Intrusion Detection FAQ: SubSeven Trojan v 1.1

A large number of the detects we have received are apparently SubSeven Trojan related. From time to time we get questions asking what is SubSeven? Analyst Georg Wagner provided the following description.

SubSeven is a trojan for the windows platform. It comes at least in two parts a client and a server. The client is used by the hacker to connect to the victim' s machine. Once the server.exe is installed on the victim's machine the hacker has full access to the victim's machine.

The zip-file I downloaded contained 3 executables:
  • server.exe The real trojan, which is installed on the victim's machine
  • sub7.exe The client used by the hacker to connect to his victim's machine
  • EditServer.exe A configuration utility to set several configuration options on server.exe.
The EditServer.exe gives the hacker the opportunity to configure:
  • the port used by server.exe
  • to set a password for the server
  • several other values
and most important to set some notification options, to notify the hacker when his victim(s) are online. This notification can be done using ICQ, IRC, or e mail.

Known Information about SubSeven
Known TCP ports for SubSeven:
  • 1243
  • 6711
  • 6712
  • 6713
  • 6776
Known TCP ports for SubSeven 2.1
  • 27374
Files on an infected machine:
  • server.exe
  • rundll1.exe
  • systray.dl
  • Task_bar.exe
  • FAVPNMCFEE.dll
  • MVOKH_32.dll
  • nodll.exe
  • watching.dll
Entries in configuration files:
  • in system.ini:
    an entry on the line containing "shell="
  • in win.ini:
    an entry on the line containing "load=" or "run= "
  • in the registry:
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Current\Version\Run HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
To be able to connect to the victims machine the hacker needs the ip address of that machine. There are two methods to get this ip address:

  1. Using ICQ
    If the victim has not enabled IP Hiding in his ICQ User Profile, then the hacker can retrieve this information from the victim's profile.
  2. To use the notification option of the trojan. That way the hacker is always notified when his victim(s) connect to the internet. He will even get the IP address and the port number delivered.
It is claimed in the description of SubSeven that most Antivirus Software won't be able to detect newer versions of it. Have a look in your registry whether the strings SubSeven, "Sub Seven" or "Sub 7" are found. If yes, your machine got infected. If no, well that does not mean that your machine is not infected, since the hacker can set the values used in the registry with the EditServer.exe.

The server.exe can be removed using the file client.exe. If you downloaded and extracted the zip-archive of the subseven-trojan do not click on the file server.exe. Otherwise you will have infected your machine.

Detecting SubSeven on the Net


The following attack patterns for the NIDS snort can be used to recognize SubSeven network activity: 
alert tcp $HOME_NET 1243 -> !$HOME_NET any (msg:"

TROJAN ACTIVITY-Possible Subseven"; flags:SA;)

alert tcp any -> any (msg:"TROJAN ACTIVITY-Possible 

SubSeven access"; content:"connected. time/date"; flags:PA;)

alert tcp !$HOME_NET any -> $HOME_NET 6776 (msg:"TROJAN ATTEMPT-
 
SubS even access"; flags:S;) 

alert tcp !$HOME_NET any -> $HOME_NET 6711 (msg:"TROJAN ATTEMPT- 

Deep Throat/SubSeven"; flags:S;) 

alert tcp !$HOME_NET any -> $HOME_NET 1243 (msg:"TROJAN ATTEMPT- 

Subseven"; flags:S;)

Removing SubSeven

  1. Edit SYSTEM.INI
    If you find the line shell=Explorer.exe Task_Bar.exe, remove the Task_Bar.exe entry. Ave SYSTEM.INI
  2. Edit win.ini and look at the lines containing run= and load=. If you find one of the files listed above, remove this entry (entries).
  3. Start the regedit.exe and search for the files listed above. If you find an entry with one of the files, remove it.
  4. Reboot


top^

Intense, fast paced. Modern day Sherlock Holmes!
-Cody Drake, Allstate Ins. Co.

SANSFIRE 2013 - Washington

Latest Whitepapers

Securing BYOD With Network Access Control, a Case Study
By Lawrence Orans

Event Monitoring and Incident Response
By Ryan Boyle

Dead Linux Machines Do Tell Tales
By James Fung

Latest Tweets

SANS San Francisco 2013 offers 7 courses to boost your Cyber [...]
May 23, 2013 - 3:06 PM

Excellent blog post by @MarkBaggett on pen testing MS SQL vi [...]
May 22, 2013 - 7:39 PM

#appsec "WhatWorks in AppSec: Log Forging" http://t.co/Gsq91O7UAH
May 22, 2013 - 10:00 AM

Contact Us

(301) 654-SANS (7267)
Mon-Fri 9am - 8pm EST/EDT
info@sans.org

"It has really been an eye opener concerning the depth of security training & awareness that SANS has to offer."
- Michael Hall, Drivesavers

"SANS is a great place to enhance your technical and hands-on skills and tools. I thoroughly recommend it."
- Aaron Waugh, Datacom NZ Ltd

"SANS is far more in-depth than other training I have attended."
- Frank Rajnai, Sears Canada Inc