-----BEGIN PGP SIGNED MESSAGE-----

===========================================================================
AUSCERT External Security Bulletin Redistribution

                 ESB-2001.115 -- Internet Security Systems Security Alert
                      A New Version of the SubSeven Backdoor
                                 13 March 2001

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:                SubSeven
Operating System:       Microsoft Windows
Impact:                 Administrator Compromise
Access Required:        Remote

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----

Internet Security Systems Security Alert
March 12, 2001

A New Version of the SubSeven Backdoor

Synopsis:

Internet Security Systems (ISS) X-Force is aware of a new version of the
SubSeven backdoor. This new version, 2.2, has been updated with features
that make it easier for a malicious user to access your computer system
without your knowledge or consent. An attacker can use this backdoor as a
remote control and carry out activities as if he or she were a local user.

Description:

SubSeven is a powerful backdoor program, and is the most popular backdoor
used against Windows systems. SubSeven allows an attacker to perform
actions such as shut down or restart a computer, retrieve most saved and
cached passwords, modify the system registry, and upload, download, and
delete files from a system. Due to the potential for damage, SubSeven
should be removed immediately if present on a network.

New Functionality Included in SubSeven 2.2:

SOCKS4/SOCKS5 Proxy Support:

Proxies are intermediaries between two systems, such as a malicious
user's computer and their intended target. Web sites maintain lists of
'open' proxies, which are known by attackers and traded among them so
that the proxies can be used as starting points. These proxies function
to add another location, or hop, between the user's machine and their
target, thereby obscuring the true location of the attacker's computer.

Packet Sniffer:

SubSeven now includes packet sniffing capabilities via a GUI (Graphical
User Interface). The GUI makes the packet sniffer easily accessible and
simple to use. The packet sniffer can be configured to collect network
traffic, save this information into a log, and relay these logs. This
information can be useful for a hacker wishing to mount further attacks
on the target network, as well as to obtain more information about the
target individual or host.

Ability to Listen on a Random Port:

The SubSeven server can be configured to listen on a random port each
time it is started. This makes the program harder to detect than previous
versions. SubSeven can be configured to notify the hacker of the port
change.

Expanded Notification Capability:

SubSeven has expanded notification capabilities. In addition to IRC
(Internet Relay Chat), Mirabilis ICQ, and email notification, SubSeven
can relay information to web sites using CGI (Common Gateway Interface)
scripts as well as route information to an IP address determined by the
operator.

CGI notification was designed and integrated in response to SubSeven's
popularity as a DDoS (Distributed Denial of Service) agent. Lists of
compromised computers are traded for use in DDoS networks. With CGI
notification enabled, attackers can configure SubSeven agents to
automatically post information to a URL using CGI. This allows a list of
SubSeven agents to be easily distributed among those wishing to use them
for DDoS attacks.

Static IP number notification is a new feature that sends customized IP
traffic to an IP address specified during the program's configuration.

Ability to E-mail Keystroke Logs:

SubSeven has been able to log keystrokes in previous versions. In version
2.2, the program has the ability to send logs of entered keystrokes via
email. This can be used to gather information such as user and network
passwords and email this information to be used at a later time. SubSeven
can also send passwords stored on the system (RAS, dialup, etc.) as well
as passwords captured from password dialogues.

Modular Design and SDK:

The architecture of SubSeven 2.2 is modular, with most of the program's
functionality residing in plugin DLLs. There are plans to release an SDK
for creating custom plugins, which (combined with the program's modular
design) will make SubSeven 2.2 harder to detect than previous versions.
The SDK will also provide a means for adding functionality and some
customization of the program's features.

Recommendations:

Support to detect SubSeven is available for Internet Scanner customers in
X-Press Update v4.6 and for RealSecure customers in X-Press Update v1.1.

Refer to the ISS Alert titled "Widespread incidents of SubSeven DEFCON8
2.1 Backdoor" at <http://xforce.iss.net/alerts/advise65.php> for more
information.

Additional Information:

The Common Vulnerabilities and Exposures (CVE) project has assigned the
following names to these issues. These are candidates for inclusion in
the CVE list (<http://cve.mitre.org>), which standardizes names for
security problems.

CAN-1999-0660
    A hacker utility or Trojan Horse is installed on a system.

CAN-2000-0138
    A system has a distributed denial of service (DDOS) attack master,
    agent, or zombie installed.

About Internet Security Systems (ISS)

Internet Security Systems (ISS) is a leading global provider of security
management solutions for the Internet. By providing industry-leading
SAFEsuite security software, remote managed security services, and
strategic consulting and education offerings, ISS is a trusted security
provider to its customers, protecting digital assets and ensuring safe
and uninterrupted e-business. ISS' security management solutions protect
more than 5,500 customers worldwide including 21 of the 25 largest U.S.
commercial banks, 10 of the largest telecommunications companies and over
35 government agencies. Founded in 1994, ISS is headquartered in Atlanta,
GA, with additional offices throughout North America and international
operations in Asia, Australia, Europe, Latin America and the Middle East.
For more information, visit the Internet Security Systems web site at
www.iss.net or call 888-901-7477.

Copyright (c) 2001 Internet Security Systems, Inc.

Permission is hereby granted for the redistribution of this Alert
electronically. It is not to be edited in any way without express consent
of the X-Force. If you wish to reprint the whole or any part of this
Alert in any other medium excluding electronic medium, please e-mail
xforce@iss.net for permission.

Disclaimer

The information within this paper may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There
are NO warranties with regard to this information. In no event shall the
author be liable for any damages whatsoever arising out of or in
connection with the use or spread of this information. Any use of this
information is at the user's own risk.

X-Force PGP Key available at: <http://xforce.iss.net/sensitive.php> as
well as on MIT's PGP key server and PGP.com's key server.

Please send suggestions, updates, and comments to: X-Force
xforce@iss.net <mailto:xforce@iss.net> of Internet Security Systems, Inc.

- -----BEGIN PGP SIGNATURE-----
Version: 2.6.3a
Charset: noconv

iQCVAwUBOq1wXDRfJiV99eG9AQFLBAQAqAMZIrzj6Z4OC09dnigrmJ0OXUetH72y
g33QnDxCAVNQB+5qlyEdxwJzWYaSbLi5UenwXffUFsHE5weYvbN963aGe317V35i
+fe/OaJ1FU1fsW05UHn02N/aRedttjkY62IylrKQuX6AyG6SNomJEy9G69k/xiEz
mhL/mqkB16w=
=gnsD
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no
control over its content. The decision to use any or all of this
information is the responsibility of each user or organisation, and
should be done in accordance with site policies and procedures.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at a
later date, it is recommended that the bulletin is retrieved directly
from the original authors to ensure that the information is still
current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved
from:

        http://www.auscert.org.au/Information/advisories.html

If you believe that your system has been compromised, contact AusCERT or
your representative in FIRST (Forum of Incident Response and Security
Teams).

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST). On call after hours for
                emergencies.

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
Comment: ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key

iQCVAwUBOq4j/ih9+71yA2DNAQEcywQAm4H3YfHfAK9Xyh9klAFjrPF2JKv5rM7n
2A47k5n/Abju5lzIr1jblsG4Oi1zGhGUWIFQfUcJdskMjPrA4PhBnt/EDM8uTy+2
a5In4+2dhI1fEu0yz+FJ6pblLDKOL/oWU3kcrT/V6lVU98rIkijPgvyxdhNgFPMW
0Uz1G72qm1A=
=ggUT
-----END PGP SIGNATURE-----
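The "Ability to Listen on a Random Port" section of the ISS alert above makes the point that a server which picks a fresh port on every start defeats detection by a fixed list of known backdoor ports. A baseline comparison does not depend on the port number: record the set of listening TCP ports on a known-clean build of the host, then flag any listener outside that set on later checks. The Python below is an added example written for this page, not code from the ISS alert, AusCERT, or any ISS product; the netstat lines, the port 49187 and the baseline set are constructed for illustration, and on a real Windows host you would feed it the output of `netstat -an` instead.

```python
"""Flag listening TCP ports that are not in an approved baseline.

Added example (not part of the ISS alert). Parses "netstat -an" style
output, so it can be run offline over constructed lines; on a live host,
pass the real "netstat -an" output to audit().
"""
import re
from typing import Iterable, Set, Tuple

# Constructed sample of Windows "netstat -an" output (not a real capture).
# Port 49187 stands in for a listener that picked an arbitrary port.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:139            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:49187          0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1052      192.168.1.20:139       ESTABLISHED
  UDP    0.0.0.0:137            *:*
"""

# Assumed approved baseline for this host (an assumption for the example;
# a real baseline is recorded from a known-clean build of the same image).
BASELINE_PORTS = {135, 139, 445}

# One netstat row: proto, local address, foreign address, optional state.
_LINE_RE = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+(?P<laddr>\S+)\s+(?P<faddr>\S+)(?:\s+(?P<state>\S+))?\s*$"
)


def _port_of(addr: str) -> int:
    """Return the port from 'ip:port' or '[v6]:port'; a '*' port maps to 0."""
    _, _, port = addr.rpartition(":")
    return int(port) if port.isdigit() else 0


def listening_tcp_ports(lines: Iterable[str]) -> Set[int]:
    """Collect every TCP port reported in LISTENING state."""
    ports: Set[int] = set()
    for line in lines:
        m = _LINE_RE.match(line)
        if not m or m.group("proto") != "TCP":
            continue
        if m.group("state") != "LISTENING":
            continue
        ports.add(_port_of(m.group("laddr")))
    return ports


def unexpected_listeners(lines: Iterable[str], baseline: Set[int]) -> Set[int]:
    """Ports listening now that the baseline does not approve.

    A plain set difference: a server that chooses a new port on each start
    is still caught, because it is flagged for being outside the baseline,
    not for matching a port number known in advance.
    """
    return listening_tcp_ports(lines) - baseline


def missing_listeners(lines: Iterable[str], baseline: Set[int]) -> Set[int]:
    """Baseline ports no longer listening (a stopped service, or a stale
    baseline); reported separately so the baseline itself gets maintained."""
    return baseline - listening_tcp_ports(lines)


def audit(netstat_output: str, baseline: Set[int]) -> Tuple[Set[int], Set[int]]:
    """Return (unexpected listeners, missing baseline listeners)."""
    lines = netstat_output.splitlines()
    return unexpected_listeners(lines, baseline), missing_listeners(lines, baseline)


if __name__ == "__main__":
    new, gone = audit(SAMPLE_NETSTAT, BASELINE_PORTS)
    for p in sorted(new):
        print(f"ALERT: unexpected TCP listener on port {p}")
    for p in sorted(gone):
        print(f"NOTE: baseline port {p} is not listening")
```

The baseline has to come from a host you trust, taken before it is exposed, and it must be re-recorded whenever a legitimate service is added; otherwise every change shows up as an alert and the check gets ignored. The same set-difference approach applies to outbound connections, which is where the notification traffic the alert describes (IRC, ICQ, email, CGI posts to a URL) would surface, but that needs a baseline of expected destinations rather than ports.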