Sub7

This analysis is based on Sub7 version 1.8.

A full list of its capabilities, along with some screen shots of the client, is available on the Client Info page.

Ports Used

The Windows "netstat -an" command shows the Sub7 server listening on the following ports:

    TCP   6711
          6776
          1243
    UDP   none
Note: These are merely the default port numbers. Sub7 includes a utility to alter the third port, which is apparently used only for connection/control, not for locating Sub7 servers.

Scan Signature

The Sub7 client's scanner does not use a fixed port number for its side of the connection, but will apparently always try to connect to TCP 6776 when scanning for servers on other machines. Log entries generated by a Sub7 client scanning your machine will therefore look like:

    from: remotehostaddr tcp (anything)
    to  : yourhostaddr   tcp 6776
Trojan Detection

The easiest way I can think of to determine if your machine is infected with Sub7 is simply to open a DOS Command window and run "netstat -an". If you see any of the ports listed in the Ports Used section above, you've probably got Sub7 on your machine. (See the Server Info page for screen shots of the netstat output.)

Another spot to look for Sub7 server activity is in:

    \WINDOWS\SYSTEM.INI

On a stock Windows 98 distribution, there's a line in this file that should read:

    shell=Explorer.exe

Sub7 will have altered this line to read:

    shell=Explorer.exe kerne132.dl

Note: That's "kerne" followed by the number 132, not "kernel" followed by 32. You'll find this file in:

    \WINDOWS\SYSTEM\kerne132.dl

You can also use the registry editor to look for Sub7. It makes two rather distinctive additions to the registry. The first is a new section:
    HKEY_LOCAL_MACHINE\Software\CLASSES\.dl

which has two entries:

    Name              Data
    @                 "exefile"
    "Content Type"    "application/x-msdownload"
The combination of this registry entry plus the altered shell setting in the SYSTEM.INI file forms the means by which the Sub7 server automatically launches itself.

Note: This is just the standard server configuration. If you examine the Server Editor screenshot in the Client Info area, you'll notice that there are three other possible launch methods. I have not tried these yet.

The second registry entry is another new section:
    HKEY_LOCAL_MACHINE\Enum\SBSV
Presumably "SBSV" is short for "SubSeven". I suspect that this is where Sub7 stores its current settings, but this is pure speculation on my part. The entries appear to be binary, so trying to represent them in HTML would be pointless.

Sub7 will also make sure that the AVI capture DLL (which is a standard Windows file) is loaded. My guess is that this is done to allow the Sub7 client to take pictures using any teleconferencing cameras that you might have on your computer, but it installs the DLL even if the computer doesn't have such peripherals. This shows up as an entry in the

    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SessionManager\Known16DLLs

section that looks like this:

    Name          Data
    AVICAP.DLL    "AVICAP.DLL"

I believe you want to leave this alone if you've actually installed any kind of AVI hardware already. If you're absolutely positive that this file wasn't being loaded earlier, you might want to delete the entry, but since this is a legitimate Windows DLL it's probably safe to leave it alone.
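As an added example that is not part of the original page, the following Python script applies the Scan Signature and Trojan Detection checks described above to text: it looks for the default Sub7 listener ports in "netstat -an" output, tests whether the SYSTEM.INI shell= line launches anything beyond Explorer.exe, and pulls the remote hosts out of from:/to: log pairs aimed at TCP 6776. The netstat output, INI fragments and log lines are constructed samples, and the two-line from:/to: log layout is assumed to match the page's description.

```python
import re

# Indicators from the Sub7 1.8 writeup above: default listener ports (the
# third is user-configurable) and the port the client's scanner probes.
# In SYSTEM.INI the hook is "kerne132.dl", where the "1" is a digit.
SUB7_TCP_PORTS = {6711, 6776, 1243}
SUB7_SCAN_PORT = 6776

def netstat_listening_hits(netstat_output):
    """Return the Sub7 default ports found LISTENING in 'netstat -an' output."""
    hits = set()
    for line in netstat_output.splitlines():
        fields = line.split()  # Proto, Local Address, Foreign Address, State
        if len(fields) >= 4 and fields[0].upper() == "TCP" and fields[3] == "LISTENING":
            port = int(fields[1].rsplit(":", 1)[1])
            if port in SUB7_TCP_PORTS:
                hits.add(port)
    return hits

def system_ini_shell_tampered(system_ini_text):
    """True if the shell= line launches anything besides the stock Explorer.exe."""
    for line in system_ini_text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key.strip().lower() == "shell":
            return value.strip().lower() != "explorer.exe"
    return False  # no shell= line at all: nothing to judge

def sub7_scan_sources(log_text):
    """Return remote hosts whose from:/to: log pairs probe TCP 6776 (the scan signature)."""
    lines = [ln.strip() for ln in log_text.splitlines() if ln.strip()]
    sources = set()
    for frm, to in zip(lines, lines[1:]):
        m_from = re.match(r"from:\s*(\S+)\s+tcp\s+\S+", frm, re.I)
        m_to = re.match(r"to\s*:\s*\S+\s+tcp\s+(\d+)", to, re.I)
        if m_from and m_to and int(m_to.group(1)) == SUB7_SCAN_PORT:
            sources.add(m_from.group(1))
    return sources

# Constructed sample data (not captured from a real host).
NETSTAT_SAMPLE = """  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:139            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1243           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:6776           0.0.0.0:0              LISTENING
  UDP    0.0.0.0:137            *:*
"""
INFECTED_INI = "[boot]\nshell=Explorer.exe kerne132.dl\n"
CLEAN_INI = "[boot]\nshell=Explorer.exe\n"
SCAN_LOG = "from: 10.0.0.7 tcp 2041\nto : 192.168.1.5 tcp 6776\nfrom: 172.16.3.3 tcp 3001\nto : 192.168.1.5 tcp 80\n"
```

Only LISTENING rows are matched, so an outbound connection whose foreign port happens to be 6776 is not reported as an infected local host.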