| Sub7 | |
|---|---|
| Original author(s) | mobman |
| Preview release | 2.3 / 2010 |
| Written in | Delphi |
| Operating system | Microsoft Windows |
| Type | Trojan horse (computing) |
| License | Freeware |
| Website | sub7crew |
Sub7, also known as SubSeven or Sub7Server, is a Trojan horse program, more specifically a remote-access Trojan, originally released in February 1999. [1] [2] [3] Its name was derived by spelling NetBus backwards ("suBteN") and replacing "ten" with "seven". As of June 2021, the development of Sub7 is being continued. [4]
Because its typical use is to allow undetected and unauthorized access, Sub7 is usually described as a Trojan horse by security experts. [5] [2] [6] [7] [8] [9] Starting with version 2.1 (1999) it could be controlled via IRC; as one security book phrased it, "This set the stage for all malicious botnets to come." [7] Sub7 also has features of little use in legitimate remote administration, such as keystroke logging. [7]
Sub7 worked on the Windows 9x and on the Windows NT family of operating systems, up to and including Windows 8.1. [8]
SubSeven was developed by mobman, a computer programmer originally from Craiova, Romania. [10]
Mobman released SubSeven on February 28, 1999. His first edition, titled SubSeven v1.0, carried echoes of another Trojan of the time, Back Orifice (BO); mobman described SubSeven as a clone of BO. The inaugural branch of versions, v1.0 to v1.9, restricted the user experience to a single window, making them straightforward and easy to use. In an experimental version of 1.9, SubSeven 1.9 Apocalypse, mobman revamped the blue/purple design that had been in use since v1.5.
In 2001, in an attempt to reinvent the design again, the v2.2x branch was created. It proved to be short-lived: its modular approach, which allowed the creation of plugins and custom features, did not resonate with users who lacked either the skills or the motivation to write new extensions and plugins. Mobman therefore decided to continue the 2.1.x branch. In 2003, version 2.1.5, known as "SubSeven Legends", marked the end of SubSeven development under mobman. [3]
In 2006, sub7legends.net re-opened with hundreds of thousands of users and has kept Sub7 alive with clean downloads, support and new software releases.
No development occurred for several years until version 2.3 in 2010. This release was based on the genuine SubSeven 2.2 and 2.1.3 source code, which mobman himself had shared with his close friends "Read101" and "fc", who were responsible for the update. The revival did not capture the public's attention as anticipated; this lack of interest was attributed primarily to "fc", who was more interested in monetizing the new version than in improving its quality. [11]
SubSeven 2.3, released on March 9, 2010, was revamped to work on all 32-bit and 64-bit versions of Windows and included a TCP tunnel and password recovery for browsers, instant messengers and email clients. It was very buggy. The website that made these claims is no longer active.
In June 2021, Jean-Pierre Lesueur (DarkCoderSc) released a complete from-scratch remake of SubSeven version 2.2. This version maintained a look and feel similar to the original. Development has since ceased, and the source code has been made available to the public. [12]
In October 2023, "IllWill", a former member of the Sub7 Crew from the 1990s and early 2000s, delivered a talk at BSides CT 2023. [13] The presentation delved into the story behind mobman, revealing several previously unknown facts about the mysterious developer. The talk concluded with IllWill releasing the official and genuine source code of SubSeven 2.1.2/3 on his GitLab. [14] This release was made possible by mobman's direct contribution and with his blessing.
As of now, no other versions of SubSeven have been officially released, apart from version 2.1.2/3 by IllWill. The SubSeven 2.2 version remains exclusively in the possession of mobman, Read101, fc, and DarkCoderSc.
In a 2013 Rolling Stone article, mobman was identified as an American man. [15] In an October 2024 episode of the podcast Darknet Diaries, a man claiming to be from Romania, to reside in Canada and to be the real mobman confronted the American, pointing out inconsistencies in his story, such as the first version of Sub7 stating "From Windsor, Ontario", a place the American said he had never been. [16]
Like other remote admin programs, Sub7 is distributed with a server and a client. The server is the program that the host must run in order to have their machines controlled remotely, and the client is the program with a GUI that the user runs on their own machine to control the server/host PC. Computer security expert Steve Gibson once said that with these features, Sub7 allows a hacker to take "virtually complete control" over a computer. Sub7 is so invasive, he said, that anyone with it on their computer "might as well have the hacker standing right next to them" while using their computer. [17]
Sub7 has more features than NetBus (webcam capture, multiple port redirection, a user-friendly registry editor, chat and more).
According to a security analysis, [18] Sub7's server-side (target computer) features include:
On the client side, the software had an "address book" that let the controller know when the target computers were online. Additionally, the server program could be customized before delivery by a so-called server editor (an idea borrowed from Back Orifice 2000). Customizations possible with the Sub7 server editor included changing the port numbers and displaying a customized message upon installation, which could be used, for example, "to deceive the victim and mask the true intent of the program". [18] The Sub7 server could also be configured to notify the controller of IP address changes of the host machine by email, ICQ or IRC. [19]
Connections to Sub7 servers can be protected with a chosen password. [19] A deeper reverse-engineering analysis revealed, however, that "SubSeven's author has secretly included a hardcoded master password for all of his Trojans! The Trojan itself has been Trojaned". [9] For version 1.9 the master password is predatox, and for versions 2.1 through 2.2b it is 14438136782715101980. The master password for the SubSeven DEFCON8 2.1 backdoor is acidphreak. [20]
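The hardcoded master passwords above double as indicators of compromise: a binary that carries one of those literal strings is worth a closer look regardless of the password its operator configured. The following script, an added example rather than anything from the article or the Sub7 project, scans file contents for the three master-password strings the article names (checking both the raw ASCII form and a UTF-16LE encoding, the latter being an assumption about how a string might be stored). The sample bytes are constructed for the demonstration.

```python
from pathlib import Path
from typing import Dict, List

# Master-password strings documented for Sub7 (values taken from the article).
SUB7_MASTER_PASSWORDS: Dict[bytes, str] = {
    b"predatox": "SubSeven 1.9 master password",
    b"14438136782715101980": "SubSeven 2.1 to 2.2b master password",
    b"acidphreak": "SubSeven DEFCON8 2.1 master password",
}


def find_sub7_indicators(data: bytes) -> List[str]:
    """Return a description for every known Sub7 master-password string found in data.

    Each needle is searched twice: as the literal ASCII bytes and as UTF-16LE
    (an assumption about wide-string storage, not something the article states).
    """
    hits: List[str] = []
    for needle, description in SUB7_MASTER_PASSWORDS.items():
        if needle in data:
            hits.append(description)
        wide = needle.decode("ascii").encode("utf-16-le")
        if wide in data:
            hits.append(description + " (UTF-16LE)")
    return hits


def scan_file(path: Path) -> List[str]:
    """Scan one file; unreadable files are reported as no hits rather than raising."""
    try:
        return find_sub7_indicators(path.read_bytes())
    except OSError:
        return []


def scan_tree(root: Path) -> Dict[str, List[str]]:
    """Walk a directory and map each file path to the indicators found in it (non-empty only)."""
    results: Dict[str, List[str]] = {}
    for candidate in root.rglob("*"):
        if candidate.is_file():
            hits = scan_file(candidate)
            if hits:
                results[str(candidate)] = hits
    return results


# Constructed sample: a fake PE header, filler, and one embedded master password.
CONSTRUCTED_SUSPECT = b"MZ\x90\x00" + b"\x00" * 32 + b"14438136782715101980" + b"\x00" * 8
# Constructed sample with the 1.9 password stored as UTF-16LE.
CONSTRUCTED_WIDE = b"MZ\x90\x00" + "predatox".encode("utf-16-le")
# Constructed clean sample.
CONSTRUCTED_CLEAN = b"MZ\x90\x00" + b"hello world" * 4


if __name__ == "__main__":
    for label, blob in [("suspect", CONSTRUCTED_SUSPECT),
                        ("wide", CONSTRUCTED_WIDE),
                        ("clean", CONSTRUCTED_CLEAN)]:
        print(label, find_sub7_indicators(blob))
```

A plain substring match is deliberately simple: it will not see strings that the binary packs, encrypts or builds at runtime, so a miss is not a clean bill of health, while a hit on a file that has no business containing these strings is a strong signal.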
SubSeven has been used to gain unauthorized access to computers since it also worked as a keylogger. While it can be used for causing mischief (such as making sound files play out of nowhere, changing screen colors, etc.), it can also read keystrokes that were made since the last boot—a capability that can be used to steal passwords, credit card numbers, and other sensitive data. [21]
In 2003, a hacker began distributing a Spanish-language email purporting to be from security firm Symantec that was used to trick recipients into downloading Sub7. [22]
Although Sub7 is not itself a worm (it has no built-in self-propagation features) it has been leveraged by some worms such as W32/Leaves (2001). [6] [23]
Some versions of Sub7 include code from Hard Drive Killer Pro to format the hard drive; this code only runs if the host's ICQ number matches "7889118", the number of a rival Trojan author of mobman's. [24]
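The IRC control channel introduced in version 2.1 and the server's ability to announce IP-address changes over email, ICQ or IRC all leave a trace at the network edge: a workstation opening outbound connections on those services when it has no reason to. The script below is an added example, not code from the article or from Sub7, that reads constructed firewall log lines and reports internal hosts using those channels. The log format, the internal address range (10.0.0.0/8), the approved mail relay (10.0.0.2) and the port assumptions (6660 to 6669 and 6697 for IRC, 5190 for ICQ, 25 for SMTP) are all assumptions made for the demonstration; the article names none of them.

```python
import ipaddress
import re
from collections import defaultdict
from typing import Dict, Optional, Set

# Constructed, hypothetical firewall log: "<time> <src> -> <dst>:<port> <proto> <action>".
SAMPLE_LOG = """\
2001-06-12T10:00:01 10.0.0.5 -> 198.51.100.20:6667 TCP allow
2001-06-12T10:00:07 10.0.0.5 -> 198.51.100.20:6667 TCP allow
2001-06-12T10:01:13 10.0.0.5 -> 198.51.100.20:6667 TCP allow
2001-06-12T10:01:40 10.0.0.9 -> 203.0.113.8:443 TCP allow
2001-06-12T10:02:02 10.0.0.9 -> 10.0.0.2:25 TCP allow
2001-06-12T10:02:30 10.0.0.14 -> 203.0.113.77:25 TCP allow
2001-06-12T10:03:05 10.0.0.14 -> 203.0.113.77:5190 TCP allow
2001-06-12T10:03:45 10.0.0.2 -> 203.0.113.10:25 TCP allow
2001-06-12T10:04:00 10.0.0.21 -> 198.51.100.20:6667 TCP deny
"""

LINE_RE = re.compile(r"^(\S+) (\S+) -> (\S+):(\d+) (\S+) (\S+)$")
INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # assumed internal range
MAIL_RELAY = {"10.0.0.2"}                       # assumed host allowed to send mail directly


def classify_port(port: int) -> Optional[str]:
    """Map a destination port to the notification/control channel it suggests (assumed ports)."""
    if 6660 <= port <= 6669 or port == 6697:
        return "irc"
    if port == 5190:
        return "icq"
    if port == 25:
        return "smtp"
    return None


def find_notification_channels(log_text: str) -> Dict[str, Dict[str, Set[str]]]:
    """Return {internal_host: {channel: {dst:port, ...}}} for allowed egress on watched ports.

    Internal-to-internal traffic is ignored, as is SMTP from the approved relay, so
    legitimate mail delivery does not show up; denied connections are not counted.
    """
    findings: Dict[str, Dict[str, Set[str]]] = defaultdict(lambda: defaultdict(set))
    for line in log_text.splitlines():
        match = LINE_RE.match(line.strip())
        if not match:
            continue  # skip malformed lines rather than abort the whole scan
        _ts, src, dst, port, _proto, action = match.groups()
        if action != "allow":
            continue
        src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if src_ip not in INTERNAL or dst_ip in INTERNAL:
            continue  # only internal hosts talking to the outside are of interest
        channel = classify_port(int(port))
        if channel is None or (channel == "smtp" and src in MAIL_RELAY):
            continue
        findings[src][channel].add(f"{dst}:{port}")
    return {host: dict(channels) for host, channels in findings.items()}


def format_report(findings: Dict[str, Dict[str, Set[str]]]) -> str:
    """Render findings one host per line, channels sorted for stable output."""
    lines = []
    for host in sorted(findings, key=ipaddress.ip_address):
        parts = [f"{ch}={','.join(sorted(d))}" for ch, d in sorted(findings[host].items())]
        lines.append(f"{host}: " + " ".join(parts))
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(find_notification_channels(SAMPLE_LOG)))
```

On the sample log this flags 10.0.0.5 (repeated IRC connections to one external host, the shape of a bot checking in) and 10.0.0.14 (direct SMTP plus ICQ to the same external address), while the relay's own mail delivery and the internal SMTP submission are left alone.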