HOME

TheInfoList



OR:

Sub7, or SubSeven or Sub7Server, is a
Trojan horse The Trojan Horse was a wooden horse said to have been used by the Greeks during the Trojan War to enter the city of Troy and win the war. The Trojan Horse is not mentioned in Homer's ''Iliad'', with the poem ending before the war is concluded, ...
program originally released in 1999. Its name was derived by spelling NetBus backwards ("suBteN") and swapping "ten" with "seven". As of June 2021, the development of Sub7 is being continued. Because its typical use is to allow undetected and unauthorized access, Sub7 is usually described as a
trojan horse The Trojan Horse was a wooden horse said to have been used by the Greeks during the Trojan War to enter the city of Troy and win the war. The Trojan Horse is not mentioned in Homer's ''Iliad'', with the poem ending before the war is concluded, ...
by security experts. Starting with version 2.1 (1999) it could be controlled via
IRC Internet Relay Chat (IRC) is a text-based chat system for instant messaging. IRC is designed for group communication in discussion forums, called '' channels'', but also allows one-on-one communication via private messages as well as chat an ...
. As one security book phrased it: "This set the stage for all malicious
botnets A botnet is a group of Internet-connected devices, each of which runs one or more Internet bot, bots. Botnets can be used to perform distributed denial-of-service attack, Distributed Denial-of-Service (DDoS) attacks, steal data, send Spamming, s ...
to come." Additionally Sub7 has some features deemed of little use in legitimate remote administration like
keystroke logging Keystroke logging, often referred to as keylogging or keyboard capturing, is the action of recording (logging) the keys struck on a keyboard, typically covertly, so that a person using the keyboard is unaware that their actions are being monitored ...
. Sub7 worked on the
Windows 9x Windows 9x is a generic term referring to a series of Microsoft Windows computer operating systems produced from 1995 to 2000, which were based on the Windows 95 kernel and its underlying foundation of MS-DOS, both of which were updated in subs ...
and on the
Windows NT Windows NT is a proprietary graphical operating system An operating system (OS) is system software that manages computer hardware, software resources, and provides common services for computer programs. Time-sharing operating systems sc ...
family of operating systems, up to and including
Windows 8.1 Windows 8.1 is a release of the Windows NT operating system developed by Microsoft. It was released to manufacturing on August 27, 2013, and broadly released for retail sale on October 17, 2013, about a year after the retail release of its pre ...
.


History

Sub7 has been claimed to be the creation of a hacker with the handle "mobman". Some sources claim that the software has been developed by an unknown Romanian programmer. Until today, "mobman" claims to be the creator, but the original ownership of the software is not yet clearly attributed to a specific individual. No development had occurred in several years until a new version was scheduled for release on Feb. 28th, 2010. In 2006 (sub7legends.net) re-opened with hundreds of thousands of users, and has kept Sub7 alive with clean downloads and support and new software releases. SubSeven 2.3, released on March 9, 2010, was revamped to work on all 32-bit and 64-bit versions of Windows and includes TCP Tunnel and Password Recovery for browsers, instant messengers and email clients. It was very buggy and was not written in Delphi which the original author used. The website that claimed to do this is no longer active. In June 2021, a completely new alpha version was released with a similar look and feel to the original release, but it is not developed by the original author.


