Security Incidents mailing list archives
Re: Sub-7
From: mparkin () PBI NET (PARKIN, MICHAEL (PBI))
Date: Thu, 8 Jun 2000 12:54:11 -0500
I administer an IRC server on a small network as a hobby, and we've seen more than our fair share of Sub7 infected clients. The Sub7Server listens to port 27374 by default, and that is the default port for client connections. Like most of the current Trojan Servers (BO2k, Hack'a'tack, etc.) S7S gives the intruder fairly complete control over the victim's machine. This includes hijacking the mouse, altering registry settings, getting the password files from the system, etc. The IRC connection is an optional "feature" of the Server, and the Attacker can specify the IRC server and channel the server should connect to.

We mostly dealt with three "series" of infections. Evidently, one or more individuals infected a large number of machines between late January and early March 2000 and sent them all to our Net. All of these servers connected to a "generic" server (i.e. irc.ircnetwork.net, rather than a specific server on the net) and joined the same channel. They would send their IP address, listening port, and password, to the channel at roughly five minute intervals. We monitored the channel under the impression that a living person coming to a hidden channel was probably well aware of the existence of the S7's and possibly the actual Attacker.

In any case, the S7S can act as a more or less typical IRC bot, issuing channel commands and such. It does not, as far as I know, broadcast detailed system information to the channel. However, in a case such as ours, with the server putting its password information in an open channel, it would be possible for anyone in the channel with the Sub7Client to connect to the infected machine and do what they will.

Hope this helps.

Mike Parkin
Network Reliability Center
SBC Internet Services
415.442.5108

-----Original Message-----
From: Incidents Mailing List [mailto:INCIDENTS () SECURITYFOCUS COM]On Behalf Of Khan, Mansoor
Sent: Monday, June 05, 2000 10:49 AM
To: 'INCIDENTS () SECURITYFOCUS COM'
Subject: Sub-7

I was wondering if any one has any experience with this Trojan (Sub-7). I am interested in finding out if it sends info through a general broadcast to chat rooms. Additionally, what specific info does it send (from a w-95 machine) e.g. registry settings, user ids and passwords etc.

Thanks,
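
An added example, not part of the original message: a channel-log check an IRC operator could run to find clients that announce an IP address and port at the roughly five-minute interval described above. The log layout, nicknames, addresses and the announcement text are constructed for illustration; the real announcement format is not given in the post.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
PORT = re.compile(r"(?<![\d.])\d{1,5}(?![\d.])")

# Constructed log; the "<ISO time> <nick> <message>" layout is an assumption.
SAMPLE_LOG = """\
2000-03-01T10:00:02 pc-kiosk 192.0.2.14 27374 examplepw
2000-03-01T10:01:40 alice anyone seen the new netsplit stats?
2000-03-01T10:05:03 pc-kiosk 192.0.2.14 27374 examplepw
2000-03-01T10:07:15 alice my router is 192.0.2.1 port 80 if you want to test
2000-03-01T10:10:01 pc-kiosk 192.0.2.14 27374 examplepw
2000-03-01T10:15:04 pc-kiosk 192.0.2.14 27374 examplepw
2000-03-01T10:31:00 alice back, try 192.0.2.1 port 8080 instead
"""

def announces_endpoint(message):
    """True if the message carries an IPv4 address plus a separate port number."""
    ip = IPV4.search(message)
    if not ip or any(int(o) > 255 for o in ip.group().split(".")):
        return False
    rest = message[:ip.start()] + " " + message[ip.end():]
    return any(0 < int(p) <= 65535 for p in PORT.findall(rest))

def find_beacons(log_text, period=300, tolerance=60, min_hits=3):
    """Return {nick: median_gap_seconds} for nicks announcing on a steady period."""
    seen = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split(" ", 2)
        if len(parts) < 3:
            continue  # skip malformed lines
        stamp, nick, message = parts
        if announces_endpoint(message):
            seen[nick].append(datetime.fromisoformat(stamp))
    flagged = {}
    for nick, times in seen.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if len(times) >= min_hits and abs(median(gaps) - period) <= tolerance:
            flagged[nick] = median(gaps)
    return flagged

if __name__ == "__main__":
    print(find_beacons(SAMPLE_LOG))
```

A human who mentions an address and port a couple of times is not flagged; only a nick that repeats such announcements on the steady period is reported, which makes the result a list of hosts to notify or remove from the network.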