Security Incidents mailing list archives

ISS Security Alert: Widespread incidents of SubSeven DEFCON8 2.1 Backdoor


From: Aleph One <aleph1 () UNDERGROUND ORG>
Date: Mon, 9 Oct 2000 13:54:43 -0700

Internet Security Systems Security Alert
October 8, 2000

Widespread incidents of SubSeven DEFCON8 2.1 Backdoor

Synopsis:

Internet Security Systems (ISS) X-Force has discovered over 800 computers
infected with the SubSeven DEFCON8 2.1 backdoor. This backdoor is an updated
version of SubSeven, which is described at:
http://xforce.iss.net/static/2245.php. It has been distributed on Usenet
newsgroups with file names such as "SexxxyMovie.mpeg.exe".  X-Force has
determined that individuals are using this network of compromised hosts to
test new distributed denial of service (DDoS) methods and strategies.

Description:

This version of SubSeven joins an IRC (Internet Relay Chat) channel on
irc.icq.com to notify the attacker that a machine has been infected.
X-Force has successfully reverse-engineered the password for the distributed
server and has determined that it is "acidphreak". Each installation of
SubSeven is configured to use a random file name. This version of SubSeven
listens on port 16959, which differs from the ports used by previous versions
of the SubSeven backdoor.

There have been many previously released versions of the SubSeven backdoor.
SubSeven allows remote attackers to obtain cached passwords, play audio files,
view a webcam, and capture screenshots. SubSeven also contains functionality
to notify intruders via IRC or ICQ when new computers are infected. This
version of SubSeven only works on Windows 95 and Windows 98. Most of the
computers infected to date appear to be home computers on high-speed cable
modem or DSL connections.

When SubSeven is being controlled with IRC commands, it is possible to utilize
the victim computers to perform a distributed denial of service attack (DDoS).
The X-Force observed an attacker launching a true distributed denial of
service attack using this network of SubSeven agents.  Without special
configuration, attackers can launch oversized ping packet attacks with
SubSeven. It is also possible for attackers to upload more advanced flooding
tools to each agent and use them in a similar manner.

Once connected to the SubSeven port 16959, the server will display "PWD" and
prompt for a password.  A successful login will return a banner similar to
the text below:

connected. 14:43.41 - October 6, 2000, Friday, version: DEFCON8 2.1

Recommendations:

Infected parties can identify this version of the SubSeven backdoor by
verifying that TCP port 16959 is listening and that a connection to that port
responds with "PWD".
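As an added example (not part of the ISS alert), a small Python probe that applies the check above to a host you administer: it connects to TCP 16959, reads the unauthenticated prompt, and reports whether it matches the documented "PWD". No login is attempted. The fake_listener helper is constructed here only so the probe can be exercised offline.

```python
import socket
import threading

SUBSEVEN_PORT = 16959        # listener port named in the alert
SUBSEVEN_PROMPT = b"PWD"     # prompt the server sends on connect, per the alert


def looks_like_subseven_prompt(data: bytes) -> bool:
    """True if the bytes read on connect carry the documented "PWD" prompt."""
    return data.strip().upper().startswith(SUBSEVEN_PROMPT)


def probe_subseven(host="127.0.0.1", port=SUBSEVEN_PORT, timeout=3.0) -> str:
    """Classify what answers on host:port: 'closed', 'open-other' or
    'open-subseven'. Only the unauthenticated prompt is read; no login."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            try:
                banner = s.recv(64)
            except OSError:          # timeout or reset: no prompt received
                banner = b""
    except OSError:                  # refused, unreachable, timed out
        return "closed"
    return "open-subseven" if looks_like_subseven_prompt(banner) else "open-other"


def fake_listener(banner: bytes) -> int:
    """Constructed stand-in for testing only: accept one connection on an
    ephemeral localhost port, send `banner`, close. Returns the bound port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        conn.sendall(banner)
        conn.close()
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    print(f"{target}:{SUBSEVEN_PORT} -> {probe_subseven(target)}")
```

A result of "open-other" means something else owns the port; "open-subseven" should be followed by the removal steps below.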

The SubSeven 2.1 client can be used to connect to the infected machine using
the password "acidphreak". To remove the server, go to the Connection menu,
select Server options, and click the Remove server button.

To download the SubSeven 2.1 client, use the following link:

http://subseven.slak.org/download.html

Internet Security Systems RealSecure customers can configure RealSecure to
detect this version of SubSeven. To do so, edit the \template\protocols key
in the policy file with a text editor.  Add the port number "16959" to the
subseven line if it exists, or add the following line if no SubSeven entry
is present:

subseven        =S      27374 1243 16959;

The ISS X-Force will provide additional functionality to detect these
vulnerabilities in upcoming X-Press Updates for Internet Scanner, RealSecure,
and System Scanner.

Additional Information:

The Common Vulnerabilities and Exposures (CVE) project has assigned the
following names to these issues. These are candidates for inclusion in the
CVE list (<http://cve.mitre.org>), which standardizes names for security
problems.

CAN-1999-0660  A hacker utility or Trojan Horse is installed on a system.
CAN-2000-0138  A system has a distributed denial of service (DDOS) attack
               master, agent, or zombie installed.

_______

About Internet Security Systems (ISS)

Internet Security Systems (ISS) is a leading global provider of security
management solutions for the Internet. By providing industry-leading
SAFEsuite® security software, remote managed security services, and
strategic consulting and education offerings, ISS is a trusted security
provider to its customers, protecting digital assets and ensuring safe
and uninterrupted e-business. ISS' security management solutions protect
more than 6,000 customers worldwide including 21 of the 25 largest U.S.
commercial banks, the top 10 telecommunications companies and more than
35 government agencies. Founded in 1994, ISS is headquartered in
Atlanta, GA, with additional offices throughout North America and
international operations in Asia, Australia, Europe, Latin America and
the Middle East. For more information, visit the Internet Security
Systems web site at www.iss.net or call 888-901-7477.

Copyright (c) 2000 by Internet Security Systems, Inc.

Permission is hereby granted for the redistribution of this Alert
electronically. It is not to be edited in any way without express
consent of the X-Force. If you wish to reprint the whole or any part of
this Alert in any other medium excluding electronic medium, please
e-mail xforce () iss net for permission.

Disclaimer

The information within this paper may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There
are NO warranties with regard to this information. In no event shall the
author be liable for any damages whatsoever arising out of or in
connection with the use or spread of this information. Any use of this
information is at the user's own risk.

X-Force PGP Key available at: http://xforce.iss.net/sensitive.php as well
as on MIT's PGP key server and PGP.com's key server.

Please send suggestions, updates, and comments to: X-Force
xforce () iss net of Internet Security Systems, Inc.