Sub7

Original author(s): mobman
Preview release: 2.3 / 2010
Written in: Delphi
Operating system: Microsoft Windows
Type: Trojan horse (computing)
License: freeware
Website: sub7crew.org

Sub7, or SubSeven or Sub7Server, is a Trojan horse program originally released in February 1999. [1] [2] Its name was derived by spelling NetBus backwards ("suBteN") and swapping "ten" with "seven". As of June 2021, the development of Sub7 is being continued. [3]


Because its typical use is to allow undetected and unauthorized access, Sub7 is usually described as a trojan horse by security experts. [4] [2] [5] [6] [7] [8] Starting with version 2.1 (1999) it could be controlled via IRC; as one security book phrased it, "This set the stage for all malicious botnets to come." [6] Additionally, Sub7 has some features deemed of little use in legitimate remote administration, such as keystroke logging. [6]

Sub7 worked on the Windows 9x and on the Windows NT family of operating systems, up to and including Windows 8.1. [7]

History

SubSeven was developed by mobman, a computer programmer originally from Craiova, Romania. [9]

In 2006 the site sub7legends.net re-opened with hundreds of thousands of users, and has kept Sub7 alive with clean downloads, support and new software releases.

No development had occurred for several years until version 2.3 in 2010. This release was based on the genuine SubSeven 2.2 and 2.1.3 source code, which mobman himself had shared with his close friends "Read101" and "fc", who were responsible for this update. Unfortunately, the revival did not capture the public's attention as anticipated. This lack of interest was primarily due to "fc", who was more interested in monetizing the new version than in enhancing its quality. [10]

SubSeven 2.3, released on March 9, 2010, was revamped to work on all 32-bit and 64-bit versions of Windows and included a TCP tunnel and password recovery for browsers, instant messengers and email clients. It was very buggy. The website that made this claim is no longer active.

In June 2021, Jean-Pierre Lesueur (DarkCoderSc) released from scratch a complete remake of SubSeven version 2.2. This version maintained a similar look and feel to the original. Since then, development has ceased, and the source code has been made available to the public. [11]

In October 2023, "IllWill", a former member of the Sub7 Crew from the 1990s and early 2000s, delivered a talk at BSides CT 2023. [12] This presentation delved into the story behind mobman, revealing several previously unknown facts about the mysterious developer. The talk concluded with IllWill releasing the official and genuine source code of SubSeven 2.1.2/3 on his GitLab. [13] This release was made possible by mobman's direct contribution and with his blessing.

As of now, no other versions of SubSeven have been officially released, apart from version 2.1.2/3 by IllWill. The SubSeven 2.2 version remains exclusively in the possession of mobman, Read101, fc, and DarkCoderSc.

Architecture and features

Like other remote admin programs, Sub7 is distributed with a server and a client. The server is the program that the host must run in order to have their machines controlled remotely, and the client is the program with a GUI that the user runs on their own machine to control the server/host PC. Computer security expert Steve Gibson once said that with these features, Sub7 allows a hacker to take "virtually complete control" over a computer. Sub7 is so invasive, he said, that anyone with it on their computer "might as well have the hacker standing right next to them" while using their computer. [14]

Sub7 has more features than NetBus (webcam capture, multiple port redirect, user-friendly registry editor, chat and more).

According to a security analysis, [15] Sub7's server-side (target computer) features include:

On the client side the software had an "address book" that allowed the controller to know when the target computers were online. Additionally, the server program could be customized before being delivered, using a so-called server editor (an idea borrowed from Back Orifice 2000). Customizations possible with the Sub7 server editor included changing the port addresses and displaying a customized message upon installation, which could be used for example "to deceive the victim and mask the true intent of the program". [15] The Sub7 server could also be configured to notify the controller of IP address changes of the host machine by email, ICQ or IRC. [16]

Connections to Sub7 servers can be password protected with a chosen password. [16] However, a deeper reverse-engineering analysis revealed that "SubSeven's author has secretly included a hardcoded master password for all of his Trojans! The Trojan itself has been Trojaned". [8] For version 1.9 the master password is predatox, and for versions 2.1 through 2.2b it is 14438136782715101980. The master password for the SubSeven DEFCON8 2.1 backdoor is acidphreak. [17]

Uses and incidents

SubSeven has been used to gain unauthorized access to computers. While it can be used for making mischief (such as making sound files play out of nowhere, changing screen colors, etc.), it can also read keystrokes that occurred since the last boot—a capability that can be used to steal passwords and credit card numbers. [18]

In 2003, a hacker began distributing a Spanish-language email purporting to be from security firm Symantec that was used to trick recipients into downloading Sub7. [19]

Although Sub7 is not itself a worm (it has no built-in self-propagation features), it has been leveraged by some worms such as W32/Leaves (2001). [5] [20]

Some versions of Sub7 include code from Hard Drive Killer Pro to format the hard drive; this code only runs if the ICQ number matches "7889118" (that of mobman's rival trojan author). [21]


References

  1. "Sub7 Legacy". www.sub7crew.org. Retrieved 2021-06-19.
  2. John R. Vacca (2013). Network and System Security (2nd ed.). Elsevier. p. 63. ISBN 978-0-12-416695-0.
  3. "Sub7 Legacy". www.sub7crew.org. Retrieved 2021-06-19.
  4. Christopher A. Crayton (2003). Security+ Exam Guide. Cengage Learning. p. 340. ISBN 1-58450-251-7.
  5. Mohssen Mohammed; Al-Sakib Khan Pathan (July 2013). Automatic Defense Against Zero-day Polymorphic Worms in Communication Networks. CRC Press. p. 105. ISBN 978-1-4822-1905-0.
  6. Craig Schiller; James R. Binkley (2011). Botnets: The Killer Web Applications. Syngress. p. 8. ISBN 978-0-08-050023-2.
  7. Diane Barrett; Todd King (2005). Computer Networking Illuminated. Jones & Bartlett Learning. pp. 521–. ISBN 978-0-7637-2676-8.
  8. Cyrus Peikari; Anton Chuvakin (2004). Security Warrior. O'Reilly Media. p. 31. ISBN 978-0-596-55239-8.
  9. "A Malware retrospective: SubSeven". medium.com. Retrieved 2024-02-05.
  10. "A Malware retrospective: SubSeven". medium.com. Retrieved 2024-02-05.
  11. "Sub7 Legacy". www.github.com. Retrieved 2021-06-19.
  12. "BSides CT 2023 - illwill: FINDING MOBMAN". www.youtube.com. Retrieved 2023-10-07.
  13. "Sub7". www.gitlab.com. Retrieved 2023-10-07.
  14. Gibson, Steve. The strange tale of the denial of service attacks on grc.com. 2002-03-05.
  15. Crapanzano, Jamie (2003). "Deconstructing SubSeven, the Trojan Horse of Choice". SANS Institute Information Security Reading
  16. Eric Cole (2002). Hackers Beware. Sams Publishing. p. 569. ISBN 978-0-7357-1009-2.
  17. SANS, A Risk to Your Internet Security, chapter "The Inner Workings of Sub7", page 14, notes several master passwords used.
  18. Sub7 analysis from Sophos.
  19. "Symantec report on Sub7". Symantec.com. Retrieved 2012-08-28.
  20. "The CERT Division | Software Engineering Institute".
  21. admin (2018-12-14). "Who is the real mobman?". illmob. Retrieved 2020-07-15.