Sub7

For the band, see Subseven.

Sub7
Original author(s)	mobman

Stable release	Sub7 0.9 (2014)
Written in	Delphi
Operating system	Microsoft Windows
Type	remote administration/trojan
License	freeware
Website	SubSeven Site

Sub7, or SubSeven or Sub7Server, is a remote administration tool/trojan program (RAT—where the "T" can have a dual meaning in this case).^[1] Its name was derived by spelling NetBus backwards ("suBteN") and swapping "ten" with "seven". Sub7 was created by Mobman. Mobman has not maintained or updated the software since 2004, however an author known as Read101 has carried on the Sub7 legacy.

Because its typical use is to allow undetected and unauthorized access, Sub7 is usually described as a trojan horse by security experts.^[2]^[1]^[3]^[4]^[5]^[6] Starting with version 2.1 (1999) it could be controlled via IRC. As one security book phrased it: "This set the stage for all malicious botnets to come."^[4] Additionally Sub7 has some features deemed of little use in legitimate remote administration like keystroke logging.^[4]

Sub7 worked on the Windows 9x and on the Windows NT family of operating systems, up to and including Windows 8.1.^[5]

History

It was originally designed by someone with the handle 'mobman'. No development has occurred in several years until a new version scheduled for release on Feb. 28th, 2010. In October 2009 mobman was alleged to have stated via IRC that due to working and going to college full-time that he will not be able to help with Sub7.

In 2006 (sub7legends.net) re-opened with hundreds of thousands of users, and has kept Sub7 alive with clean downloads and support and new software releases.

SubSeven 2.3, released on March 9, 2010, was revamped to work on all 32-bit and 64-bit versions of Windows and includes TCP Tunnel and Password Recovery for browsers, instant messengers and email clients. It was very buggy and was not written in Delphi which the original author used. The website that claimed to do this is no longer active.

Architecture and features

Like other remote admin programs, Sub7 is distributed with a server and a client. The server is the program that the host must run in order to have their machines controlled remotely, and the client is the program with a GUI that the user runs on their own machine to control the server/host PC. Computer security expert Steve Gibson once said that with these features, Sub7 allows a hacker to take "virtually complete control" over a computer. Sub7 is so invasive, he said, that anyone with it on their computer "might as well have the hacker standing right next to them" while using their computer.^[7]

Sub7 has more features than Netbus (webcam capture, multiple port redirect, user-friendly registry editor, chat and more), but it always tries to install itself into windows directory and it does not have activity logging.

According to a security analysis,^[8] Sub7's server-side (target computer) features include:

recording:
- sound files from a microphone attached to the machine
- images from an attached video camera
- screen shots of the computer
retrieving a listing of recorded and cached passwords
taking over an ICQ account used on the target machine (back then the most popular messaging service); added in version 2.1. This included the ability to disable the local use of the account and read the chat history
features which were presumably intended to be used for prank or irritating purposes including:
- changing desktop colors
- opening and closing the optical drive
- swapping the mouse buttons
- turning the monitor off/on
- "text2speech" voice synthesizer which allowed the remote controller to have the computer "talk" to its user
penetration testing features, including a port scanner and a port redirector

On the client-side the software had an "address book" that allowed the controller to know when the target computers are online. Additionally the server program could be customized before being delivered by a so-called server editor (an idea borrowed from Back Orifice 2000). Customizations possible with the Sub7 server editor included changing the port addresses, displaying a customized message upon installation that could be used for example "to deceive the victim and mask the true intent of the program".^[8] The Sub7 server could also be configured to notify the controller of IP address changes of the host machine by email, ICQ or IRC.^[9]

Connections to Sub7 servers can be password protected with a chosen password.^[9] A deeper reverse engineering analysis revealed however that "SubSeven's author has secretly included a hardcoded master password for all of his Trojans! The Trojan itself has been Trojaned".^[6] The master password used to be "14438136782715101980", but this "feature" was removed in newer versions due to its discovery. ^[10]

Uses and incidents

SubSeven has been used to gain unauthorized access to computers. While it can be used for making mischief (such as making sound files play out of nowhere, change screen colors, etc.), it can also read keystrokes that occurred since the last boot—a capability that can be used to steal passwords and credit card numbers.^[11]

In 2003, a hacker began distributing a Spanish-language email purporting to be from security firm Symantec that was used to trick recipients into downloading Sub7.^[12]

Although Sub7 is not itself a worm (has no built-in self-propagation features) it has been leveraged by some worms such as W32/Leaves (2001).^[3]^[13]

Detection

Nearly all antivirus programs can detect Sub7 and prevent it from being installed unless steps are taken to hide it.

References

1 2 John R. Vacca (2013). Network and System Security (2nd ed.). Elsevier. p. 63. ISBN 978-0-12-416695-0.
↑ Christopher A. Crayton (2003). Security+ Exam Guide. Cengage Learning. p. 340. ISBN 1-58450-251-7.
1 2 Mohssen Mohammed; Al-Sakib Khan Pathan (July 2013). Automatic Defense Against Zero-day Polymorphic Worms in Communication Networks. CRC Press. p. 105. ISBN 978-1-4822-1905-0.
1 2 3 Craig Schiller; James R. Binkley (2011). Botnets: The Killer Web Applications. Syngress. p. 8. ISBN 978-0-08-050023-2.
1 2 Diane Barrett; Todd King (2005). Computer Networking Illuminated. Jones & Bartlett Learning. pp. 521–. ISBN 978-0-7637-2676-8.
1 2 Cyrus Peikari; Anton Chuvakin (2004). Security Warrior. O'Reilly Media. p. 31. ISBN 978-0-596-55239-8.
↑ Gibson, Steve. The strange tale of the denial of service attacks on grc.com. 2002-03-05.
1 2 Crapanzano, Jamie (2003), "Deconstructing SubSeven, the Trojan Horse of Choice., SANS Institute Information Security Reading
1 2 Eric Cole (2002). Hackers Beware. Sams Publishing. p. 569. ISBN 978-0-7357-1009-2.
↑ "Dissecting the hack: the f0rb1dd3n network"
↑ Sub7 analysis from Sophos
↑ "Symantec report on Sub7". Symantec.com. Retrieved 2012-08-28.
↑ http://www.cert.org/incident_notes/IN-2001-07.html

External links

Remote administration software

General	Remote desktop software Comparison of remote desktop software

Implementations	Absolute Manage AetherPal Apple Remote Desktop Citrix XenApp Crossloop LiteManager LogMeIn Netop Remote Control NetSupport Manager pcAnywhere Radmin RealVNC Remote Desktop Services Remote Utilities ScreenConnect Secure Shell System Center Configuration Manager TeamViewer ThinLinc TightVNC Timbuktu Tivoli Endpoint Manager UltraVNC Virtual Network Computing

Controversial Implementations	Back Orifice Back Orifice 2000 NetBus Sub7

This article is issued from Wikipedia - version of the 10/13/2016. The text is available under the Creative Commons Attribution/Share Alike but additional terms may apply for the media files.