Sub Seven .nfo
I have always been playing around with Trojans, and one of the easiest and most versatile over the past three years has been Sub Seven.
It was one of the first to have web cam capture built in (NetBus 1.6 beat it only by a few months). It also had a good working ICQ spy and other instant messenger sniffers. Also, the offline key logger was incredible. Well, now that 2.2.x is out, I am amazed at all the features and the ease it provides for a script kiddie.
At the 2000 Defcon Convention, Mobman showed the latest version of his “Remote administration” tool. Like any hacker, he says this was done to show exploits in the Win.x OS. But the variety of cheap tricks provided in the client app really pushes this line. Things like the instant messenger sniffer, keyboard disable, password capture, port re-direct, flip screen, fake error messages, and many other silly things are hard to justify for a network administrator.
Compromising a Victim's Computer…
First, you have to set up a server file for your “victim” to run. The intruder edits this file to fit their needs (the intruder is the client machine, the victim will be the server). You can change the icon of this executable, or even bind it to another exe, like the silly elf bowl or ANY executable. You can even have this file produce a fake error, which will discourage the person from bothering with it after that point. After that, the victim is infected, and the client is notified via ICQ, E-mail, or IRC. The victim has no idea that he is now a server.
From there, the client can do pretty much whatever they want. The client is notified whenever the server boots up and connects to the Internet. This includes turning on web cams, grabbing browser passwords, and deleting, uploading, and downloading files. Activities done by the client are almost completely transparent to the server (this is a compromised machine).
Invasion of Privacy…
There are just too many things to mention about the victim's privacy. The key logger will log everything typed in from the keyboard. This bypasses any encryption.
The microphone and the server's web cam can be turned on. The client can also watch where the victim goes on the Internet, and what applications are running.
Stealing Files…
The client has full access to all files on the server. In fact, you can enable an FTP server as a feature for easier access. Any personal files may be stolen.
This also includes mapped drives. During the Microsoft Crack, it is believed that this was used on a Microsoft employee’s home computer that logged into Microsoft’s network. This may have compromised Microsoft’s trade secrets.
This is a definite problem for any company employee that may work from home. It should be understood that any network the server has access to, the client can access as well.
Port Re-Direct…
The most useful thing for a cracker, or a vandal, is the port re-direct. The client can set the server to re-direct all data going into one port of the server machine to any port on any other IP address. This is commonly used with DoS attacks. The administrator of a site will see the server/victim as the source IP of the attack, when it's actually coming from the client machine.
This is the difference between routing and re-direction. There is no simple way to find out the source of a DoS attack without someone investigating this deeply. It has been used commonly, and these attackers have not been caught. Mafia Boy did use this product when he did his infamous attacks. The servers simply saw his machine as the source. However, most DoS attacks remain unsolved due to port re-directing with SubSeven and other Trojans.
How To Protect Yourself…
Virus products will not pick this up. And with social engineering, you can infect any machine. It will only work if the client can get to the server directly. This means that firewalls and NAT (Network Address Translation, like shared routers for Cable and DSL, and most corporate firewalls) will not allow the clients to connect. So if your PC is infected, the router will not allow incoming connections.
Using any NAT device will currently prevent this. When you go to the store and see a Cable/DSL router with “NAT” on the side of the box, it will prevent the client from reaching the server. The client would have to crack into the router to get by this. This is very difficult.
If you have no use for a router with NAT, use a personal firewall like McAfee. This will easily tell you what is going out from your computer to the Internet.
If you're a company, get a firewall or proxy server. You should have one for the safety of your business and your employees.
If you suspect that you are infected, you can investigate the multiple places that it is installed in your machine. Check out http://www.hackfix.org/subseven/ for information. Also, going to a DOS prompt and typing in “Netstat” will reveal all connections currently on your PC. This may help you determine if someone is in your PC.
Conclusion…
SubSeven is not a nice product. It is well written for malicious intent. Almost anyone can figure out its simplistic interface. Back Orifice is the only product I see superior to this, however you need to know how to code to take full advantage of Back Orifice. Netbus is a commercial product, but that's another issue. Other Trojans seem too buggy.
I hope that you have taken precautions to avoid being a victim of SubSeven.
11/6/00 9:40:23 PM
You can E-mail me at