Architecture and features

Like other remote admin programs, Sub7 is distributed with a
server Server may refer to: Computing *Server (computing), a computer program or a device that provides functionality for other programs or devices, called clients Role * Waiting staff, those who work at a restaurant or a bar attending customers and su ...
and a
client Client(s) or The Client may refer to: * Client (business) * Client (computing), hardware or software that accesses a remote service on another computer * Customer or client, a recipient of goods or services in return for monetary or other valuable ...
. The server is the program that the host must run in order to have their machines controlled remotely, and the client is the program with a
GUI The GUI ( "UI" by itself is still usually pronounced . or ), graphical user interface, is a form of user interface that allows users to interact with electronic devices through graphical icons and audio indicator such as primary notation, inste ...
that the user runs on their own machine to control the server/host PC. Computer security expert Steve Gibson once said that with these features, Sub7 allows a hacker to take "virtually complete control" over a computer. Sub7 is so invasive, he said, that anyone with it on their computer "might as well have the hacker standing right next to them" while using their computer. Gibson, Steve
The strange tale of the denial of service attacks on grc.com
2002-03-05.
Sub7 has more features than Netbus (webcam capture, multiple port redirect, user-friendly registry editor, chat and more), but it always tries to install itself into windows directory and it does not have activity logging. According to a security analysis,Crapanzano, Jamie (2003),
Deconstructing SubSeven, the Trojan Horse of Choice.
SANS Institute The SANS Institute (officially the Escal Institute of Advanced Technologies) is a private U.S. for-profit company founded in 1989 that specializes in information security, cybersecurity training, and selling certificates. Topics available for tr ...
Information Security Reading
Sub7's server-side (target computer) features include: * recording: ** sound files from a microphone attached to the machine ** images from an attached video camera ** screen shots of the computer * retrieving a listing of recorded and cached passwords * taking over an ICQ account used on the target machine (back then the most popular messaging service); added in version 2.1. This included the ability to disable the local use of the account and read the chat history * features which were presumably intended to be used for prank or irritating purposes including: ** changing desktop colors ** opening and closing the optical drive ** swapping the mouse buttons ** turning the monitor off/on ** "text2speech" voice synthesizer which allowed the remote controller to have the computer "talk" to its user *
penetration test A penetration test, colloquially known as a pen test or ethical hacking, is an authorized simulated cyberattack on a computer system, performed to evaluate the security of the system; this is not to be confused with a vulnerability assessment. T ...
ing features, including a
port scanner A port scanner is an application designed to probe a server or host for open ports. Such an application may be used by administrators to verify security policies of their networks and by attackers to identify network services running on a host and ...
and a port redirector On the client-side the software had an "address book" that allowed the controller to know when the target computers are online. Additionally the server program could be customized before being delivered by a so-called server editor (an idea borrowed from
Back Orifice 2000 Back Orifice 2000 (often shortened to BO2k) is a computer program designed for remote system administration. It enables a user to control a computer running the Microsoft Windows operating system from a remote location. The name is a pun on Micr ...
). Customizations possible with the Sub7 server editor included changing the port addresses, displaying a customized message upon installation that could be used for example "to deceive the victim and mask the true intent of the program". The Sub7 server could also be configured to notify the controller of
IP address An Internet Protocol address (IP address) is a numerical label such as that is connected to a computer network that uses the Internet Protocol for communication.. Updated by . An IP address serves two main functions: network interface ident ...
changes of the host machine by email, ICQ or IRC. Connections to Sub7 servers can be password protected with a chosen password. A deeper
reverse engineering Reverse engineering (also known as backwards engineering or back engineering) is a process or method through which one attempts to understand through deductive reasoning how a previously made device, process, system, or piece of software accompli ...
analysis revealed however that "SubSeven's author has secretly included a hardcoded master password for all of his Trojans! The Trojan itself has been Trojaned". For Version 1.9 the master password is predatox and 14438136782715101980 for versions 2.1 through 2.2b. The Master Password for SubSeven DEFCON8 2.1 Backdoor is acidphreak.


Uses and incidents

SubSeven has been used to gain unauthorized access to computers. While it can be used for making mischief (such as making sound files play out of nowhere, change screen colors, etc.), it can also read keystrokes that occurred since the last boot—a capability that can be used to steal passwords and credit card numbers. In 2003, a hacker began distributing a Spanish-language email purporting to be from security firm Symantec that was used to trick recipients into downloading Sub7. Although Sub7 is not itself a
worm Worms are many different distantly related bilateral animals that typically have a long cylindrical tube-like body, no limbs, and no eyes (though not always). Worms vary in size from microscopic to over in length for marine polychaete wor ...
(has no built-in self-propagation features) it has been leveraged by some worms such as W32/Leaves (2001). Some versions of Sub7 include code from Hard Drive Killer Pro to format the hard drive, this code will only run if it matched the ICQ number of "7889118" (mobman's rival trojan author.)


See also

*
Back Orifice Back Orifice (often shortened to BO) is a computer program designed for remote administration, remote system administration. It enables a user to control a computer running the Microsoft Windows operating system from a remote location.Richtel, M ...
*
Back Orifice 2000 Back Orifice 2000 (often shortened to BO2k) is a computer program designed for remote system administration. It enables a user to control a computer running the Microsoft Windows operating system from a remote location. The name is a pun on Micr ...
*
Trojan horse (computing) In computing, a Trojan horse is any malware that misleads users of its true intent. The term is derived from the Ancient Greek story of the deceptive Trojan Horse that led to the fall of the city of Troy. Trojans generally spread by some form ...
*
Malware Malware (a portmanteau for ''malicious software'') is any software intentionally designed to cause disruption to a computer, server, client, or computer network, leak private information, gain unauthorized access to information or systems, depri ...
*
Backdoor (computing) A backdoor is a typically covert method of bypassing normal authentication or encryption in a computer, product, embedded device (e.g. a home router), or its embodiment (e.g. part of a cryptosystem, algorithm, chipset, or even a "homunculus compu ...
*
Rootkit A rootkit is a collection of computer software, typically malicious, designed to enable access to a computer or an area of its software that is not otherwise allowed (for example, to an unauthorized user) and often masks its existence or the exis ...
*
MiniPanzer and MegaPanzer MiniPanzer and MegaPanzer are two variants of ''Bundestrojaner'' (German for federal Trojan horse) written for ERA IT Solutions (a Swiss federal government contractor) by software engineer Ruben Unteregger, and later used by Switzerland's Feder ...
*
File binder File binders are utility software that allow a user to "bind" multiple files together resulting in a single executable. They are commonly used by hackers to insert other programs such as Trojan horses into otherwise harmless files, making them mor ...


References


External links


Website
* http://www.giac.org/paper/gcih/36/subseven-213-bonus/100239
Darknet Diaries Podcast Ep 20:mobman

Screenshot of subseven V2.2 readme
{{remote administration software Windows remote administration software Remote administration software Windows trojans Pascal (programming language) software