Sub7 - Usage, Prevention, Removal
by CaS (cas@globalhacking.com)
Most of you out there will have heard of Trojan horse programs running under Windows, such as Back Orifice and NetBus.
Indeed, there have been articles in 2600 about them before. In this article, I will cover Sub7, an easy to learn, user friendly Trojan program. I will talk about Sub7 in general, how to remove it, how to prevent yourself becoming a victim, and how to get the most out of it.
This article is based on the 2.1 versions, which were the latest at the time of writing.
General Introduction
Sub7 first popped up some time ago and, for a while, was not as popular as NetBus or Back Orifice.
Clients were full of bugs which were very annoying (first IP scanner in 1.7 especially - it never worked for me!). However, as many Trojan and anti-virus sites will tell you, as of early 2000, it has become the most popular Trojan and has been estimated to continue being so for the next five years.
It is also described as the most powerful and most dangerous. Mobman, the creator, has been especially good with updating. Recently, a new version has come out every couple of months, sometimes much less.
By doing this, the newer versions are not detectable by most if not all virus scanners, and updating a server on a victim's computer is easy. Version 2.1 has been in existence a while now. There has also been 2.1 Gold, 2.1 MUTE, 2.1 Bonus, etc. The 2.2 Beta sucked ass in that it had limited features and just didn't look as nice.
However, something that looked promising in 2.2 was a program called SIN, which detected broadcasts from victims, i.e., you no longer have to scan for victims. This has potential, and would further improve the package.
Sub7 has a huge feature-set, meaning you can do practically anything with your victim - you have complete control.
Removal
CD drives popping open, messages being displayed on your screen, your printer printing out rubbish... all telltale signs of someone in control of your machine via a Trojan horse.
First thing to do:
Open a CMD.EXE prompt and type: netstat -a
This should show a list of listening ports, and a list of what is connected to you. Have a look at the ports, and see what is suspect. Default Sub7 ports are 1243 for older versions and 27374 for newer versions, although the port which the server runs on can be changed by the user. If you see connections to a suspect port, then most likely it's the server.
To make sure, at the CMD.EXE prompt type: telnet
In the window that comes up click Connect, Remote System, and in Host Name put 127.0.0.1 and in Port put the suspect port.
You will either get PWD if the server is password protected, or if it is not, something like:
connected. time/date: 14:27.09 - July 8, 2000, Saturday, version: M.U.I.E. 2.1
Of course, time, date, and version may be different, but this is what it will look like.
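The netstat-then-telnet check above can be scripted so that it is repeatable on a machine you administer. The following is an added example (my code, not the article's and not part of Sub7) that parses `netstat -a` output for listening ports, flags the two default ports the article names, and classifies the banner a loopback connection receives according to the two responses quoted above. The netstat listing and banner strings are constructed samples; the allow-list of "known good" ports and the exact banner-matching rules are my assumptions.

```python
"""Defender-side check for the Sub7 indicators the article describes:
1. parse `netstat -a` output for listening ports and flag the default Sub7 ports,
2. classify the banner a suspect port returns when connected to on 127.0.0.1.

Added example, not part of the original article. The netstat output and
banners below are constructed samples in the Windows netstat format.
"""
import re
import socket

# Default Sub7 ports named in the article (older / newer versions).
SUB7_DEFAULT_PORTS = {1243, 27374}

# Constructed sample of `netstat -a` output.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    mypc:139               0.0.0.0:0              LISTENING
  TCP    mypc:27374             0.0.0.0:0              LISTENING
  TCP    mypc:1035              mail.example.net:110   ESTABLISHED
  UDP    mypc:137               *:*
"""


def parse_listening_ports(netstat_text):
    """Return {port: proto} for every socket netstat shows as listening.

    UDP lines carry no state column, so any UDP line counts as listening.
    """
    ports = {}
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue
        proto, local = parts[0], parts[1]
        m = re.search(r":(\d+)$", local)
        if not m:
            continue
        port = int(m.group(1))
        state = parts[3] if len(parts) > 3 else ""
        if proto == "UDP" or state == "LISTENING":
            ports[port] = proto
    return ports


def suspect_ports(listening, known_good=frozenset({137, 138, 139})):
    """Ports worth a closer look: the Sub7 defaults first, then anything not
    on the caller's allow-list of ports this machine is known to open
    (the allow-list here is an assumption, adjust it per machine)."""
    flagged = sorted(p for p in listening if p in SUB7_DEFAULT_PORTS)
    flagged += sorted(p for p in listening
                      if p not in SUB7_DEFAULT_PORTS and p not in known_good)
    return flagged


def classify_banner(banner):
    """Classify the first bytes a suspect port sends.

    The article gives two Sub7 responses: "PWD" when the server is password
    protected, and a "connected. time/date: ... version: ..." line otherwise.
    """
    text = banner.decode("latin-1", "replace").strip()
    if text.startswith("PWD"):
        return "sub7-password-protected"
    if text.lower().startswith("connected.") and "version:" in text.lower():
        return "sub7-open"
    return "unknown"


def grab_banner(port, host="127.0.0.1", timeout=3.0):
    """Connect to a suspect port on the local machine (what the article does
    with telnet) and return whatever it sends first, or b"" on no reply."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            return s.recv(256)
    except OSError:
        return b""


if __name__ == "__main__":
    listening = parse_listening_ports(SAMPLE_NETSTAT)
    for port in suspect_ports(listening):
        print(f"port {port}/{listening[port]} listening; "
              f"banner class: {classify_banner(grab_banner(port))}")
```

Run it on real `netstat -a` output by piping that text into `parse_listening_ports`; a "sub7-open" or "sub7-password-protected" classification on a loopback port is the same evidence the manual telnet step gives.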
Now you know you are infected. When first executed, the server creates an EXE file in the C:\Windows directory, either random such as HLSGHJSD.EXE, or a user defined EXE.
You will find pages on the Internet that say "Run REGEDIT, remove this and that, get this virus checker, get that Trojan detector," etc. This was true a while ago, but now a new solution is available.
Surf over to the Sub7 home page (subseven.slak.org) and download the newest version - 2.1 Bonus. This client has a password bypasser. Unzip and run: SUB7.EXE
In IP/UIN put 127.0.0.1 and in Port put the port the server is running on. When or if you are asked for a password, simply hit Enter. Now expand the Connection menu, click Server Options, click Remove Server, and confirm. Easy as pie.
If for some reason this does not work (it doesn't appear to work if the server on your machine is 2.1 Bonus), or if you don't want to download it, go into C:\Windows and find an EXE that is approximately 373 kb and delete it. That'll solve it as well.
You may also want to remove the "method" that starts the server, so refer to "Usage 1 - EditServer.exe" below and check the places I mention for the strings, and remove them.
Some "hackers" (using this program does not make you a "133t hax0r") may have been clever enough to delete netstat.
In this case, you should get a network monitor (it's a good idea to have one anyway) such as NeoMonitor v2.0, available from NYC Software, Inc., which will show you open ports and connections, just like netstat. From here, refer to the above sections.
At some point, a new version of Sub7 will be released and the "Bonus" version I talked about which can be used to remove servers will not be downloadable. Many users will probably complain to Mobman about the password bypasser feature, and I can see it being removed from newer versions. Newer versions will probably not be vulnerable to the password bypasser feature, so other methods I have described (manually deleting the server and start-up strings) will be necessary.
Prevention
The most obvious way to prevent yourself from being 0wned is not to run any executable files that some "friend" may send you.
However, if you must run executable files which you have obtained from the Internet, then take the following precautions:
Scan it with everything you have. I've already mentioned the ineffectiveness of this method against Sub7, but do it anyway - it could be an older version.
Look at the file size - newer versions of Sub7 are 373 kb, but a clever user will have bound it with a small game or something similar (in which case it will be larger, so you cannot use this method). If a friend asks you to test his first C program, and it's like 10 kb, chances are it will be O.K.
Download Sub7 and attempt to open the EXE you've been sent with EditServer.exe. Click Read Current Settings. If it says "Invalid server, proceed anyway?" chances are it isn't Sub7 (but it could be another Trojan). If it asks for a password or displays settings, then it's Sub7. If there is no password, you can gather info on the person trying to hack you (ICQ UIN, email address, etc.).
Finally, if you are pretty sure that it's clean, go into C:\Windows, Ctrl+F to find, uncheck the Include Subfolders box, and search for EXEs created in the last one day. Remember what's there, then run the EXE and do the find again. If there is a new EXE, chances are it was Sub7 after all, and you should refer to removal instructions above.
You can also look for a new port opening on your Network Monitor, or in netstat, after running the EXE.
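The before-and-after check in the last two steps (list the EXEs in C:\Windows, run the file, list again, and watch for a new listening port) is easy to get wrong by hand, so here is an added example that automates it. This is my code, not the article's and not part of Sub7: it snapshots the EXE names, sizes and modification times in one directory (no subfolders, matching the unchecked "Include Subfolders" box), diffs two snapshots together with two sets of listening ports, and separately lists EXEs near the 373 kb figure the article gives. The directory path and port sets are supplied by the caller; the demo at the bottom builds a throwaway directory with constructed files so it runs anywhere.

```python
"""Before/after snapshot check from the Prevention section: list the EXEs in a
directory (the article uses C:\\Windows) and the set of listening ports before
running an untrusted executable, run it, snapshot again, and diff.

Added defender-side example, not from the original article.
"""
import os
import tempfile


def snapshot_exes(directory):
    """Map each *.exe file name in `directory` (top level only) to (size, mtime)."""
    snap = {}
    for name in os.listdir(directory):
        path = os.path.join(directory, name)
        if name.lower().endswith(".exe") and os.path.isfile(path):
            st = os.stat(path)
            snap[name.lower()] = (st.st_size, st.st_mtime)
    return snap


def diff_snapshots(before, after, listen_before=frozenset(), listen_after=frozenset()):
    """Report what appeared after the run: new or changed EXEs and new ports."""
    new_exes = sorted(set(after) - set(before))
    changed = sorted(n for n in before if n in after and before[n] != after[n])
    new_ports = sorted(set(listen_after) - set(listen_before))
    return {"new_exes": new_exes, "changed_exes": changed, "new_ports": new_ports}


def near_size(snap, kb=373, tolerance_kb=4):
    """EXEs whose size is within tolerance of the article's 373 kb figure.
    Only useful for an unbound server; a server bound to a game is larger,
    so size alone must never clear a file."""
    return sorted(n for n, (size, _) in snap.items()
                  if abs(size / 1024 - kb) <= tolerance_kb)


def looks_like_dropper(report):
    """True when the run left a new EXE behind or opened a new port; the
    article's advice then is to go to the Removal section."""
    return bool(report["new_exes"] or report["new_ports"])


def demo():
    """Simulate the procedure in a temporary directory: two EXEs exist, an
    untrusted program drops a third (constructed), and a new port shows up."""
    with tempfile.TemporaryDirectory() as d:
        for name in ("notepad.exe", "calc.exe"):
            with open(os.path.join(d, name), "wb") as f:
                f.write(b"\0" * 1024)
        before = snapshot_exes(d)
        # Constructed effect of running the suspect file: a 373 kb EXE appears
        # under a random-looking name like the one the article mentions.
        with open(os.path.join(d, "HLSGHJSD.EXE"), "wb") as f:
            f.write(b"\0" * (373 * 1024))
        after = snapshot_exes(d)
        # Constructed port sets: 139 was open before, 27374 is new.
        report = diff_snapshots(before, after, {139}, {139, 27374})
        report["near_373kb"] = near_size(after)
    return report


if __name__ == "__main__":
    r = demo()
    print(r, "=> suspicious" if looks_like_dropper(r) else "=> clean")
```

In practice you would call `snapshot_exes(r"C:\Windows")` and feed the listening-port sets from netstat or your network monitor before and after the run; anything in `new_exes` or `new_ports` is what the article tells you to look for.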
Usage 1 - EditServer.exe
So you got Sub7 (2.1 Bonus, I hope, or latest version), and it's sitting there waiting to get used. Look at all those options!
Let's get started, shall we? If you have a specific person you wish to get, then it is necessary to read this section. If you just wanna have some fun with a random victim, then you can skip to "Usage 2 - Finding a Victim."
First off, open EditServer.exe, click Browse at the top, select the SERVER.EXE, and choose Read Current Settings.
The first thing you need to do is choose how the server will be started each time the computer is booted.
The two registry options will place it in the registry under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run or RunServices depending on which you choose.
These options are fine if the victim is fairly inexperienced with Windows. You need to choose a registry key, so choose something that looks important that the victim won't mess with (i.e., don't choose Hacker_Program).
WIN.INI is also for the inexperienced victim, and simply places the server EXE path (C:\Windows\SERVERNAME.EXE) in WIN.INI so it is started each time Windows starts.
"Less Known Method" places the server in the SYSTEM.INI as shown:
[boot]
shell=EXPLORER.EXE SERVERNAME.EXE
which will also start it each time Windows starts, and will make Windows think it's a parameter or extra option to EXPLORER.EXE.
Finally, there is "Not Known Method", which changes HKEY_LOCAL_MACHINE\Software\Classes\exefile\shell\open\command from "%1" %* to SERVERNAME.EXE "%1" %* which will cause the server to be run and re-run every time an EXE file is opened. You probably won't need to use this setting unless you think the victim knows quite a bit about Windows.
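Because the Removal section tells you to check these same start-up locations and strip the server's entries, here is an added example that audits all four of them from a defender's side. This is my code, not the article's and not part of Sub7 or EditServer.exe: it parses SYSTEM.INI for a [boot] shell= line with anything beyond EXPLORER.EXE, parses WIN.INI for a populated run= or load= line (those two key names are standard Windows, not named in the article), walks the Run and RunServices keys for executables that are not on an allow-list, and checks that the exefile open command is still exactly "%1" %*. The INI text and registry values are constructed samples; on a real machine you would read the .ini files from C:\Windows and the keys through the winreg module, and the allow-list is an assumption you tune per machine.

```python
"""Audit the start-up locations the article lists for Sub7 persistence:
Run / RunServices registry keys, the WIN.INI run=/load= lines, the
SYSTEM.INI [boot] shell= line, and the exefile\\shell\\open\\command handler.

Added defender-side example, not part of the original article. The INI
contents and registry values below are constructed samples.
"""
import re

# Constructed SYSTEM.INI with the "Less Known Method" hooked shell line.
SAMPLE_SYSTEM_INI = """\
[boot]
shell=EXPLORER.EXE SERVERNAME.EXE
[386Enh]
device=vmm32.vxd
"""

# Constructed WIN.INI carrying a run= entry for the server.
SAMPLE_WIN_INI = """\
[windows]
load=
run=C:\\Windows\\SERVERNAME.EXE
"""

# Constructed registry values as {key: {value_name: data}}; "" is the default value.
SAMPLE_REGISTRY = {
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run": {
        "SystemTray": "SysTray.Exe",
        "WindowsUpdate": "C:\\Windows\\SERVERNAME.EXE",
    },
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices": {},
    r"HKLM\Software\Classes\exefile\shell\open\command": {
        "": 'SERVERNAME.EXE "%1" %*',
    },
}

# What a clean exefile open command looks like, as the article states.
EXPECTED_EXEFILE_COMMAND = '"%1" %*'


def parse_ini(text):
    """Minimal INI parser: {section: {key: value}} with lower-cased names."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            k, v = line.split("=", 1)
            sections[current][k.strip().lower()] = v.strip()
    return sections


def audit_persistence(system_ini, win_ini, registry,
                      allowed_run=frozenset({"systray.exe"})):
    """Return a list of (location, value) findings that deviate from a clean
    Windows configuration as the article describes it."""
    findings = []

    # SYSTEM.INI [boot] shell= should be exactly EXPLORER.EXE; extra tokens
    # are the "Less Known Method".
    shell = parse_ini(system_ini).get("boot", {}).get("shell", "")
    if shell.strip().lower() != "explorer.exe":
        findings.append(("SYSTEM.INI [boot] shell=", shell))

    # WIN.INI [windows] run= and load= are normally empty.
    windows = parse_ini(win_ini).get("windows", {})
    for key in ("run", "load"):
        if windows.get(key):
            findings.append((f"WIN.INI [windows] {key}=", windows[key]))

    # Run / RunServices: flag any entry whose file name is not on the allow-list.
    for key, values in registry.items():
        if key.lower().endswith(("\\run", "\\runservices")):
            for name, data in values.items():
                exe = re.split(r"[\\/]", data.strip().strip('"'))[-1].lower()
                if exe not in allowed_run:
                    findings.append((f"{key}\\{name}", data))

    # "Not Known Method": the exefile open command must be exactly "%1" %*.
    for key, values in registry.items():
        if key.lower().endswith(r"exefile\shell\open\command"):
            cmd = values.get("", "")
            if cmd.strip() != EXPECTED_EXEFILE_COMMAND:
                findings.append((key, cmd))
    return findings


if __name__ == "__main__":
    for location, value in audit_persistence(SAMPLE_SYSTEM_INI, SAMPLE_WIN_INI, SAMPLE_REGISTRY):
        print(f"{location}: {value!r}")
```

Note the order of repair matters for the last finding: if the exefile handler has been redirected, restore it to "%1" %* before deleting the server EXE, otherwise no EXE (including REGEDIT) will launch until it is fixed.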
The next section is notification. Put a victim name, and I would recommend ICQ notify. Put your ICQ UIN in and the server will send you a message through the ICQ WWW pager, which will look like:
Sender IP: 127.0.0.1
Subject: my_victim
{port=27374}-{ip=127.0.0.1}-{victim=my_victim}-{info=UserName:New_User}-{version=M.U.I.E._2.1}-{password=yes_(sub7)}
This shows who the victim is, what the IP and port is, and if there is a password, and what the password is. "IRC Notify" will cause the server to connect to the specified IRC server on the specified port and join the specified channel and broadcast the above info, or message the info to a specified nickname. Email notify is a little trickier. You should just choose one of the servers in the list, leave the "User" field blank, and enter your email address in the "Notify To" box. From experience I have found that the "ICQ Notify" (www.icq.com) is the most efficient, although you may prefer the others.
Next is the installation box. You can choose what port you want to run the server on. I would recommend not using defaults, as they kinda give the game away. "Random Port" is also useful, and you'll always know which one it is, as you selected an appropriate notification method, didn't you? Putting in a server password, and protecting the port and password is recommended.
The "IRC Bot" section is something that does not appeal to me, but if you want to use it, there is a text file that comes with Sub7 that explains the whole thing fully. Specifying a server name is a good idea, rather than the random UIJHARG.EXE and will also make the server harder to find for the victim. As before, naming it something important looking may make the victim cautious when removing it.
"Melt Server After Installation" will install the server in C:\Windows with the filename you specified, and then delete the SERVER.EXE or whatever you called it which you sent to the victim. A fake error message will display your chosen message when the victim runs the server. You can choose the icon, the text, the buttons, etc.
Finally, "Bind With Another EXE", an excellent idea. Try binding the server with a small game or something, and make sure you send the server, not the EXE you bound it with. An EXE that does something is less suspicious to a victim than an EXE that does nothing. Also, in the top-right corner, you may want to change the server icon to fool the victim further.
Finally, at the bottom, check the "Protect Server" box and enter a password. You should do this so a clever victim can't find out your ICQ UIN or email address by using EditServer.exe. If you chose to bind an EXE, click on Save A New Copy. If you did not bind an EXE, click Save New Settings.
Now you need to get the server over to your victim. If they are a friend you want to monitor and you can get access to their PC, then simply put the server on disk, take it to your friend's computer, copy it to the desktop, and run it. If you did not enable "Melt Server", simply delete it and Empty Recycle Bin (although this won't completely remove it, as we already know, refer to article "Killing a File" in issue 16:3). It would be better to have the "Melt Server" option enabled. If you can't get to the victim PC, then you will need to choose an icon for the EXE, bind it with something, and rename it (all optional but recommended). Then send it to your victim through email, DCC, etc. When and if the victim runs it, you will get your notification via ICQ, email, or IRC. Bingo! You're in.
Usage 2 - Finding a Victim
For the user who has given the server to a desired victim, skip this part, as it describes how to find a random victim. For those who need a random victim, read on!
Open SUB7.EXE and expand the Connection menu. Click IP Scanner and enter some values. I recommend keeping the first two numbers the same, and using a range of 10 for the third, and 1 to 255 in the fourth, e.g.:
start ip: 212.126.150.1    port: 27374
end ip: 212.126.160.255    delay: 4
Specify a port (27374 and 1243 are defaults, remember) and a delay time (4 recommended). You should get a range of victims to use.
If you want an IP range to scan, /dns someone on IRC and base your choice of IP range on that. Select a victim and put the IP in the IP/UIN box at the top of the client, and the port you chose to scan in the port box. Click Connect.
Hopefully you are using 2.1 Bonus and should be able to bypass the password. If you can't, go back and select another victim until you find one that you can use. Bingo! You're in.
Usage 3 - The Client
O.K., now I'll explain all the options which you can use, menu by menu. We'll start from the top, shall we?
Connection: "IP Scanner" I have explained, although now you have a victim you can scan with their computer by using "Remote Scan", which is nice. "PC Info" shows info about the PC, stuff that was typed in during Windows setup (duh). "Retrieve" gets it, "Clear" clears it, "Save" saves it. Easy. "Home Info" may not work, as it relies on the victim inputting that information when they installed Windows. Retrieve and clear as before.
Server Options: "Change Port" enables you to specify a new port for the server to run on. It will disconnect you, and you have to reconnect on the new port. "Set Default Port" changes the port to 27374 and disconnects you as before. "Set Password" sets a password on the server, "Remove Password" removes it. "Disconnect Victim" hangs up the victim's dial-up, and obviously disconnects you as well. "Restart Server" restarts the server - if things are playing up you can use this. You will be disconnected and should be able to reconnect in about five seconds. "Remove Server" removes the server (do I really need to explain these?). "Close Server" renders the server useless until reboot. "Update Server From Local File" enables you to upload a new server from your machine, "From URL" requires that you specify the URL of a new server. "IP Notify" is the same as in edit-server (see above). If this is a random victim and you want to use them again, you need to set the server to notify your ICQ number, email address, or whatever.
Keys/Messages: "Open Keylogger" will open a new window, with which you can log the keys that are being pressed on the victim's computer. You can start, stop, clear, and save. "Send Keys" will allow you to send text to a specified window on the victim's computer (you can make the victim say "I AM GAY" on IRC). "Get Offline Keys" will retrieve keys that have been pressed while the keylogger has not been enabled. "Clear" will clear them (this feature has been a bit... "dodgy" and I'm still not certain it works 100 percent). "Disable Keyboard" will render the victim's keyboard useless (process cannot be reversed until reboot!).
Chat: You can chat with the victim (brings up a chat window that is only closed when you close yours), or with other users of the server. It's pretty self explanatory. "Matrix" is a neat little feature. It mimics the part of the film The Matrix when Neo's screen goes black and Trinity sends stuff to it. Delete all the stuff in the box and if you want anything to be displayed when you activate it, type it in. Once activated, you will be able to send stuff and see what the victim is typing. "Msg Manager" is like in EditServer.exe - it displays a fake message. Again you can define icons, title, text, and buttons. "Spy" enables you to see incoming messages to the victim's computer on several Instant messaging programs. "Enable" enables it, "Disable" disables it (I never would have guessed). "ICQ Takeover" transfers that UIN's database to your computer, so you can view the friends list, etc.
Advanced
FTP/HTTP: Enables browsing through the victim's hard drive like FTP. "Address" is the victim's IP, "Port" is whatever you want it to be. You can set a password and mask it, set maximum number of connections, and the root folder. When done, enable FTP and copy what's in the bar to a browser. Easy. "Find Files" will find files! Use it like you would use it on your own PC.
Passwords
"Get Cached or Recorded Passwords" will display passwords that have been stored by Windows. There's loads in here, such as Hotmail accounts, porn sites, etc. "RAS Passwords" will show all the dial-up accounts on the victim's computer. "Get ICQ and AIM Passwords" will do just that. "Reg Edit" enables you to alter the registry on the victim's computer. It's pretty cool and easy to use. "App Redirect" lets you run a command in dos on their computer (dir, netstat, etc.) and will display the output in the window. "Port Redirect" is cool. It allows you to say, reconnect to IRC if you have been G-lined using their host. It's kinda like a WinGate. It's also kinda hard to explain, but the text file accompanying Sub7 does it perfectly, so refer to that!
Miscellaneous
"File Manager" has loads of cool options, but remember that it does the stuff on the victim's computer, so "Display Image" will display it on their computer, not yours. You can upload, download, edit, delete (listen to your conscience), etc. One thing I suggest you do is to delete netstat.exe from C:\Windows. (My ethics on data destruction/modification on someone else's box states that you may only do so to lower the risks of being caught. Deleting netstat complies with this.) "Windows Manager" shows what windows are open and lets you play with them, "Refresh" refreshes the list, and "Show All" will show all that's running (like background stuff, etc.). "Process Manager" brings up a list of what's running on the victim's computer. "Refresh" refreshes the list, "Kill App" kills the app, and "Thread Priority" will change the priority level (killing the kernel will crash the victim's computer; if you see something stupidly obvious like netmon.exe, you may want to kill it). "Text To Speech" lets you say stuff out of the victim's speakers. You must first upload the text-to-speech engine, which can be obtained from the Sub7 homepage. Type what you wanna say and click Say It! "Clipboard Manager" lets you see what's on the clipboard, change what's on the clipboard, or clear the clipboard. "IRC Bot" is explained fully in the text file that accompanies Sub7.
Fun Manager
Desktop/Webcam: This lets you have a preview of the desktop in a small window. You can also have continuous capture by lowering the interval time. "Full Screen Capture" shows you the victim's screen in full detail. "Webcam Capture" will show you the victim's ugly mug, or whatever the webcam is pointing at (if they have one). "Flip Screen" lets you flip the victim's screen horizontally and vertically. It can be restored by a double-click. (I once found someone playing Red Alert online - this feature was hilarious!) "Print" allows you to specify text, size, and font style, and then print it ("I know where you live" works kinda well!). "Browser" opens the victim's browser and points it to the specified URL. "Resolution" lets you change the victim's resolution. "Win Colors" lets you change the colors of the various parts of a window. Test it on yourself first to see what it will look like. Psychedelic baybee...
Extra Fun
"Screensaver" lets you change the scrolling marquee screensaver to say whatever you want. All the options are there as they would appear in Control Panel, except password protection. "Restart Win" allows you to restart Windows or shut down in a variety of ways. "Mouse" has several options. It lets you reverse and restore the buttons, hide and show the cursor, control the mouse, and set and show mouse trails. "Sound" lets you record sound and play it. It also lets you change the sound settings of the victim's computer (read them first). "Time/Date" lets you read and change the victim's time and date. "Extra" has all the other fun features, which are pretty self explanatory and quite cool to play about with.
Local Options
"Quality" lets you define the quality of the images you retrieve in "Desktop Capture", and also the quality of the webcam transmission. Higher quality means slower transfer time. "Local Folder" is where all the downloaded stuff is stored. "Skins" just make the client look pretty - you can get them from the Sub7 home page. "Misc Options" are pretty self-explanatory and have some neat little tools you can toggle to customize Sub7 to your needs. "Advanced" shows the ports for three of the features. You only need to change them if the features aren't working properly, but this shouldn't be necessary. "Run EditServer" will run EditServer.exe (sheesh). Finally, at the top of the client there is an "IP Address Book" feature to store victims, an exclamation mark button which pings the victim's computer to make sure it's still alive, and two shortcut menus which can be configured to what you use most. I almost forgot "IP Tool"! A cool little option which resolves host names to IPs, to UINs, and back and forth.
Conclusion
So now you know pretty much everything there is to know about this hugely popular Trojan tool.
When you're roaming through a victim's box, listen to your conscience. Don't delete random stuff and don't scare the shit out of them. (I once found some 80-year-old guy and promptly removed the server for him. That shit's just way out of line.) You can get decent stuff out of their box (passwords, port redirects, etc.) so don't abuse it.
Do nothing to their box that you wouldn't like done to your own.