iDEFENSE Intelligence Services
Wednesday, June 14, 2000
12:45 pm (EST)

iDEFENSE Analysis Reveals Additional Capabilities
of SubSeven Trojan

Utilizing IRC, Hackers Can Bypass Corporate Firewalls
to Send Distributed Ping Flood Commands

Last week (June 8), security consultants at NetSec announced that malicious hackers were planning to use a network of servers compromised by the SubSeven Trojan to launch a distributed denial of service (DDoS) attack. In the wake of this announcement, differing views about the capabilities of SubSeven have emerged. In light of these differences and concerns, iDEFENSE is conducting further analysis of the SubSeven Trojan and has discovered additional capabilities that have so far not been widely emphasized.

This analysis has so far revealed that certain versions of the SubSeven Trojan (analysis has focused on SubSeven 2.1) include a bot component through which infected SubSeven servers can be commanded from Internet Relay Chat (IRC) channels, and that those IRC commands can be used to launch ping flood denial of service (DoS) attacks.

The IRC command capacity is significant because the commands ride on an outbound IRC connection that the compromised machine itself initiates; corporate firewalls and other security devices that are not configured to stop questionable outbound traffic will not detect the passage of the commands. In addition, home and small office users with "always connected" DSL and cable modem connections, but without firewalls and up-to-date anti-virus software, are of special concern. The ping flood capacity is also significant because, in combination with the ability to communicate over IRC, it allows a malicious attacker to launch a distributed ping flood attack using all the compromised machines logged onto the appropriate IRC channel at any given time.

Once the SubSeven 2.1 server has been run on a machine, the Trojan activates an IRC bot component that logs the compromised machine onto a predefined IRC server. The bot sits passively on IRC until it sees a specially formulated "login" command. As soon as the bot sees this command, it automatically replies with the information an intruder would require in order to log in to the server through the Trojan client: the IP address of the compromised machine, the port on which the SubSeven server is listening for client connections, and the password it requires.

While a properly configured firewall should block inbound attempts to use this information to reach the server with the Trojan client, the response is still valuable to the attacker because it indicates how many servers are available. The intruder can then send a number of commands to the server via IRC, while the server appears to be sitting innocuously on a conventional IRC connection. These commands range from traditional Trojan activities such as "spy" to the overlooked "ping" and "mping" capabilities.

The ability to command SubSeven servers to launch multiple ping (mping) attacks over IRC effectively allows anyone controlling multiple SubSeven server bots to launch a distributed denial of service attack against multiple machines with a single IRC command. The attacker can command every compromised server logged onto the designated IRC channel to send thousands of large ping packets to a particular IP address at the same time. This is not the same master and zombie/slave relationship that has come to be identified with DDoS tools such as Trinoo and Stacheldraht, but SubSeven is capable of launching a denial of service attack distributed across potentially thousands of machines. And in many cases it could do so without alerting the owners of those machines, if they have taken no action to detect and remove the infection.

iDEFENSE is urging its clients to take the following actions against SubSeven and similar exploitation tools. As always, careful configuration of firewalls and other security devices is imperative. Firewalls should be set to disallow all unsolicited inbound services and to allow only those that are specifically required. Users are also encouraged to apply this guidance to outgoing traffic, which is what carries the bot's IRC connection, and to block and log traffic on known Trojan ports (e.g., 2221, 2222, 6669, and 7000). Up-to-date anti-virus software will catch uncompressed versions of the SubSeven Trojan. Customers are urged to update signatures and perform anti-virus scans to ensure that SubSeven was not able to slip past these defenses through a Trojan dropper or some other vehicle.
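The following is an added example, not code from iDEFENSE or from the SubSeven author, showing how the two behaviors described above (internal hosts holding an outbound IRC session, and several internal hosts sending large ICMP echo bursts to one target at the same moment, which is what a single "mping" command produces) can be picked out of flow records, and how the firewall guidance above (drop unsolicited inbound, allow only required outbound services, drop and log the listed Trojan ports) decides each flow. The corporate address range, the allowed-service lists, the IRC port list beyond the ports named in the advisory, the detection thresholds, and the sample flow records are all assumptions constructed for the example.

```python
# Added example: flow-record triage for the SubSeven IRC-bot and "mping" behaviour.
# Not iDEFENSE code. All addresses, port lists and sample flows are constructed.
from __future__ import annotations
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.0.0.0/8")               # assumed corporate range
TROJAN_PORTS = {2221, 2222, 6669, 7000}           # ports listed in the advisory
IRC_PORTS = {6665, 6666, 6667, 6668, 6669, 7000}  # conventional IRC ports (assumption)
ALLOWED_OUTBOUND_TCP = {25, 53, 80, 443}          # assumed "specifically required" services
PUBLISHED_INBOUND_TCP = {25, 80}                  # assumed published inbound services
WINDOW = 10                                       # seconds per detection bucket


@dataclass(frozen=True)
class Flow:
    ts: int        # epoch seconds
    src: str
    dst: str
    proto: str     # "tcp", "udp" or "icmp"
    dport: int     # 0 for icmp
    packets: int
    bytes: int


def is_internal(addr: str) -> bool:
    return ip_address(addr) in INTERNAL


def egress_decision(f: Flow) -> tuple[str, str]:
    """Apply the advisory's firewall guidance to one flow."""
    inbound = not is_internal(f.src) and is_internal(f.dst)
    outbound = is_internal(f.src) and not is_internal(f.dst)
    if inbound:
        if f.proto == "tcp" and f.dport in PUBLISHED_INBOUND_TCP:
            return ("accept", "published inbound service")
        return ("drop+log", "unsolicited inbound")
    if outbound:
        if f.dport in TROJAN_PORTS:
            return ("drop+log", f"known Trojan port {f.dport}")
        if f.proto == "tcp" and f.dport in ALLOWED_OUTBOUND_TCP:
            return ("accept", "required outbound service")
        return ("drop+log", "outbound service not on the allow list")
    return ("accept", "internal traffic")


def irc_talkers(flows) -> set[str]:
    """Internal hosts with outbound TCP sessions on IRC ports: bot candidates."""
    return {f.src for f in flows
            if is_internal(f.src) and not is_internal(f.dst)
            and f.proto == "tcp" and f.dport in IRC_PORTS}


def distributed_ping_floods(flows, min_sources=3, min_avg_bytes=500) -> dict[str, set[str]]:
    """Targets hit by large ICMP echo bursts from several internal hosts in the
    same WINDOW: the fan-out of one 'mping' command over the IRC channel."""
    # target -> bucket -> [sources, packets, bytes]
    by_target = defaultdict(lambda: defaultdict(lambda: [set(), 0, 0]))
    for f in flows:
        if f.proto != "icmp" or not is_internal(f.src):
            continue
        entry = by_target[f.dst][f.ts // WINDOW]
        entry[0].add(f.src)
        entry[1] += f.packets
        entry[2] += f.bytes
    hits: dict[str, set[str]] = {}
    for target, buckets in by_target.items():
        for sources, pkts, nbytes in buckets.values():
            if len(sources) >= min_sources and pkts and nbytes / pkts >= min_avg_bytes:
                hits.setdefault(target, set()).update(sources)
    return hits


SAMPLE_FLOWS = [  # constructed sample records, not captured traffic
    Flow(1000, "10.0.0.5", "198.51.100.20", "tcp", 6667, 40, 3000),    # bot's IRC session
    Flow(1001, "10.0.0.7", "198.51.100.20", "tcp", 6667, 35, 2800),    # second bot
    Flow(1002, "10.0.0.9", "198.51.100.20", "tcp", 6667, 30, 2500),    # third bot
    Flow(1003, "10.0.0.11", "192.0.2.8", "tcp", 443, 12, 9000),        # ordinary browsing
    Flow(1004, "192.0.2.77", "10.0.0.5", "tcp", 2222, 3, 180),         # inbound probe of a Trojan port
    Flow(1010, "10.0.0.5", "203.0.113.9", "icmp", 0, 2000, 2_000_000),  # mping fan-out, ~1000-byte pings
    Flow(1011, "10.0.0.7", "203.0.113.9", "icmp", 0, 1800, 1_800_000),
    Flow(1012, "10.0.0.9", "203.0.113.9", "icmp", 0, 2100, 2_100_000),
    Flow(1013, "10.0.0.11", "192.0.2.8", "icmp", 0, 4, 256),           # one ordinary 64-byte ping
]

if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        print(f.src, "->", f.dst, f.proto, f.dport, *egress_decision(f))
    print("IRC talkers:", sorted(irc_talkers(SAMPLE_FLOWS)))
    print("distributed ping floods:", distributed_ping_floods(SAMPLE_FLOWS))
```

Note that the same egress rule which drops a connection to a listed Trojan port also drops the bots' IRC sessions, because IRC is not on the allow list: that is the practical effect of applying the inbound guidance to outbound traffic. The flood detector keys on many internal sources, one target, one time window and a high average packet size, so a single host's ordinary ping is not flagged.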

iALERT delivers daily monitoring and analysis of cyberthreats, vulnerabilities, and incidents to iDEFENSE’s clients.

This e-mail is delivered to journalists covering the information security field.

For more information or comment please contact Jerry Irvine at 703.898.8283 or mail to:
jirvine@idefense.com
