQ pager messages
 * Have the server display an error message when it is first run
 * Give your server a name
 * Matrix chat bug fixed
 * Schedule editor (no more writing scripts by hand)

New to release 19
 * Support for SDK 2 (client / server plugins)
 * Fixed keylogger
 * Fixed server info bug
 * Enhanced existing features
 * Fixed webcam capture
 * Added firewall evading features

New to release 18
 * Plugin manager and SDK sample code released (download at www.bionet.org.uk). You may also find plugins for BioNet here.
 * File upload bug fixed (would not upload large files)
 * Improved interface
 * Added script functions
 * DNS lookup tool added
 * File manager improved
 * Restart server feature (for loading in your scripts)

New to release 17
 * More IRC bot functions; also changed reply method from notice to tell
 * TCP port redirector
 * Support for command schedules at server startup / on connect / at a specific time and on specific days
 * Enhanced file finder (download, delete, execute found file)
 * Added PC speaker tunes

New to release 16
 * Local file manager fix
 * Find files has a nice download button
 * Some other bug fixes I missed in release 15
 * And more features; I forget what I changed cos I did this about 2am

New to release 15
More bug fixes, mainly NT security fixes. You can now shut down an NT machine.
 * Capture a frame from a remote video capture device, e.g. webcam (support for multiple devices)
 * Time / date changer
 * IRC bot
 * Enhanced window manager (more control)
 * Enhanced desktop management
 * Improved main interface
 * Plus small feature enhancements / add-ons

New to release 14
ALL KNOWN BUGS FIXED. At last BioNet is looking complete. After release 13 there was still a lot that needed doing. BioNet client has new dialogs, and the existing functions have been improved, such as a new "smart" resolution changer. The only thing to note is that the new change resolution is not compatible with old servers. We have a new IP scanner, a new port scanner and tons of other things have been changed; the registry editor is now complete, it supports delete/create keys, strings and integers. - Rezmond

New to release 13
Bug fixes and GUI enhancements. I have spent a long time making BioNet nicer to use and getting rid of the bugs rather than adding in new features. There are still a few known bugs but I have been busy with BioNet Lite (BioNet 4); so far the server is 5kb. I will be releasing a load more stuff next weekend.
** NOTE: BIONET 3 IS NOT COMPATIBLE WITH BIONET 2 **

New to release 12
 * New file manager, with popup menus, drag and drop, set file as desktop wallpaper, play sound, show image
 * Get IE cache
 * Get/set IE start page
 * Show image
 * Play sound
 * PC speaker control
 * Send user to a web page (load their default browser and go to the site)
 * Hide / show system clock
 * Better compression optimised for image files. Unlike other trojans BioNet compresses its bitmaps before sending; the compression makes these files smaller than if they were saved as .jpg yet you have the quality of a bmp
 * Advanced builder features: it will now let you change the default filename for the BioNet server and the startup key alias
 * 3 meg limit bug fix; you may now download files > 3 meg without any error messages ;o)
 * Speech engine list out of bounds error fixed
 * Cannot resolve host for 127.0.0.1 fixed

New to release 11
BioNet now has a new engine; it is a lot smaller, faster and will provide a platform to take BioNet even further, giving endless possibilities. It is now only limited for data packets over 4 gigabytes in size.
 * AutoEmailer now will email you details of their computer when they come online
 * Text to speech engine will allow you to make their computer talk
 * Advanced window manager now supports moving their windows around on the target desktop
 * Screen capture now downloads and is displayed in an internal image viewer; the viewer allows you to zoom in / out and save the image
 * Keylog file can now be downloaded easily and displayed automatically in a text viewer; the data may be exported to file
 * Streaming audio: listen in on their machine in real time
 * File manager vastly improved, new look and feel icons
 * 3 meg download limit bug fixed
** New Advanced Notify CGI option (versions above 2.9) ** When the server is online it may send data to execute a remote Perl script file. The format box will define what is posted to the CGI script. See the appropriate help file.

New to release 10
 * Advanced CGI notification: now the possibilities are endless, create a victims web page
 * Keylog fix: the offline keylogger will no longer cause file I/O errors
 * Offline keylogger can now email you the recorded strokes when they come online
 * Improved accessibility, GUI changes, huge performance enhancements; tidied up the code, made the server execute about 90% more efficiently, server now executes almost instantly
 * Client shortcut bar, as requested, making the most used functions easy to access

New to release 09
This is a quick fix release due to the ICQ protocol change. I would like to have put more features into it and made sure all the bugs are gone but you will have to wait till release 3. If you find any bugs let me know, I haven't tested it enough.
 * Window manager, task manager, keylogger open up in a new window. This was requested by many users.
 * A lot less buggy: file uploads now, with any luck, no longer cause errors when you close the BioNet client
 * Offline keystrokes: BioNet will record all keystrokes so you can download them later
 * ICQ 2000 fix: ICQ pager now compliant with the new ICQ protocols
 * Matrix chat buffers the text so no more odd looking strings of numbers
 * File manager rename folder fixed, does not display annoying messages when you cancel
 * Deltree added to BNFTP, be careful with this one ;o)
 * A few minor changes, I can't remember them all. You can now use sendkeys; I forgot to add that when I made the new GUI.

New to release 08 (Millennium Edition)
Errm, well, so many features; it's been over 2 months work on BioNet ME on and off so I can't remember everything.
 * New GUI
 * RAS stealer
 * RAS disconnect
 * Screen saver control
 * Mouse trails
 * Disable / enable ctrl + alt + del
 * Email stealer
 * More system info
 * Enhanced keylogger
 * File search
 * Matrix chat
 * and other shit

New to release 07
Version 7 was never released to the public but some people have the server on their machines. Loads of new stuff, lol, release 7 was a beta.

New to release 06
Bug fixes. Release 2.5 did not hide from control alt delete in Win 9x; this is now fixed :o) Also the cached passwords can now be stolen; before, it was not finding the Windows DLL (it was looking in the wrong place).

New to release 05
 * Port scanner is more responsive
 * You may now launch an IGMP attack from the remote host to any target; heh, get 5 victims online at once and you could bring down a small server :)
 * Re-added hide desktop + hide task bar from BioNet 1 as these seemed popular
 * Flip VDU added in at long last; I have promised this for months
 * Remote power management: put their computer on suspend / hibernate
 * Windows colour manager: change the Windows colour settings
 * Remote printer control: send data to the remote printer, have it print out a message
 * Added a ping button on client so you can see if your target is still alive
 * Remote port redirector

New to release 04
 * Brand new GUI
 * Stealth server; startup time is extremely quick
 * Remote keylogger
 * Superfast threaded port scanner
 * Remote installer: have the server download a file from a URL and execute it (useful for updating the server, saves your bandwidth)
 * Hole punch! This new option can't really be explained; in the window manager it punches holes in application windows so that they have a transparent area
 * Record wav: lets you record remote sounds; compresses the wav before transfer to save your download time by around 60%
 * Clipboard manager: this little tool will allow you to manipulate the remote clipboard
 * The server is now even smaller than ever
 * Server builder has a better design and more options
 * Update manager: find out if your version is the latest, with the option of downloading the latest version of BioNet

Features to release 02, 03
 * New drive icons in the FTP manager; added CDUP button
 * Server now supports cached password stealing in Win9X
 * ICQ UIN stealer and AOL screen name grabber also completed, so you may find out contact info of your victim

Release 01 notes
It's been over 6 months since BioNet 1. I am the only programmer working on it so progress has been slow. I have rewritten most of it from scratch and programmed all the popular functions of BioNet 1 as well as a few improvements. This version has been tested over and over and... over again with well over 1000 builds; I'm sure all bugs are ironed out.
Current features:
 * Notify by ICQ: this will send an ICQ message telling you when the victim is online. Add as many ICQs as you want
 * File manager: standard remote upload/download, delete etc.; with multi threading you may upload / download multiple files at the same time
 * Misc API: includes mouse control, hiding / showing start menu
 * Open CDROM: a classic function to open the remote CD drive
 * Remote shutdown: turn off their PC, exit Windows, reboot
 * Window manager: still in its developing stages; you can browse through their open applications
 * BioNet includes a new highly detailed log to see what's going on
 * Server builder: build the server to your specs, disable functions, password protect it etc.
 * Message manager: make a message box pop up, choose what buttons, what icon, and you will receive the reply
MANUAL REMOVAL OF BIONET SERVER:
The BioNet server installs itself under the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run as a string value named, by default, "LibUpdate", whose data points to the installed file. However, this is completely configurable: both the value name and the filename can be anything. Only examination of the file each Run entry points to can determine whether it is BioNet. There are numerous releases of BioNet and over a hundred variants, each uniquely constructed so as to have very little in common with the others without sophisticated antitrojan tools. We consider it one of the more challenging trojans in the wild.
Remove the registry value first. It will not be possible to delete the program file while the server is running, and you may also be prevented from shutting down the computer. A reboot is then required so that the machine restarts without the BioNet server being loaded, at which point the file the registry value pointed to can be deleted without further risk. The BioNet trojan, like most others, will not be visible in the Windows task list, so make a note of the filename referred to in the registry before rebooting and delete that file manually afterwards.
Care should therefore be taken to back up your registry first, as well as your programs and files, in case removal of the registry entry damages your system. Use of Privacy Software Corporation's BOClean 4.07 avoids this possibility by removing the program and its registry entries automatically, without risk of damage and without the need to disconnect or reboot the infected machine.
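Because neither the value name nor the filename nor the port can be relied on, the manual check above comes down to looking at every autostart entry and every listening socket. The script below is an added example written for this page (not the advisory's, BOClean's or BioNet's code) that does that read-only triage: it lists the Run/RunOnce values in HKLM and HKCU, resolves each to the executable it launches, reports whether the file exists, its SHA-256 and its Authenticode status, and flags the default "LibUpdate" value name; it then lists listening TCP ports with their owning process and flags the default port 12349. It assumes Windows PowerShell 5.1 or later, Get-NetTCPConnection (NetTCPIP module, Windows 8 / Server 2012 and later), and an elevated prompt so that all listening sockets can be mapped to processes. It deletes nothing; removal is still the manual procedure above.

```powershell
# Added example, not part of the original advisory. Read-only audit of autostart
# entries and listening TCP ports on the suspect machine.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
$defaultPort = 12349        # BioNet default listening port (from the advisory)
$defaultName = 'LibUpdate'  # BioNet default Run value name (from the advisory)

function Get-ExecutableFromCommand {
    # Turn a Run value such as  "C:\Program Files\x\y.exe" /arg  or  %TEMP%\z.exe
    # into the path of the executable it launches.
    param([string]$Command)
    if ($Command -match '^\s*"([^"]+)"') { $exe = $Matches[1] }
    else { $exe = ($Command.Trim() -split '\s+')[0] }
    $exe = [Environment]::ExpandEnvironmentVariables($exe)
    if (-not (Split-Path -Path $exe -Parent)) {
        # Bare name (e.g. rundll32.exe): resolve through PATH like the loader would.
        $cmd = Get-Command -Name $exe -ErrorAction SilentlyContinue
        if ($cmd) { $exe = $cmd.Source }
    }
    return $exe
}

$autostart = foreach ($key in $runKeys) {
    if (-not (Test-Path -Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        # Skip the provider bookkeeping properties PowerShell adds to the object.
        if ($p.Name -in 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider') { continue }
        $exe    = Get-ExecutableFromCommand ([string]$p.Value)
        $exists = Test-Path -LiteralPath $exe -PathType Leaf
        $flags  = @()
        if ($p.Name -eq $defaultName) { $flags += 'default BioNet value name' }
        if (-not $exists) { $flags += 'target file missing' }
        elseif ((Get-AuthenticodeSignature -FilePath $exe).Status -ne 'Valid') { $flags += 'unsigned or invalid signature' }
        [pscustomobject]@{
            Key     = $key
            Name    = $p.Name
            Command = [string]$p.Value
            Exists  = $exists
            SHA256  = if ($exists) { (Get-FileHash -LiteralPath $exe -Algorithm SHA256).Hash } else { '' }
            Flags   = ($flags -join '; ')
        }
    }
}

$listening = Get-NetTCPConnection -State Listen | ForEach-Object {
    $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
    [pscustomobject]@{
        LocalPort = $_.LocalPort
        PID       = $_.OwningProcess
        Process   = if ($proc) { $proc.ProcessName } else { '?' }
        Path      = if ($proc) { $proc.Path } else { '' }
        Flags     = if ($_.LocalPort -eq $defaultPort) { 'BioNet default port' } else { '' }
    }
}

Write-Host '== Autostart entries =='
$autostart | Format-Table -AutoSize -Wrap
Write-Host '== Listening TCP ports =='
$listening | Sort-Object LocalPort | Format-Table -AutoSize
```

Anything flagged as unsigned, pointing at a missing file, or listening on an unexpected port deserves a closer look, but absence of flags proves nothing: a renamed server on a non-default port with no signature check failure of its own looks like any other unsigned program, which is exactly the advisory's point. Compare the SHA-256 values against a known-good baseline of the machine where one exists.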
COPYRIGHTED MATERIAL:
Copyright (c) 2001 by Privacy Software Corporation.
Permission is granted for the retransmission of this advisory by electronic means. It is not to be edited in any way without the express consent of Privacy Software Corporation. Requests to reprint this information in whole or in part should be directed to [email protected].
Disclaimer: The information within this advisory may change without notice and is provided by Privacy Software Corporation AS IS. No warrantees, express or implied, are provided with respect to this information nor should any be construed by the transmission of this information. Any use of this information or its recommendations is solely at the risk of the user.
Contact Privacy Software Corporation at http://www.privsoft.com, http://www.nsclean.com, email to [email protected]. Copies of the BioNet distribution(s) as captured by Privacy Software Corporation will only be provided to recognized security interests and responsible, recognized members of the press with the technical capability to conduct independent research on this trojan horse program or in the alternative, we will provide the URL where the programs can be obtained independently. Copies will NOT be provided by us to any other parties. Privacy Software Corporation reserves the right to refuse transmission without further explanation. Under the provisions of Privacy Software Corporation's customer and website privacy policies, we cannot divulge email from our customers regarding their experiences with these trojan horse programs nor can we divulge their identities under any circumstances.