Use offense to inform defense. Find flaws before the bad guys do - SANS Cyber Defense
Copyright SANS Institute. Author Retains Full Rights.

This paper is from the SANS Penetration Testing site. Reposting is not permitted without express written permission. Interested in learning more? Check out the list of upcoming events offering "Hacker Tools, Techniques, Exploits, and Incident Handling (SEC504)" at https://pen-testing.sans.org/events/
What is SubSeven? Giving away control of your machine!
James Wentzel

What is SubSeven

SubSeven is a backdoor Trojan for Windows 95/98, now being referred to as a Remote Administration Tool (RAT), which allows remote users to control and retrieve information from a system.[1] The SubSeven Trojan was first discovered in May of 1999 and has had many versions released since that time.[2] SubSeven was developed to improve on the capabilities that the NetBus Trojan was lacking. The powers of SubSeven can be grouped into three major areas: File controls, Monitoring, and Network Control. SubSeven is now becoming the most popular RAT on the internet. Unlike most RATs, SubSeven normally has an update to the server every couple of weeks, and with each update it has more features added.[3]

The file controls of SubSeven include a huge number of utilities. Of these different utilities, some of the most powerful give the remote user the ability to transfer files to or from the remote computer; the ability to move, copy, rename or delete files off of the remote computer; the ability to erase the entire user's hard drive; and the ability to execute programs.[4] With these basic controls the hacker has the ability to install new versions of the Trojan onto the system, making all of the additional features that are added to the Trojan available to the hacker. These features also allow the hacker to copy sensitive information off of the computer without the owner of the computer having any knowledge of it.

© SANS Institute 2000 - 2002 As part of GIAC practical repository. Author retains full rights.
The Monitoring controls give the person that is remotely accessing the machine the ability to collect huge amounts of information. This information that can be gathered includes the ability to see exactly what is on the screen of the computer that is being remotely accessed. The hacker also has the ability to see all of the key presses that the person using the computer types, and these keystrokes can also be logged; what this means is that if a password is typed at the keyboard, the actual password will be logged. This gives the hacker the ability to collect usernames and passwords for access to other systems that the user has access to. You also have all of the capabilities as if you were using some type of package like PC-Anywhere to remotely access the computer.[5]

The Network controls have some powerful tools also. With these network tools you can see all open connections on a machine that is being accessed, and the hacker can close any open connections that it wants to. One of the most powerful tools is the ability to relay off of the computer to attack another system, limiting the chance that the actual hacker will get caught; the person whose computer is being used to do the scan or attack will be the one to get the blame.[6] In a recent release of SubSeven there is a new feature that is undocumented; this feature allows the machine that is running the Trojan to be used to send a huge number of pings to a Web server from numerous infected clients simultaneously, causing a distributed denial of service attack. This information was gotten from research completed by the security outfit iDefense.[7]

When a hacker is creating the Trojan to be sent to an unsuspecting person, one of the features of SubSeven is the ability for it to be configured to inform the hacker, by many different means, that a machine has been infected, and this notification contains all of the information that is necessary for the hacker to use the Trojan on the infected computer.[8]

When configuring the SubSeven Trojan the hacker can select up to 4 different notification methods that a machine has been infected. The notification methods include ICQ notification to a specific user, IRC notification using a specific server, port and user, or an e-mail notification sending the message to a specific user relaying off of a predefined relay server. Any one of these methods can be selected, or any combination of these methods can be selected. If none of these methods are selected then no notification will be sent.
When configuring the SubSeven server, there are many ways to select for the SubSeven server to start up automatically on the infected computer. For these different methods to work, the installation of SubSeven modifies some key files on the infected machine. The normal files and entries that get updated are the following:

1) an entry on the "shell=" line in the SYSTEM.INI file
2) an entry on the "load=" or "run=" line in the WIN.INI file
3) In the registry "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
4) In the registry "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices"

On most of the systems that have been compromised with SubSeven, it has been found most often to be in the first location.[9]
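The four autostart locations listed above are also what the paper's later removal steps tell you to clean up, so they are the natural places for a defender to audit. The following Python script is an added example, not part of the original paper: it parses the text of SYSTEM.INI, WIN.INI and a .reg export of the CurrentVersion key, flags anything beyond the stock shell= line, any non-empty load=/run= value, and any Run/RunServices value not on a known-good baseline, and prints what to restore for each finding. The sample file contents, the hidden_server.exe / updater.exe / Win32Loader names and the KNOWN_GOOD baseline are all constructed for the example.

```python
"""Audit the SubSeven autostart locations (SYSTEM.INI shell=, WIN.INI load=/run=,
HKLM ...\\CurrentVersion\\Run and RunServices) from text inputs.

Added example; inputs below are constructed, not captured from a real system.
"""
import re

# Constructed sample: on Windows 9x the only legitimate shell= value is Explorer.exe;
# anything appended to that line is an autostart hook (the paper's location 1).
SAMPLE_SYSTEM_INI = """[boot]
shell=Explorer.exe C:\\WINDOWS\\hidden_server.exe
drivers=mmsystem.dll
"""

# Constructed sample: load= is empty (fine), run= launches a hypothetical program.
SAMPLE_WIN_INI = """[windows]
load=
run=C:\\WINDOWS\\SYSTEM\\updater.exe
NullPort=None
"""

# Constructed sample .reg export (hypothetical value names/paths).
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"Win32Loader"="C:\\WINDOWS\\winloader.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"""

RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
RUNSERVICES_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices"

# Constructed allow-list of autostart value names treated as expected; a real
# deployment would build this from a known-good baseline of the same OS image.
KNOWN_GOOD = {"scanregistry"}


def parse_ini(text):
    """Minimal INI parser: section -> key -> list of values (Win9x files may repeat keys)."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current].setdefault(key.strip().lower(), []).append(value.strip())
    return sections


def parse_reg_export(text):
    """Parse string values under each [HKEY...] key of a .reg export: key -> name -> data."""
    keys, current = {}, None
    value_re = re.compile(r'"((?:[^"\\]|\\.)*)"\s*=\s*"((?:[^"\\]|\\.)*)"')
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith('"'):
            m = value_re.match(line)
            if m:
                # .reg files escape backslashes; unescape so paths read naturally
                keys[current][m.group(1)] = m.group(2).replace("\\\\", "\\")
    return keys


def audit_autostart(system_ini, win_ini, reg_export):
    """Return (location, suspicious entry, remediation) tuples for the four locations."""
    findings = []
    boot = parse_ini(system_ini).get("boot", {})
    for shell in boot.get("shell", []):
        parts = shell.split()
        if len(parts) != 1 or parts[0].lower() != "explorer.exe":
            findings.append(("SYSTEM.INI shell=", shell, "restore to: shell=Explorer.exe"))
    windows = parse_ini(win_ini).get("windows", {})
    for key in ("load", "run"):
        for value in windows.get(key, []):
            if value:  # both lines are normally empty on a clean machine
                findings.append((f"WIN.INI {key}=", value, f"clear the line: {key}="))
    keys = parse_reg_export(reg_export)
    for key in (RUN_KEY, RUNSERVICES_KEY):
        short = key.rsplit("\\", 1)[-1]
        for name, data in keys.get(key, {}).items():
            if name.lower() not in KNOWN_GOOD:
                findings.append((f"registry {short}", f"{name}={data}",
                                 "delete the value once the referenced file is confirmed rogue"))
    return findings


if __name__ == "__main__":
    for location, entry, fix in audit_autostart(SAMPLE_SYSTEM_INI, SAMPLE_WIN_INI, SAMPLE_REG_EXPORT):
        print(f"{location:20} {entry}\n{'':20} -> {fix}")
```

On a suspect machine the three inputs would come from the actual C:\WINDOWS\SYSTEM.INI and WIN.INI files and from a `regedit /e` export of the CurrentVersion key; the script reads text only, so it can be run against files copied off the box rather than on the infected host itself.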
The full list of features offered as part of SubSeven v2.1 are:

Address book
Wwp pager retriever
Win2ip
Remote IP scanner
Host lookup
Get Windows CD-KEY
Update victim from URL
ICQ takeover
FTP root folder
Retrieve dial-up passwords along with phone numbers and usernames
Port redirect
IRC bot
File Manager bookmarks
Make folder, delete folder [empty or full]
Process manager
Text 2 speech
Clipboard manager
[EDIT SERVER CHANGES]
Customizable colors
Change server ICON
Pick random port on server startup
Irc bot configuration
Restart server
AOL Instant messenger spy
Yahoo messenger spy
Microsoft messenger spy
Retrieve list of ICQ usernames and passwords
Retrieve list of AIM users and passwords
App redirect
Edit file
Perform clicks on victim's desktop
Set/change screen saver settings [Scrolling Marquee]
Restart Windows
Ping server
Compress/Decompress files before and after transfers
The matrix
Ultra fast IP scanner
IP Tool [Resolve Host names/Ping IP addresses]
Get victim's home info
Address
Business name
City
Company
Country
Customer type
e-mail
real name
state
city code
country code
local phone
zip code
Configure Client colors
Configure menu options [add/delete pages, change names]
Automatically Display Image when downloaded [jpg, bmp]
Automatically edit files when downloaded [txt, bat]
Change port numbers for The Matrix, Keylogger and Spies
Retrieve "SubSeven message of the day"
Protect Server's port and Password once installed
Melt server when executed
Protect server settings with a password
Open Web Browser to specified location
Restart Windows [5 methods]:
Normal shutdown
Forced Windows shutdown
Log off Windows user
Shutdown Windows and turn off computer
Reboot System
Reverse/restore Mouse buttons
Hide/Show Mouse Pointer
Control Mouse
Mouse Trail Config
Set Volume
Record Sound file from remote mic.
Change Windows Colors / Restore
Hang up Internet Connection
Change Time
Change Date
Change Screen resolution
Hide Desktop Icons / show
Hide Start Button / show
Hide taskbar / show
Open CD-Rom Drive / Close
Beep computer Speaker / stop
Turn Monitor off / on
Disable CTRL+ALT+DEL / Enable
Turn on Scroll Lock / off
Turn on Caps Lock / Off
Turn on Num Lock / Off
Connect / Disconnect
Fast IP Scanner
Get Computer Name
Get User Name
Get Windows and System Folder Names
Get Computer Company
Get Windows Version
Get Windows Platform
Get Current Resolution
Get DirectX Version
Get Current Bytes per Pixel settings
Get CPU Vendor
Get CPU Speed
Get Hard Drive Size
Get Hard Drive Free Space
Change Server Port
Set / Remove Server Password
Update Server
Close Server
Remove Server
ICQ Pager Connection Notify
IRC Connection Notify
E-Mail Connection Notify
Enable Key Logger / Disable
Clear the Key Logger Windows
Collect Keys pressed while Offline
Open Chat Victim + Controller
Open Chat among all Connected Controllers
Windows Pop-up Message Manager
Disable Keyboard
Send Keys to a remote Window
ICQ Spy
Full Screen Capture
Continuous Thumbnail Capture
Flip Screen
Open FTP server
Find Files
Capture from Computer Camera
List Recorded Passwords
List Cached Passwords
Clear Password List
Registry Editor
Send Text to Printer
Show files/folders and navigate
List Drives
Execute Application
Enter Manual Command
Type Path Manually
Download Files
Upload Files
Get File Size
Delete File
Play *.wav
Set Wallpaper
Print .txt/.rtf file
Show image
List Visible Windows
List all active Applications
Focus on Window
Close Window
Disable X (close) button
Hide/unhide a Window from view
Enable / Disable Window
Set Quality of Full Screen Capture
Set Quality of Thumbnail Capture
Set Chat font size and Colors
Set Client's User Name
Set Local 'Download' directory
Set quick help [hints]
Pre Set Target Port
Preset Server Password
Attach EXE File
Pre Set filename after installation
Pre Set Registry Key
Pre Set Auto Start Methods:
Registry: Run
Registry: RunServices
Win.ini
Less Known Method
Not Known Method
Pre Set Fake error message
Pre Set Connection Notify Username
Pre Set Connection Notify to ICQ#
Pre Set Connection Notify to E-Mail
Pre Set Connection Notify to IRC Channel or Nickname

All of the listed features are available in version 2.1 and will be included in newer releases of the program.[10] This list is constantly changing as newer versions of the program become available.

If you find that your machine has been infected with SubSeven, you are not completely out of luck. SubSeven is actually very easy to remove from the system. You just need to do some very basic steps.

1) delete the virus executable file
2) remove the virus startup entries in the registry
3) Correct the changed settings in the registry and system.ini file
4) After all is done, reboot and let the new settings take effect[11]

The best way to prevent a machine from being infected with SubSeven is to practice good habits. These good habits include not opening anything that you do not know the original source of. Also, you always want to have current Anti-Virus software running on your computer; what this does for you is prevent older versions of the Trojan from infecting your computer, and if your computer has already been compromised, when a new update becomes available it may find that your machine has been compromised. Finally, it is always a good idea to have some type of personal firewall running on your computer. I have found the personal firewalls that prevent all outbound traffic from programs that have not been given this type of access to be the best at preventing this type of Trojan. The only drawback to this is if the Trojan is installed with the name of an application that does have the type of access out of your computer to send the notification. However, most of these personal firewalls by default block outbound traffic from your computer on the standard ports that are used by this and many other Trojans.

1 Symantec, "SubSeven 2.0 Server", 10/4/1999, http://www.symantec.com/avcenter/venc/data/sub.seven.20.html (1/19/2001)
2 rmbox, windos.exe/sub7info, 2/7/2000, http://discussions.virtualdr.com/Forum1/HTML/007663.html (2/13/2001)
3 The Next Generation is Now, http://www.sub7.org.uk/main.htm (2/13/2001)
4 HackFix, "SubSeven – About SubSeven", http://www.hackfix.org/subseven/about.shtml (1/19/2001)
5 ibid.
6 ibid.
7 Chris Pallack, Sub7 vid Trojan can launch distributed attacks, 6/17/2000, http://www.linuxfw.org/articles/network_security_article-903.html (2/13/2001)
8 HackFix, "SubSeven – About SubSeven", http://www.hackfix.org/subseven/about.shtml (1/19/2001)
9 Donald F. Kelloway, "The Basics of SubSeven (aka Sub7 or Backdoor_G)", http://www.commodon.com/threat/threat-sub7.htm (1/24/2001)
10 About SubSeven, http://www.sub7files.com/about/index.shtml (2/13/2001)
11 rmbox, windos.exe/sub7info, 2/7/2000, http://discussions.virtualdr.com/Forum1/HTML/007663.html (2/13/2001)