Trojan horse and remote access software
Sub7, or SubSeven or Sub7Server, is a Trojan horse program originally released in February 1999.[1][2] Its name was derived by spelling NetBus backwards ("suBteN") and swapping "ten" with "seven". As of June 2021, the development of Sub7 is being continued.[3]
Because its typical use is to allow undetected and unauthorized access, Sub7 is usually described as a trojan horse by security experts.[4][2][5][6][7][8] Starting with version 2.1 (1999) it could be controlled via IRC. As one security book phrased it: "This set the stage for all malicious botnets to come."[6] Additionally Sub7 has some features deemed of little use in legitimate remote administration like keystroke logging.[6]
Sub7 worked on the Windows 9x and on the Windows NT family of operating systems, up to and including Windows 8.1.[7]
History
SubSeven was developed by mobman, a computer programmer originally from Craiova, Romania.[9]
In 2006, sub7legends.net re-opened with hundreds of thousands of users, and has kept Sub7 alive with clean downloads, support and new software releases.
No development had occurred for several years until version 2.3 in 2010. This release was based on the genuine SubSeven 2.2 and 2.1.3 source code, which mobman himself shared with his close friends "Read101" and "fc", who were responsible for this update. Unfortunately, the reborn version did not capture the public's attention as anticipated. This lack of interest was primarily due to "fc", who was more interested in monetizing the new version than enhancing its quality.[10]
SubSeven 2.3, released on March 9, 2010, was revamped to work on all 32-bit and 64-bit versions of Windows and includes TCP Tunnel and Password Recovery for browsers, instant messengers and email clients. It was very buggy. The website that claimed to do this is no longer active.
In June 2021, Jean-Pierre Lesueur (DarkCoderSc) released a complete remake of SubSeven version 2.2, written from scratch. This version maintained a similar look and feel to the original. Since then, development has ceased, and the source code has been made available to the public.[11]
In October 2023, "IllWill", a former member of the Sub7 Crew from the 1990s and early 2000s, delivered a talk at BSides CT 2023.[12] This presentation delved into the story behind mobman, revealing several unknown facts about the mysterious developer. The talk concluded with IllWill releasing the official and genuine source code of SubSeven 2.1.2/3 on his GitLab.[13] This release was made possible by mobman's direct contribution and with his blessing.
As of now, no other versions of SubSeven have been officially released, apart from version 2.1.2/3 by IllWill. The SubSeven 2.2 version remains exclusively in the possession of mobman, Read101, fc, and DarkCoderSc.
Architecture and features
Like other remote admin programs, Sub7 is distributed with a server and a client. The server is the program that the host must run in order to have their machines controlled remotely, and the client is the program with a GUI that the user runs on their own machine to control the server/host PC. Computer security expert Steve Gibson once said that with these features, Sub7 allows a hacker to take "virtually complete control" over a computer. Sub7 is so invasive, he said, that anyone with it on their computer "might as well have the hacker standing right next to them" while using their computer.[14]
Sub7 has more features than Netbus (webcam capture, multiple port redirect, user-friendly registry editor, chat and more).
According to a security analysis,[15] Sub7's server-side (target computer) features include:
- recording:
  - sound files from a microphone attached to the machine
  - images from an attached video camera
  - screen shots of the computer
- retrieving a listing of recorded and cached passwords
- taking over an ICQ account used on the target machine (back then the most popular messaging service); added in version 2.1. This included the ability to disable the local use of the account and read the chat history
- features which were presumably intended to be used for prank or irritating purposes including:
  - changing desktop colors
  - opening and closing the optical drive
  - swapping the mouse buttons
  - turning the monitor off/on
  - "text2speech" voice synthesizer which allowed the remote controller to have the computer "talk" to its user
- penetration testing features, including a port scanner and a port redirector
On the client side, the software had an "address book" that allowed the controller to know when the target computers were online. Additionally, the server program could be customized before being delivered by a so-called server editor (an idea borrowed from Back Orifice 2000). Customizations possible with the Sub7 server editor included changing the port addresses and displaying a customized message upon installation that could be used, for example, "to deceive the victim and mask the true intent of the program".[15] The Sub7 server could also be configured to notify the controller of IP address changes of the host machine by email, ICQ or IRC.[16]
Connections to Sub7 servers can be password protected with a chosen password.[16] A deeper reverse engineering analysis revealed, however, that "SubSeven's author has secretly included a hardcoded master password for all of his Trojans! The Trojan itself has been Trojaned".[8] For Version 1.9 the master password is predatox and 14438136782715101980 for versions 2.1 through 2.2b. The Master Password for SubSeven DEFCON8 2.1 Backdoor is acidphreak.[17]
Uses and incidents
SubSeven has been used to gain unauthorized access to computers. While it can be used for making mischief (such as making sound files play out of nowhere, changing screen colors, etc.), it can also read keystrokes that occurred since the last boot, a capability that can be used to steal passwords and credit card numbers.[18]
In 2003, a hacker began distributing a Spanish-language email purporting to be from security firm Symantec that was used to trick recipients into downloading Sub7.[19]
Although Sub7 is not itself a worm (has no built-in self-propagation features) it has been leveraged by some worms such as W32/Leaves (2001).[5][20]
Some versions of Sub7 include code from Hard Drive Killer Pro to format the hard drive; this code will only run if it matches the ICQ number of "7889118" (mobman's rival trojan author).[21]