SubSeven

After BO2k, SubSeven (Sub7) was introduced to the security community. In its day, it was leaps and bounds beyond anything else available. Sub7 is especially dangerous because later versions that can mutate their own fingerprint have appeared “in the wild” and are able to thwart the virus-scanning tools that usually catch the likes of Netbus and BO2k. In terms of its remote-control functionality, though, Sub7 is similar to Netbus and BO2k.

Sub7 can be located at web sites such as http://www.packetstormsecurity.com, http://www.tlsecurity.com, and http://www.securityfocus.com. The main SubSeven web site, http://www.subseven.ws, lists versions as recent as March 2003.

Implementation

Just like Netbus and BO2k, Sub7 must also have its server configured before it can be used effectively. First, the attacker will need to open the server editing tool, which is found in the Sub7 file folder. The screen shown in Figure 10-3 is presented when this program is executed:

Figure 10-3: Sub7 opening screen

  1. Select the server that will be configured by clicking the Browse button in the upper-middle section of the window.

  2. Select the default Sub7 server, Server.exe.

  3. Modify any of the options contained within this window. The important options you may want to consider will be described in the upcoming paragraphs.

It’s best to use a password for the Sub7 server. In addition, Sub7 tries to make itself much more stealthy than other tools, and it has many methods of hiding itself when installed on the victim machine, as indicated by the Change Server Icon in the upper-right corner of the window.

Not only can Sub7 do a good job of controlling a machine, it can also notify you when it infects a new victim by using one of several options:

  • ICQ Chat Network

  • IRC Chat Network

  • Notification e-mails

In effect, what Sub7 does for the attacker is take some of the headache out of finding the machines that may be infected with his server.

For this attack, the server will listen on TCP port 62875. It isn’t a special port, just one chosen arbitrarily. If we wanted to, we could also bind this server to an innocuous file, such as an electronic greeting card, for delivery to our unsuspecting victim.

The last option we may choose is whether or not to password-protect the server executable itself. This is usually a good idea from an attacker’s standpoint because it prevents anyone else from playing with this tool. From a legitimate auditor’s standpoint, password protection is usually a bad idea: you may want to re-enter the server at a later date to change its configuration, or you may want to look up how the server was set up.

Next, you have the server executed on the victim machine. To do that, you can use any of the methods described earlier in this chapter, such as binding it to an executable file and e-mailing it to your victim. After Sub7 has been executed, a single port (TCP 62875) is opened, and the new listening socket is visible in the netstat output on the victim machine.
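The defender’s side of that netstat observation, as an added example written for this page (it is not the book’s code and not Sub7’s): a small Python parser that reads `netstat -an` text from a Windows host and flags TCP listeners that are not in a baseline of approved ports. The sample netstat output and the baseline set are constructed for the example; the default ports attributed to NetBus, SubSeven and BO2k are the commonly documented ones and serve only as a hint. Because the server in the text listens on an arbitrarily chosen port (62875), a check keyed only to known default ports would miss it; the comparison against a per-host baseline is what catches it.

```python
import re

# Constructed sample of `netstat -an` output from a Windows host (not the book's screenshot).
# The 0.0.0.0:62875 listener is the Sub7 server from the text.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:62875          0.0.0.0:0              LISTENING
  TCP    192.168.1.20:1041      192.168.1.1:80         ESTABLISHED
  UDP    0.0.0.0:137            *:*
"""

# Hypothetical baseline: the TCP ports this host is approved to listen on.
BASELINE_TCP_LISTENERS = {135, 139, 445}

# Commonly documented default ports of these tools. A hint for triage only; never the sole check,
# because (as the text shows) the operator can pick any port.
KNOWN_BACKDOOR_DEFAULTS = {12345: "NetBus", 27374: "SubSeven", 54320: "BO2k"}

# proto, local address, local port, foreign address, optional state (UDP lines carry no state)
_LINE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)\s*(\S+)?\s*$")


def parse_tcp_listeners(netstat_text):
    """Return a port-sorted list of (local_ip, port) for TCP sockets in the LISTENING state."""
    listeners = []
    for line in netstat_text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue  # header, blank line, or something we do not understand
        proto, local_ip, port, _foreign, state = m.groups()
        if proto == "TCP" and state == "LISTENING":
            listeners.append((local_ip, int(port)))
    return sorted(listeners, key=lambda entry: entry[1])


def unexpected_listeners(netstat_text, baseline):
    """Flag every TCP listener whose port is not in the approved baseline.

    Each finding carries a 'known_tool' hint when the port matches a documented default,
    but a listener on an unknown port is reported just the same."""
    findings = []
    for local_ip, port in parse_tcp_listeners(netstat_text):
        if port in baseline:
            continue
        findings.append({
            "local": f"{local_ip}:{port}",
            "port": port,
            "known_tool": KNOWN_BACKDOOR_DEFAULTS.get(port),
        })
    return findings


if __name__ == "__main__":
    for finding in unexpected_listeners(SAMPLE_NETSTAT, BASELINE_TCP_LISTENERS):
        hint = finding["known_tool"] or "not a documented default; investigate the owning process"
        print(f"unexpected listener {finding['local']}: {hint}")
```

On a live host the same check is worth running with `netstat -ano` so each finding can be tied to a process ID; the parser above deliberately ignores any trailing columns it does not recognise, so that output parses too only if the state column still sits where this regex expects it. Keep the baseline per host role, and review it when software is installed, or every new legitimate service will show up as a finding.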

After the server has been executed on the victim machine (and perhaps the attacker/auditor receives an automated notice), the attacker/auditor can then connect using the Sub7 client.

Note 

The web page presented in this startup screen was not available during the time this book was written. The authors found the tool at the following web site: http://www.tlsecurity.com.

Because the controlling features of Sub7 are not much different from those of Netbus or BO2k, the following examples summarize most of the important functionality of Sub7. First, the client can scan for an infected server, just as we scanned with Netbus and BO2k, which may allow an attacker to find infected victims whose Sub7 servers do not require a password to connect.

To capture typed passwords and other juicy information the user may be entering at the console, Sub7 provides the attacker with the proper functionality under Keys/Messages.

An attacker may want to redirect ports on the victim machine either to hide his IP address from logs or to evade a security architecture between the victim machine and the next target. The functionality to redirect ports may be found in the Advanced folder.


The Miscellaneous folder contains items that allow an attacker to ravage the file system, manage processes (for instance, to check on a sniffer he has started), or view the data on the clipboard of the victim machine, as shown in Figure 10-4.

Figure 10-4: Managing files, Windows, and processes from the Miscellaneous folder

The Fun Manager and Extra Fun folders, shown in Figure 10-5, contain a lot of functionality useful to the attacker. If the victim has a camera attached to the machine, the attacker can turn it on and view the video. Or, if the attacker chooses to be annoying, he can just flip the screen on the victim machine!

Figure 10-5: Having fun with the Fun Manager and Extra Fun folders



Anti-Hacker Tool Kit, Third Edition
ISBN: 0072262877
Year: 2004
Pages: 189
