Security Incidents mailing list archives

Re: Sub-7


From: mparkin () PBI NET (PARKIN, MICHAEL (PBI))
Date: Thu, 8 Jun 2000 12:54:11 -0500


I administer an IRC server on a small network as a hobby, and we've seen
more than our fair share of Sub7 infected clients.  The Sub7Server listens
to port 27374 by default, and that is the default port for client
connections.  Like most of the current Trojan Servers (BO2k, Hack'a'tack,
etc.) S7S gives the intruder fairly complete control over the victim's
machine.  This includes hijacking the mouse, altering registry settings,
getting the password files from the system, etc.

The IRC connection is an optional "feature" of the Server, and the Attacker
can specify the IRC server and channel the server should connect to.  We
mostly dealt with three "series" of infections.  Evidently, one or more
individuals infected a large number of machines between late January and
early March 2000 and sent them all to our Net.  All of these servers
connected to a "generic" server (i.e. irc.ircnetwork.net, rather than a
specific server on the net) and joined the same channel.  They would send
their IP address, listening port, and password to the channel at roughly
five minute intervals.  We monitored the channel under the impression that a
living person coming to a hidden channel was probably well aware of the
existence of the S7's and possibly the actual Attacker.

In any case, the S7S can act as a more or less typical IRC bot, issuing
channel commands and such.  It does not, as far as I know, broadcast
detailed system information to the channel.  However, in a case such as
ours, with the server putting its password information in an open channel,
it would be possible for anyone in the channel with the Sub7Client to
connect to the infected machine and do what they will.

Hope this helps.

Mike Parkin
Network Reliability Center
SBC Internet Services
415.442.5108

-----Original Message-----
From: Incidents Mailing List [mailto:INCIDENTS () SECURITYFOCUS COM] On Behalf Of Khan, Mansoor
Sent: Monday, June 05, 2000 10:49 AM
To: 'INCIDENTS () SECURITYFOCUS COM'
Subject: Sub-7

I was wondering if anyone has any experience with this Trojan (Sub-7).
I am interested in finding out if it sends info through a general
broadcast to chat rooms.  Additionally, what specific info does it send
(from a w-95 machine), e.g. registry settings, user ids and passwords,
etc.

Thanks,
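The beaconing pattern Mike describes (each infected host posting its IP address, listening port and password to the same channel about every five minutes) is easy to pick out of a channel log by looking for periodic repeats rather than for any one string. The following is an added detection example, not code from either poster; it assumes a simple "[timestamp] <nick> message" log format and uses a constructed sample log with documentation-range addresses. The 27374 port comes from the post above; the timestamps, nicks and passwords are made up.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample IRC channel log (not a real capture). Assumed format:
# "[YYYY-MM-DD HH:MM:SS] <nick> message"
SAMPLE_LOG = """\
[2000-06-01 10:00:03] <user123> 192.0.2.17 27374 letmein
[2000-06-01 10:01:10] <alice> anyone around?
[2000-06-01 10:05:04] <user123> 192.0.2.17 27374 letmein
[2000-06-01 10:10:02] <user123> 192.0.2.17 27374 letmein
[2000-06-01 10:12:41] <bob> my ip is 198.51.100.5 in case you need it
[2000-06-01 10:15:05] <user123> 192.0.2.17 27374 letmein
[2000-06-01 10:16:30] <user456> 203.0.113.9 27374 s3cret
"""

LINE_RE = re.compile(r"^\[(?P<ts>[\d-]+ [\d:]+)\] <(?P<nick>[^>]+)> (?P<msg>.*)$")

# A Sub7-style beacon line: IPv4 address, port, password token, nothing else.
BEACON_RE = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<port>\d{1,5})\s+(?P<pw>\S+)$"
)

SUB7_DEFAULT_PORT = "27374"  # default listening port named in the post


def parse_log(text):
    """Yield (timestamp, nick, message) for every well-formed log line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed format
        yield datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), m["nick"], m["msg"]


def find_beacons(text, min_repeats=3, period=timedelta(minutes=5),
                 tolerance=timedelta(seconds=30)):
    """Return {nick: (ip, port, count, default_port)} for nicks that post the
    same ip/port beacon at least `min_repeats` times with gaps close to `period`.

    Periodicity plus an unchanging target is the signal; a single human
    pasting an address once (like 'bob' in the sample) is not flagged."""
    by_nick = defaultdict(list)
    for ts, nick, msg in parse_log(text):
        b = BEACON_RE.match(msg)
        if b:
            by_nick[nick].append((ts, b["ip"], b["port"]))

    flagged = {}
    for nick, posts in by_nick.items():
        if len(posts) < min_repeats:
            continue
        gaps = [posts[i + 1][0] - posts[i][0] for i in range(len(posts) - 1)]
        periodic = all(abs(g - period) <= tolerance for g in gaps)
        same_target = len({(ip, port) for _, ip, port in posts}) == 1
        if periodic and same_target:
            ip, port = posts[0][1], posts[0][2]
            flagged[nick] = (ip, port, len(posts), port == SUB7_DEFAULT_PORT)
    return flagged


if __name__ == "__main__":
    for nick, (ip, port, n, default) in find_beacons(SAMPLE_LOG).items():
        print(f"{nick}: {ip}:{port} beaconed {n} times"
              f"{' (Sub7 default port)' if default else ''}")
```

On the sample log this flags only `user123`, whose four posts are spaced five minutes apart (within the 30-second tolerance) and all name the same host and port; `user456` posted once, so it stays below the repeat threshold. In practice the flagged addresses are the hosts an operator would want to notify or quarantine, and the password tokens in those lines are the reason the channel itself should be treated as a disclosure.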

