SUB7 Secrets X-Posed
-=[ Presented by WaJ ]=-

Author      | Wajid
Target      | SUB7 2.0 trojan horse
Completed   | 20 NOV 99 (public release)
Last Update | 9 DEC 99
Groups      | Hellforge
Contact     | [email protected]
Dedication  | DG '99
Wise Word   | Treasure Your Privacy!
Please note, I have nothing against the SUB7 crew. In fact, with the updates, I believe that SUB7 is by far the best remote access package in its own ways. It is full of features that no other trojan has. Although the features can be done manually, mobman has done a great job in implementing them within the program itself. I have decided to remove all my ANTI-SUB7-CREW documents and I would like to apologise to Slim, all the crew members and mobman for being such a fool. Although this will not affect my future work on the trojan, you will no longer see SUB7 vs BO2K theories or anti-Slim documents. Condolences to ReVeNGeR.

Even so, I don't recommend using SUB7 on your precious victims. SUB7 has a backdoor through which a person (apparently mobman) can connect to your victims, overriding any password mechanism. This STILL exists in the most up-to-date version. SUB7 is not the only one that does this... remember NetBus 1.7? Remember how it opens 12345 & 12346? Remember how NetBuster is able to reset the password? How? hehe. BO2K has NO SUCH overriding feature! Look at the source, compile it and use it. And yeah... don't think your victims are only your victims!
Sub7 employs some new characteristics that have not yet been exposed to the public on a mass scale. Apparently 3 out of 10 people will not realise how Sub7 starts up or where it stores its information at the time of writing (11/11/99). This document is meant to expose that "top secret" information, which, as far as I can tell, is not available on the internet at the moment. You may well see many modified versions of this text after its initial release.
There are 5 methods by which Sub7 can start up. They say the last 2 are secret and "unknown". They will be known to you after reading this document. heh....

Startup Methods:

#1: Registry RUN: HKLM\Software\Microsoft\Windows\CurrentVersion\Run -- duh, the most obvious.
#2: Registry RUNSERVICES: HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices -- duh, the second most obvious.
#3: WIN.INI: the run= line in the [windows] section -- duh, the third most obvious.
#4: SYSTEM.INI: the shell= line in the [boot] section, which normally reads shell=Explorer.exe and gets the server appended after Explorer.exe -- duh, the so-called "not-very-known" method.
#5: Now our start method. heh....
NOT KNOWN = C:\WINDOWS\RUN.EXE

This file is created to execute the server; it is NOT the server itself. It is dropped from the resource section of the server at runtime (if the "unknown" start method option was selected when the server was configured).

Now, obviously this file can't run by itself just by being called run.exe and placed in the Windows directory, so there must be somewhere its startup information is kept.. duh.. yeah, and that is the key:

HKCR\exefile\shell\open\command

hmmmmmmmm, I hear you say... and it sets the default value of that key to:

run.exe "%1" %*

(The Windows default for this value is just "%1" %*, i.e. the executable and its arguments.)
run.exe is 11,371 bytes long and is packed with the UPX 0.72 packer. Damn it, these guys love packers...
Now, you may be asking: WHY THE HELL make run.exe? Why not directly execute the server? Intelligent question. I'll let you into a little secret... The above method of execution, although quite hidden, replaces the usual execution path of Windows. When you launch an executable from the shell, Windows DOES NOT directly execute it; instead it executes `run.exe "%1" %*`. Here the path of your executable (%1) and any arguments (%*) are passed to run.exe, which starts the server (if it is not already running) and then executes the program you asked for. So run.exe actually runs upon execution of ANY .exe file launched through the shell (double-clicked in Explorer, Start > Run, and so on; a program that calls CreateProcessA on the file directly bypasses the association). VERY, VERY inefficient! run.exe will be invoked many times, and of course this is not very good...
So if you are infected: kill any suspicious processes running from the Windows directory (up to version 2.0 you can't set the install path, so the server lives there.. heh), then delete the server file, then delete run.exe from your Windows directory, and set the default value of the above key back to the Windows default:

"%1" %*

NOTE: DO NOT DELETE THIS KEY, and do not leave its value empty either! In either case you will no longer be able to execute any .exe files from the shell. heh.
Also, I hope you have a query regarding the execution of files whose extension is not .exe. You can configure the server to be a .dl file. What's up with this, I hear you say... Well, this was first introduced by cDc in BO 1.2 (an excellent tool, I have to say). The BO 1.2 config allowed you to name the file with any extension. This is how they do it:

They register a new file type for the extension, i.e. if it does not already exist, they create a key for it under the root key HKCR\. For example, for the .dl file they create "HKCR\.dl". They set its default value to "exefile" and create another string value called "Content Type" within the same key, set to "application/x-msdownload". These are exactly the values Windows has for .exe, so the extension is treated as an executable and the server can run the file without first renaming it to .exe.
Also, some encrypted data is held by the server at the registry key:

HKLM\Enum\PCI\RGNSSS\

Just delete this fucking key! I suspect it is something to do with that server-protection thing. For example:

HKLM\Enum\PCI\RGNSSS\â£Ö᪽ª¦Kû¦Çÿá£ = "·7_"
HKLM\Enum\PCI\RGNSSS\t¼ñ®ÿÑ¿|xû = "££ñÑÿhb£xû"
HKLM\Enum\PCI\RGNSSS\üªñ½Sà®ñbû = "fpgp"

As far as I know this is used only by the server; it is not related to Windows in any way. IMHO (even though I can't even get the server to work) this is the information that protects the port from being modified etc.
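To make the above concrete, here is an added example (mine, not part of the original text and not the SUB7 crew's code) that audits a registry export for the traces described so far: Run/RunServices entries, a hijacked HKCR\exefile\shell\open\command, a non-.exe extension mapped to the exefile class the way .dl is, and the RGNSSS key. It assumes the export is in the REGEDIT4 text format that `regedit /e` writes on Windows 9x, and that the clean default for the exefile command is "%1" %*, so the remediation file it emits restores that value rather than an empty string. The sample export in the script is constructed; the RGNSSS key and value data in it are made up, since the real data is encrypted.

```python
"""Audit a Windows 9x registry export (REGEDIT4 text) for the Sub7 traces
described in the text above. Added example, not Sub7's code."""
import re
import sys

# Assumed Windows default for HKCR\exefile\shell\open\command. Restoring this,
# not an empty string, is what keeps .exe launching working after cleanup.
WIN_DEFAULT_EXE_CMD = '"%1" %*'
EXEFILE_CMD = r'HKEY_CLASSES_ROOT\exefile\shell\open\command'
RUN_KEYS = (r'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run',
            r'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices')
RGNSSS = r'HKEY_LOCAL_MACHINE\Enum\PCI\RGNSSS'

# A value line: @=... for the default value, or "name"=... for a named value.
_VALUE = re.compile(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$')


def _unescape(s):
    # .reg data escapes backslash and double quote with a backslash
    return re.sub(r'\\(.)', r'\1', s)


def parse_reg(text):
    """Parse REGEDIT4 text into {key: {name: data}}; '@' is the key's default value."""
    reg, key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('REGEDIT') or line.startswith(';'):
            continue
        if line.startswith('[') and line.endswith(']'):
            key = line[1:-1]
            reg.setdefault(key, {})
            continue
        m = _VALUE.match(line)
        if m and key is not None:
            name = '@' if m.group(1) == '@' else _unescape(m.group(2))
            data = m.group(3)
            if data.startswith('"') and data.endswith('"'):
                data = _unescape(data[1:-1])   # string data; hex:/dword: left as-is
            reg[key][name] = data
    return reg


def _key(reg, wanted):
    """Case-insensitive lookup, since registry key names are case-insensitive."""
    for k, vals in reg.items():
        if k.lower() == wanted.lower():
            return vals
    return {}


def audit(reg):
    """Return a list of (kind, key, detail) findings."""
    findings = []
    for k in RUN_KEYS:                                   # methods #1 and #2: list for review
        for name, data in _key(reg, k).items():
            findings.append(('run', k, f'{name} = {data}'))
    cmd = _key(reg, EXEFILE_CMD).get('@')                # method #5: anything but "%1" %*
    if cmd is not None and cmd.strip().lower() != WIN_DEFAULT_EXE_CMD.lower():
        findings.append(('hijack', EXEFILE_CMD, f'@ = {cmd}'))
    for k, vals in reg.items():                          # .dl-style extension remap
        m = re.fullmatch(r'HKEY_CLASSES_ROOT\\(\.[^\\]+)', k, re.IGNORECASE)
        if m and m.group(1).lower() != '.exe' and vals.get('@', '').lower() == 'exefile':
            findings.append(('remap', k, f'{m.group(1)} -> exefile ({vals.get("Content Type", "?")})'))
    for k in reg:                                        # server-protection data, unused by Windows
        if k.lower().startswith(RGNSSS.lower()):
            findings.append(('rgnsss', k, 'Sub7 server data key'))
    return findings


def remediation_reg(findings):
    """Build REGEDIT4 text that restores the exefile handler and deletes the remap
    and RGNSSS keys (a leading '-' on a key line deletes it). Run entries are left
    for the reader to review by hand."""
    out = ['REGEDIT4', '']
    for kind, key, _ in findings:
        if kind == 'hijack':
            escaped = WIN_DEFAULT_EXE_CMD.replace('\\', '\\\\').replace('"', '\\"')
            out += [f'[{key}]', f'@="{escaped}"', '']
        elif kind in ('remap', 'rgnsss'):
            out += [f'[-{key}]', '']
    return '\n'.join(out)


# Constructed sample export of an infected box: the run.exe hijack, the .dl
# trick and an RGNSSS key (the RGNSSS names and data here are made up).
SAMPLE_REG = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="run.exe \"%1\" %*"

[HKEY_CLASSES_ROOT\.dl]
@="exefile"
"Content Type"="application/x-msdownload"

[HKEY_LOCAL_MACHINE\Enum\PCI\RGNSSS\aaaa]
"bbbb"="cccc"
'''

if __name__ == '__main__':
    # Win9x exports are ANSI; read a real one as cp1252 so odd key names survive.
    text = open(sys.argv[1], encoding='cp1252', errors='replace').read() if len(sys.argv) > 1 else SAMPLE_REG
    found = audit(parse_reg(text))
    for kind, key, detail in found:
        print(f'{kind:7} {key}  {detail}')
    print(remediation_reg(found))
```

Export with `regedit /e export.reg`, run the script on that file, review the run entries by hand, and only then import the generated REGEDIT4 text; the script reads an export and never touches the live registry.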
Also, other keys the program creates/modifies:

HKLM\Software\Microsoft\Windows\CurrentVersion\SubVersionNumber <-- value
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer <-- key
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\ <-- ??
HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\Path1\CachePath
HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\Path2\CachePath
HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\Path3\CachePath
HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\Path4\CachePath
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cookies
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\History
HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\Path1\CacheLimit
HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\Paths

Bear in mind that the Internet Settings cache, Shell Folders and WinSock2 catalog entries are read by any program that uses WinInet or Winsock, so on their own they are not evidence of infection; the RGNSSS key and the exefile handler above are the reliable indicators.
I hope this text has increased your awareness of startup methods and above all answered your questions regarding SUB7. Please do not hesitate to contact me if you have any problems. Manual removal should also be clear from the above text. Further information is available from me. Some more information, useful for future versions too:

If you suspect you have a server running, then go to DOS and type:

netstat -an

This should give you all listening ports. Before you are connected to the internet there should be NO LISTENING PORTS whatsoever (on a Windows 9x box the one expected exception is NetBIOS on 137-139 when File and Print Sharing is enabled). If there are, then you can get worried... and download the latest virus definitions. It is also possible that the version you have is unique; this requires a manual removal. The techniques applied above can be used generically to eradicate any trojan out there! NOTE: well-behaved programs normally do NOT listen on ports; when one does (e.g. Virtual Drive 3.1 by Farstone, which transfers user details), find out why. Of course the server can be made to open its port only once a connection (to the net) is up, so it is also wise to check your open ports while online.
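As an added example (mine, not from the original text), the following script applies the netstat rule above to two `netstat -an` snapshots, one taken offline and one online, and reports what listens offline and what only appears after connecting, which is the "opens on connect" case just mentioned. The netstat output in it is constructed: 12345/12346 are the NetBus ports named earlier, and 4321 is simply a made-up port for the opens-on-connect case. The allow-list is an assumption: NetBIOS on 137-139 listens even offline when File and Print Sharing is on, so the reader puts ports they have personally verified there.

```python
"""Compare two `netstat -an` snapshots (offline, then online) and report
listeners the way the text above recommends. Added example, constructed data."""
import re
import sys

# Proto, local ip:port, foreign address, optional state (UDP rows have no state).
_ROW = re.compile(r'^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$')


def listening_sockets(netstat_text):
    """Return {(proto, local_ip, port)} for sockets waiting for input:
    TCP sockets in LISTENING state and every bound UDP socket."""
    found = set()
    for line in netstat_text.splitlines():
        m = _ROW.match(line)
        if not m:
            continue                      # banner, column headers, blank lines
        proto, ip, port, _foreign, state = m.groups()
        if proto == 'TCP' and (state or '').upper() != 'LISTENING':
            continue                      # ESTABLISHED, TIME_WAIT etc. are not a waiting backdoor
        found.add((proto, ip, int(port)))
    return found


def exposure(ip):
    """A loopback bind is reachable only from the box itself."""
    return 'local only' if ip.startswith('127.') else 'any interface'


def suspicious(offline_text, online_text, allow=frozenset()):
    """allow: {(proto, port)} the reader has personally verified. Everything else
    listening offline is reported, as is anything that appears only once online."""
    off = listening_sockets(offline_text)
    on = listening_sockets(online_text)
    report = {'offline': [], 'opens_on_connect': []}
    for sock in sorted(off):
        if (sock[0], sock[2]) not in allow:
            report['offline'].append(sock)
    for sock in sorted(on - off):
        if (sock[0], sock[2]) not in allow:
            report['opens_on_connect'].append(sock)
    return report


# Constructed snapshots in Windows 9x netstat -an layout (not a real capture).
OFFLINE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:12345          0.0.0.0:0              LISTENING
  TCP    0.0.0.0:12346          0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING
  UDP    0.0.0.0:137            *:*
"""
ONLINE = OFFLINE + """\
  TCP    0.0.0.0:4321           0.0.0.0:0              LISTENING
  TCP    192.168.0.2:1030       10.0.0.1:80            ESTABLISHED
"""

if __name__ == '__main__':
    off_text, on_text = OFFLINE, ONLINE
    if len(sys.argv) == 3:               # netstat -an > off.txt (offline), > on.txt (online)
        off_text, on_text = (open(p, encoding='cp1252', errors='replace').read() for p in sys.argv[1:])
    netbios = frozenset({('UDP', 137), ('UDP', 138), ('TCP', 139)})  # assumed verified
    for label, socks in suspicious(off_text, on_text, allow=netbios).items():
        for proto, ip, port in socks:
            print(f'{label:16} {proto} {ip}:{port} ({exposure(ip)})')
```

Save each run to a file (`netstat -an > off.txt` before dialling up, `netstat -an > on.txt` after) and pass both paths to the script; anything it prints under offline is what the text says should not exist, and anything under opens_on_connect is the port that only appears once a connection is up.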
Greetz: LaZaRuS, Shadow, ReVeNGeR, HH, Int_13. Damn, I hate it when I forget names, so I'll just add an (etc.) heh..... & of course DG '99.
Treasure Your Privacy!

(C) Copyright 1999. Wajid. Any literature found at this site MAY NOT be reproduced partially or in whole without my prior written consent.