NetBus: What Type of Malware Is It and Why It Still Matters

Table of Contents

Long before today's sophisticated banking trojans and nation-state implants, a program called NetBus introduced millions of internet users in the late 1990s to the concept of covert remote access. Understanding NetBus — what type of malware it is, how it worked, and what legacy it left — provides important historical context for understanding modern threats.

What Type of Malware Is NetBus?

NetBus belongs to the Remote Access Trojan (RAT) category of malware.

More specifically, it is:
- A Trojan horse: It was distributed disguised as a legitimate game or utility
- A Remote Access Trojan (RAT): It provided the attacker with covert remote control over the infected machine
- A backdoor: It opened a persistent hidden port on the victim's machine that allowed unauthorized access

The "Trojan" component is essential — NetBus could not spread autonomously like a worm. It required the victim to willingly execute the client installation component, typically disguised as something harmless.

History of NetBus

NetBus was created by Swedish developer Carl-Fredrik Neikter and released in 1998. Neikter initially claimed it was designed as a remote administration tool — similar to the legitimate pcAnywhere software of the era.

The program quickly gained notoriety in cybercrime circles and among early internet prankers, who used it to:
- Open CD-ROM drives remotely
- Take screenshots without user knowledge
- Swap mouse buttons
- Display messages on screen
- Control the mouse and keyboard
- Execute programs remotely
- Upload and download files
- Capture keystrokes

What made NetBus particularly controversial was a documented case in 1999 where child pornography was planted on a prosecutor's computer via NetBus — used as a defense strategy in a Swedish court case. The incident highlighted the serious legal implications of RAT tools.

How NetBus Worked

NetBus had two components:

The Server (Patch.exe): The malicious component installed on the victim's machine. Once running, it listened for connections on TCP port 12345 (or 12346 in some versions). It ran silently with no visible window and added itself to the Windows registry for persistence.

The Client: The attacker's interface, which connected to the server component on the victim's IP address and provided a graphical panel to control the infected machine.

The victim received the server component disguised as a game called Whack-a-Mole, a screensaver, or other innocuous software. Executing the program installed the NetBus server invisibly in the background.

NetBus vs. Back Orifice

NetBus competed with Back Orifice — a RAT released by the hacker collective Cult of the Dead Cow in 1998 — for notoriety during the same period. Back Orifice targeted Windows 98 and was released specifically to embarrass Microsoft over Windows security. Both tools normalized the concept of covert remote access in both security research and criminal communities.

Legacy and Impact on Modern Malware

NetBus directly influenced RAT development that followed. Key concepts it pioneered became standard in modern RATs:

  • Client-server architecture: Separate attacker interface and victim-side server
  • Persistent port listener: Establishing a persistent backdoor
  • Disguised distribution: Trojan-style delivery through appealing fake software
  • Multi-function capability: Combining surveillance, file access, and control

Modern RATs like AsyncRAT, QuasarRAT, Cobalt Strike, and DarkComet are direct descendants conceptually — they implement the same architecture with vastly more sophisticated evasion, encryption, and capability.

Why NetBus Matters Today

For security education: NetBus is widely referenced in security textbooks and certification curricula (including CompTIA and CEH) as a foundational example of RAT malware — making it a common exam topic.

For historical context: Understanding where modern threats came from helps analysts recognize patterns. The client-server RAT model that NetBus popularized is still the dominant architecture in use.

For AV detection history: NetBus signatures remain in every major antivirus database — it's a simple detection test that confirms basic AV functionality.

FAQ

Is NetBus still used today?
Original NetBus is obsolete — antivirus products detect it universally. However, its concepts persist in every modern RAT.

Is NetBus illegal?
Distributing or using NetBus without the target's consent is illegal in most jurisdictions under computer fraud and unauthorized access laws. Creating or possessing it for security research is generally legal.

What port does NetBus use?
TCP ports 12345 and 12346. These ports became so associated with NetBus that firewalls commonly blocked them by default.

What's the difference between NetBus and legitimate remote admin tools?
Consent and transparency. Legitimate tools (TeamViewer, RDP) require explicit user consent and show their presence clearly. NetBus operated covertly without the victim's knowledge.


This article is published by ScamSandbox to help users understand and avoid malware threats and online scams.

Sc

ScamSandbox Team

Cybersecurity Expert at ScamSandbox

Share: