Copyright SANS Institute
Author Retains Full Rights
This paper is from the SANS Penetration Testing site. Reposting is not permitted without express written permission.

What is SubSeven?
Giving away control of your machine!
James Wentzel

What is SubSeven

SubSeven is a backdoor Trojan for Windows 95/98, now referred to as a Remote Administration Tool (RAT), which allows remote users to control and retrieve information from a system.[1] The SubSeven Trojan was first discovered in May of 1999 and has had many versions released since that time.[2] SubSeven was developed to improve on the capabilities that the NetBus Trojan was lacking. The powers of SubSeven can be grouped into three major areas: file controls, monitoring, and network control. SubSeven is now becoming the most popular RAT on the internet. Unlike most RATs, SubSeven normally has an update to the server every couple of weeks, and with each update more features are added.[3]


The file controls of SubSeven include a huge number of utilities. Some of the most powerful of these allow the remote user to transfer files to or from the remote computer; to move, copy, rename or delete files on the remote computer; to erase the user's entire hard drive; and to execute programs.[4] With these basic controls the hacker can install new versions of the Trojan onto the system, making all of the additional features that are added to the Trojan available to the hacker. These features also allow the hacker to copy sensitive information off of the computer without the owner of the computer having any knowledge of it.

© SANS Institute 2000 - 2002                As part of GIAC practical repository.                   Author retains full rights.
The Monitoring controls give the person that is remotely accessing the machine the ability to collect huge amounts of information. This includes the ability to see exactly what is on the screen of the computer that is being remotely accessed. The hacker also has the ability to see every key press that the person using the computer types, and these keystrokes can also be logged. What this means is that if a password is typed at the keyboard, the actual password will be logged. This gives the hacker the ability to collect usernames and passwords for access to other systems that the user has access to. The remote user also has all of the capabilities they would have when using a remote-access package like PC-Anywhere to access the computer.[5]

The Network controls also have some powerful tools. With these network tools the hacker can see all open connections on the machine that is being accessed and can close any open connections he wants to. One of the most powerful tools is the ability to relay off of the computer to attack another system, limiting the chance that the actual hacker will get caught; the person whose computer is being used to do the scan or attack will be the one to get the blame.[6] A recent release of SubSeven has a new, undocumented feature that allows the machine running the Trojan to be used to send a huge number of pings to a Web server from numerous infected clients simultaneously, causing a distributed denial of service attack. This information comes from research completed by the security outfit iDefense.[7]
When a hacker is creating the Trojan to be sent to an unsuspecting person, one of the features of SubSeven is the ability to configure it to inform the hacker, by many different means, that a machine has been infected; this notification contains all of the information that is necessary for the hacker to use the Trojan on the infected computer.[8]

When configuring the SubSeven Trojan, the hacker can select up to 4 different methods of notification that a machine has been infected. The notification methods include ICQ notification to a specific user, IRC notification using a specific server, port and user, or an e-mail notification sending the message to a specific user relaying off of a predefined relay server. Any one of these methods or any combination of them can be selected. If none of these methods are selected then no notification will be sent.
When configuring the SubSeven server, there are many ways to select for the SubSeven server to start up automatically on the infected computer. For these different methods to work, the installation of SubSeven modifies some key files on the infected machine. The normal files and entries that get updated are the following:

    1) an entry on the "shell=" line in the SYSTEM.INI file
    2) an entry on the "load=" or "run=" line in the WIN.INI file
    3) in the registry, "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
    4) in the registry, "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices"

On most of the systems that have been compromised with SubSeven, the entry has been found most often to be in the first location.[9]

The full list of features offered as part of SubSeven v2.1 is:

    Address book
    Wwp pager retriever
    Win2ip
    Remote IP scanner
    Host lookup
    Get Windows CD-KEY
    Update victim from URL
    ICQ takeover
    FTP root folder
    Retrieve dial-up passwords along with phone numbers and usernames
    Port redirect
    IRC bot
    File Manager bookmarks
    Make folder, delete folder [empty or full]
    Process manager
    Text 2 speech
    Clipboard manager [EDIT SERVER CHANGES]
    Customizable colors
    Change server ICON
    Pick random port on server startup
    Irc bot configuration
    Restart server
    AOL Instant messenger spy
    Yahoo messenger spy
    Microsoft messenger spy
    Retrieve list of ICQ usernames and passwords
    Retrieve list of AIM users and passwords
    App redirect
    Edit file
    Perform clicks on victim's desktop
    Set/change screen saver settings [Scrolling Marquee]
    Restart Windows
    Ping server
    Compress/Decompress files before and after transfers
    The matrix
    Ultra fast IP scanner
    IP Tool [Resolve Host names/Ping IP addresses]
    Get victim's home info
        Address
        Business name
        City
        Company
        Country
        Customer type
        e-mail
        real name
        state
        city code
        country code
        local phone
        zip code
    Configure Client colors
    Configure menu options [add/delete pages, change names]
    Automatically Display Image when downloaded [jpg, bmp]
    Automatically edit files when downloaded [txt, bat]
    Change port numbers for The Matrix, Keylogger and Spies
    Retrieve "SubSeven message of the day"
    Protect Server's port and Password once installed
    Melt server when executed
    Protect server settings with a password
    Open Web Browser to specified location
    Restart Windows [5 methods]:
        Normal shutdown
        Forced Windows shutdown
        Log off Windows user
        Shutdown Windows and turn off computer
        Reboot System
    Reverse/restore Mouse buttons
    Hide/Show Mouse Pointer
    Control Mouse
    Mouse Trail Config
    Set Volume
    Record Sound file from remote mic.
    Change Windows Colors / Restore
    Hang up Internet Connection
    Change Time
    Change Date
    Change Screen resolution
    Hide Desktop Icons / show
    Hide Start Button / show
    Hide taskbar / show
    Open CD-Rom Drive / Close
    Beep computer Speaker / stop
    Turn Monitor off / on
    Disable CTRL+ALT+DEL / Enable
    Turn on Scroll Lock / off
    Turn on Caps Lock / Off
    Turn on Num Lock / Off
    Connect / Disconnect
    Fast IP Scanner
    Get Computer Name
    Get User Name
    Get Windows and System Folder Names
    Get Computer Company
    Get Windows Version
    Get Windows Platform
    Get Current Resolution
    Get DirectX Version
    Get Current Bytes per Pixel settings
    Get CPU Vendor
    Get CPU Speed
    Get Hard Drive Size
    Get Hard Drive Free Space
    Change Server Port
    Set / Remove Server Password
    Update Server
    Close Server
    Remove Server
    ICQ Pager Connection Notify
    IRC Connection Notify
    E-Mail Connection Notify
    Enable Key Logger / Disable
    Clear the Key Logger Windows
    Collect Keys pressed while Offline
    Open Chat Victim + Controller
    Open Chat among all Connected Controllers
    Windows Pop-up Message Manager
    Disable Keyboard
    Send Keys to a remote Window
    ICQ Spy
    Full Screen Capture
    Continuous Thumbnail Capture
    Flip Screen
    Open FTP server
    Find Files
    Capture from Computer Camera
    List Recorded Passwords
    List Cached Passwords
    Clear Password List
    Registry Editor
    Send Text to Printer
    Show files/folders and navigate
    List Drives
    Execute Application
    Enter Manual Command
    Type Path Manually
    Download Files
    Upload Files
    Get File Size
    Delete File
    Play *.wav
    Set Wallpaper
    Print .txt/.rtf file
    Show image
    List Visible Windows
    List all active Applications
    Focus on Window
    Close Window
    Disable X (close) button
    Hide/unhide a Window from view
    Enable / Disable Window
    Set Quality of Full Screen Capture
    Set Quality of Thumbnail Capture
    Set Chat font size and Colors
    Set Client's User Name
    Set Local 'Download' directory
    Set quick help [hints]
    Pre Set Target Port
    Preset Server Password
    Attach EXE File
    Pre Set filename after installation
    Pre Set Registry Key
    Pre Set Auto Start Methods:
        Registry: Run
        Registry: RunServices
        Win.ini
        Less Known Method
        Not Known Method
    Pre Set Fake error message
    Pre Set Connection Notify Username
    Pre Set Connection Notify to ICQ#
    Pre Set Connection Notify to E-Mail
    Pre Set Connection Notify to IRC Channel or Nickname

All of the listed features are available in version 2.1 and will be included in newer releases of the program.[10] This list is constantly changing as newer versions of the program become available.

If you find that your machine has been infected with SubSeven, you are not completely out of luck. SubSeven is actually very easy to remove from the system. You just need to do some very basic steps:

    1) delete the virus executable file
    2) remove the virus startup entries in the registry
    3) correct the changed settings in the registry and system.ini file
    4) after all is done, reboot and let the new settings take effect[11]
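As an added example (constructed here, not code from the paper or from any SubSeven tool), the following Python checks the four startup locations listed earlier (the SYSTEM.INI "shell=" line, the WIN.INI "load="/"run=" lines, and the Run and RunServices registry keys) and then rewrites the two INI files as removal step 3 requires. It assumes a clean Windows 9x baseline of shell=Explorer.exe with empty load= and run= lines, takes the Run/RunServices values as a plain dictionary so it runs offline, and uses placeholder file names rather than real Trojan names.

```python
import re
from typing import Dict, List, Tuple

# Assumed clean Windows 9x baseline: the [boot] shell= line names only Explorer.exe,
# and the [windows] load= and run= lines in WIN.INI are empty.
EXPECTED_SHELL = "explorer.exe"

# Run / RunServices value names treated as known-good. This allowlist is an
# assumption for the example; a real baseline comes from a known-clean machine.
RUN_KEY_ALLOWLIST = {
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run": {"systray"},
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices": {"scanregistry"},
}

# Constructed sample input; the *.EXE names are placeholders, not real SubSeven file names.
SAMPLE_SYSTEM_INI = """[boot]
shell=Explorer.exe C:\\WINDOWS\\PLACEHOLDER_SERVER.EXE
[386Enh]
device=*vcd
"""
SAMPLE_WIN_INI = """[windows]
load=
run=C:\\WINDOWS\\PLACEHOLDER_LOADER.EXE
[Desktop]
Wallpaper=(None)
"""
SAMPLE_RUN_KEYS = {
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run": {
        "SysTray": "SysTray.Exe",
        "PlaceholderEntry": r"C:\WINDOWS\SYSTEM\PLACEHOLDER.EXE",
    },
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices": {
        "ScanRegistry": r"C:\WINDOWS\scanregw.exe /autorun",
    },
}


def parse_ini(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal INI parser: section and key names are lower-cased, values kept verbatim."""
    sections: Dict[str, Dict[str, str]] = {}
    current = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        key, sep, value = line.partition("=")
        if sep:
            sections.setdefault(current, {})[key.strip().lower()] = value.strip()
    return sections


def audit_system_ini(text: str) -> List[str]:
    """Location 1: any program after Explorer.exe on the shell= line is a finding."""
    tokens = parse_ini(text).get("boot", {}).get("shell", "").split()
    if not tokens:
        return []
    extra = tokens[1:] if tokens[0].lower() == EXPECTED_SHELL else tokens
    return [f"SYSTEM.INI [boot] shell= launches extra program: {t}" for t in extra]


def audit_win_ini(text: str) -> List[str]:
    """Location 2: load= and run= are empty on the assumed clean baseline."""
    windows = parse_ini(text).get("windows", {})
    return [f"WIN.INI [windows] {key}= launches: {windows[key]}"
            for key in ("load", "run") if windows.get(key)]


def audit_run_keys(values: Dict[str, Dict[str, str]]) -> List[str]:
    """Locations 3 and 4: flag Run / RunServices values that are not on the allowlist."""
    findings = []
    for key_path, entries in values.items():
        allowed = RUN_KEY_ALLOWLIST.get(key_path, set())
        for name, command in entries.items():
            if name.lower() not in allowed:
                findings.append(f"{key_path}\\{name} = {command}")
    return findings


def audit(system_ini: str, win_ini: str, run_keys: Dict[str, Dict[str, str]]) -> List[str]:
    """All four startup locations in one pass; an empty list means nothing unexpected."""
    return audit_system_ini(system_ini) + audit_win_ini(win_ini) + audit_run_keys(run_keys)


def clean_ini(system_ini: str, win_ini: str) -> Tuple[str, str]:
    """Removal step 3 for the INI files: restore shell= to Explorer.exe, blank load= and run=."""
    fixed_system = re.sub(r"(?im)^([ \t]*shell[ \t]*=).*$", r"\g<1>Explorer.exe", system_ini)
    fixed_win = re.sub(r"(?im)^([ \t]*(?:load|run)[ \t]*=).*$", r"\g<1>", win_ini)
    return fixed_system, fixed_win


if __name__ == "__main__":
    for finding in audit(SAMPLE_SYSTEM_INI, SAMPLE_WIN_INI, SAMPLE_RUN_KEYS):
        print("FINDING:", finding)
    cleaned_system, cleaned_win = clean_ini(SAMPLE_SYSTEM_INI, SAMPLE_WIN_INI)
    print("after cleanup:", audit(cleaned_system, cleaned_win, {}))
```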

The best way to prevent a machine from being infected with SubSeven is to practice good habits. These good habits include not opening anything whose original source you do not know. Also, you always want to have current Anti-Virus software running on your computer; this prevents older versions of the Trojan from infecting your computer, and if your computer has already been compromised, a new update may find that your machine has been compromised. Finally, it is always a good idea to have some type of personal firewall running on your computer. I have found the personal firewalls that prevent all outbound traffic from programs that have not been given this type of access to be the best at preventing this type of Trojan. The only drawback to this is if the Trojan is installed with the name of an application that does have the type of access out of your computer needed to send the notification. However, most of these personal firewalls by default block outbound traffic from your computer on the standard ports that are used by this and many other Trojans.

[1] Symantec, "SubSeven 2.0 Server", 10/4/1999, http://www.symantec.com/avcenter/venc/data/sub.seven.20.html (1/19/2001)
[2] rmbox, windos.exe/sub7info, 2/7/2000, http://discussions.virtualdr.com/Forum1/HTML/007663.html (2/13/2001)
[3] The Next Generation is Now, http://www.sub7.org.uk/main.htm (2/13/2001)
[4] HackFix, "SubSeven – About SubSeven", http://www.hackfix.org/subseven/about.shtml (1/19/2001)
[5] ibid.
[6] ibid.
[7] Chris Pallack, Sub7 vid Trojan can launch distributed attacks, 6/17/2000, http://www.linuxfw.org/articles/network_security_article-903.html (2/13/2001)
[8] HackFix, "SubSeven – About SubSeven", http://www.hackfix.org/subseven/about.shtml (1/19/2001)
[9] Donald F. Kelloway, "The Basics of SubSeven (aka Sub7 or Backdoor_G)", http://www.commodon.com/threat/threat-sub7.htm (1/24/2001)
[10] About SubSeven, http://www.sub7files.com/about/index.shtml (2/13/2001)
[11] rmbox, windos.exe/sub7info, 2/7/2000, http://discussions.virtualdr.com/Forum1/HTML/007663.html (2/13/2001)

© SANS Institute 2000 - 2002                    As part of GIAC practical repository.                           Author retains full rights.