Security Incidents mailing list archives
ISS Security Alert: Widespread incidents of SubSeven DEFCON8 2.1 Backdoor
From: Aleph One <aleph1 () UNDERGROUND ORG>
Date: Mon, 9 Oct 2000 13:54:43 -0700
Internet Security Systems Security Alert
October 8, 2000

Widespread incidents of SubSeven DEFCON8 2.1 Backdoor

Synopsis:

Internet Security Systems (ISS) X-Force has discovered over 800 computers infected with the SubSeven DEFCON8 2.1 backdoor. This backdoor is an updated version of SubSeven, which is described at: http://xforce.iss.net/static/2245.php. It has been distributed on Usenet newsgroups with file names such as "SexxxyMovie.mpeg.exe". X-Force has determined that individuals are using this network of compromised hosts to test new distributed denial of service (DDoS) methods and strategies.

Description:

This version of SubSeven joins an IRC (Internet Relay Chat) channel on irc.icq.com to notify the attacker that a machine has been infected. X-Force has successfully reverse-engineered the distributed server and has determined that its password is "acidphreak". Each installation of SubSeven is configured to use a random file name. This version of SubSeven listens on port 16959, which differs from the ports used by previous versions of the SubSeven backdoor.

There have been many previously released versions of the SubSeven backdoor. SubSeven allows remote attackers to obtain cached passwords, play audio files, view a webcam, and capture screenshots. SubSeven also contains functionality to notify intruders via IRC or ICQ when new computers are infected. This version of SubSeven only works on Windows 95 and Windows 98. Most of the computers infected to date appear to be home computers on high-speed cable modem or DSL connections.

When SubSeven is being controlled with IRC commands, it is possible to utilize the victim computers to perform a distributed denial of service (DDoS) attack. The X-Force observed an attacker launching a true distributed denial of service attack using this network of SubSeven agents. Without special configuration, attackers can launch oversized ping packet attacks with SubSeven. It is also possible for attackers to upload more advanced flooding tools to each agent and use them in a similar manner.

Once connected to the SubSeven port 16959, the server will display "PWD" and prompt for a password. A successful login will return a banner similar to the text below:

connected. 14:43.41 - October 6, 2000, Friday, version: DEFCON8 2.1

Recommendations:

Infected parties can identify this version of the SubSeven backdoor by verifying that TCP port 16959 is listening and that a connection to that port responds with "PWD". The SubSeven 2.1 client can be used to connect to the infected machine using the password "acidphreak". To remove the server, go to the Connection menu, select Server options, and click the Remove server button. To download the SubSeven 2.1 client, use the following link: http://subseven.slak.org/download.html

Internet Security Systems RealSecure customers can configure RealSecure to detect this version of SubSeven. To do so, edit the \template\protocols key in the policy file with a text editor. Add the port number "16959" to the subseven line if it exists, or add the following line if no SubSeven entry is present:

subseven =S 27374 1243 16959;

The ISS X-Force will provide additional functionality to detect these vulnerabilities in upcoming X-Press Updates for Internet Scanner, RealSecure, and System Scanner.

Additional Information:

The Common Vulnerabilities and Exposures (CVE) project has assigned the following names to these issues. These are candidates for inclusion in the CVE list (<http://cve.mitre.org>), which standardizes names for security problems.

CAN-1999-0660 A hacker utility or Trojan Horse is installed on a system.

CAN-2000-0138 A system has a distributed denial of service (DDOS) attack master, agent, or zombie installed.

_______

About Internet Security Systems (ISS)

Internet Security Systems (ISS) is a leading global provider of security management solutions for the Internet.
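The identification check the alert recommends (TCP port 16959 listening, greeting begins with "PWD") as a read-only probe, written here as an added example rather than code from ISS or the alert. It never sends anything to the remote side and never attempts a login; the loopback listener is a constructed stand-in so the probe can be exercised offline.

```python
import socket
import threading

SUBSEVEN_PORT = 16959   # nonstandard listener port used by the DEFCON8 2.1 build
PWD_PROMPT = b"PWD"     # greeting the server sends before asking for a password

def is_subseven_prompt(data: bytes) -> bool:
    """True if the first bytes read from the connection are the PWD prompt
    the alert describes. Matching is case-insensitive and ignores leading
    whitespace so a stray CR/LF does not hide the indicator."""
    return data.lstrip().upper().startswith(PWD_PROMPT)

def probe_host(host: str, port: int = SUBSEVEN_PORT, timeout: float = 3.0) -> dict:
    """Connect, read the greeting, and report. Nothing is ever sent to the
    remote side, so the check is read-only and never attempts a login."""
    result = {"host": host, "port": port, "open": False,
              "banner": b"", "subseven": False}
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            result["open"] = True
            sock.settimeout(timeout)
            try:
                result["banner"] = sock.recv(64)
            except socket.timeout:
                pass            # open port that stays silent: not this backdoor
    except OSError:
        return result           # refused / unreachable: nothing listening
    result["subseven"] = is_subseven_prompt(result["banner"])
    return result

def fake_subseven_listener(greeting: bytes = b"PWD") -> int:
    """Constructed stand-in for an infected host, used only so the probe can
    be exercised offline: a loopback listener that sends `greeting` once and
    closes. Returns the port it was bound to."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        conn.sendall(greeting)
        conn.close()
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]
```

Run `probe_host("<host>")` against a machine you administer; a result with `"open": True` and `"subseven": True` matches the alert's indicator, while an open port with a different greeting is some other service.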
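The RealSecure policy edit described above (append "16959" to an existing subseven line, or add the full line if none exists) as an added example; this is not ISS code, and it assumes the \template\protocols key is plain text with one "name =S port port...;" entry per line, as in the line the alert quotes. The sample policy text is constructed.

```python
import re

NEW_PORT = 16959
# One protocol entry per line, e.g. "subseven =S 27374 1243;" (format assumed
# from the single line the alert quotes; =S and the trailing ";" are kept as-is).
SUBSEVEN_LINE_RE = re.compile(r"^(\s*subseven\s*=S\s*)([\d\s]*?)\s*;\s*$", re.IGNORECASE)

def add_subseven_port(policy_text: str, port: int = NEW_PORT) -> str:
    """Return the policy text with `port` present on the subseven line.
    - existing subseven line already listing the port: text returned unchanged
    - existing subseven line without it: port appended before the ";"
    - no subseven line at all: the full line from the alert is added
    Every other line is left byte-for-byte as it was."""
    had_newline = policy_text.endswith("\n")
    lines = policy_text.splitlines()
    for i, line in enumerate(lines):
        m = SUBSEVEN_LINE_RE.match(line)
        if not m:
            continue
        ports = m.group(2).split()
        if str(port) in ports:
            return policy_text                      # idempotent: nothing to do
        ports.append(str(port))
        lines[i] = f"{m.group(1)}{' '.join(ports)};"
        break
    else:
        # 27374 and 1243 are the earlier SubSeven ports listed on the alert's line.
        lines.append(f"subseven =S 27374 1243 {port};")
    return "\n".join(lines) + ("\n" if had_newline else "")

# Constructed sample of a protocols key with an older subseven entry.
SAMPLE_POLICY = "netbus =S 12345;\nsubseven =S 27374 1243;\n"
```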
By providing industry-leading SAFEsuite® security software, remote managed security services, and strategic consulting and education offerings, ISS is a trusted security provider to its customers, protecting digital assets and ensuring safe and uninterrupted e-business. ISS security management solutions protect more than 6,000 customers worldwide including 21 of the 25 largest U.S. commercial banks, the top 10 telecommunications companies and more than 35 government agencies. Founded in 1994, ISS is headquartered in Atlanta, GA, with additional offices throughout North America and international operations in Asia, Australia, Europe, Latin America and the Middle East. For more information, visit the Internet Security Systems web site at www.iss.net or call 888-901-7477.

Copyright (c) 2000 by Internet Security Systems, Inc.

Permission is hereby granted for the redistribution of this Alert electronically. It is not to be edited in any way without express consent of the X-Force. If you wish to reprint the whole or any part of this Alert in any other medium excluding electronic medium, please e-mail xforce () iss net for permission.

Disclaimer

The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties with regard to this information. In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.

X-Force PGP Key available at: http://xforce.iss.net/sensitive.php as well as on MIT's PGP key server and PGP.com's key server.

Please send suggestions, updates, and comments to: X-Force xforce () iss net of Internet Security Systems, Inc.