Subject: ISSalert: ISS Security Alert: Widespread incidents of SubSeven DEFCON8 2.1 Backdoor
Date: Mon, 9 Oct 2000 15:38:01 -0400

Internet Security Systems Security Alert
October 8, 2000

Widespread incidents of SubSeven DEFCON8 2.1 Backdoor

Synopsis:

Internet Security Systems (ISS) X-Force has discovered over 800 computers infected with the SubSeven DEFCON8 2.1 backdoor. This backdoor is an updated version of SubSeven, which is described at http://xforce.iss.net/static/2245.php. It has been distributed on Usenet newsgroups under file names such as "SexxxyMovie.mpeg.exe". X-Force has determined that individuals are using this network of compromised hosts to test new distributed denial of service (DDoS) methods and strategies.

Description:

This version of SubSeven joins an IRC (Internet Relay Chat) channel on irc.icq.com to notify the attacker that a machine has been infected. X-Force has reverse-engineered the distributed server and determined that its password is "acidphreak". Each installation of SubSeven is configured to use a random file name. This version of SubSeven listens on TCP port 16959, which differs from the ports used by previous versions of the SubSeven backdoor.

There have been many previously released versions of the SubSeven backdoor. SubSeven allows remote attackers to obtain cached passwords, play audio files, view a webcam, and capture screenshots. SubSeven also contains functionality to notify intruders via IRC or ICQ when new computers are infected. This version of SubSeven only works on Windows 95 and Windows 98. Most of the computers infected to date appear to be home computers on high-speed cable modem or DSL connections.

When SubSeven is being controlled with IRC commands, it is possible to use the victim computers to perform a distributed denial of service (DDoS) attack. X-Force observed an attacker launching a true distributed denial of service attack using this network of SubSeven agents. Without special configuration, attackers can launch oversized ping packet attacks with SubSeven. It is also possible for attackers to upload more advanced flooding tools to each agent and use them in a similar manner.

Once connected to the SubSeven port 16959, the server will display "PWD" and prompt for a password. A successful login will return a banner similar to the text below:

connected. 14:43.41 - October 6, 2000, Friday, version: DEFCON8 2.1

Recommendations:

Infected parties can identify this version of the SubSeven backdoor by verifying that TCP port 16959 is listening and that a connection to that port responds with "PWD". The SubSeven 2.1 client can be used to connect to the infected machine using the password "acidphreak". To remove the server, go to the Connection menu, select Server options, and click the Remove server button. To download the SubSeven 2.1 client, use the following link:

http://subseven.slak.org/download.html

Internet Security Systems RealSecure customers can configure RealSecure to detect this version of SubSeven. To do so, edit the \template\protocols key in the policy file with a text editor. Add the port number "16959" to the subseven line if it exists, or add the following line if no SubSeven entry is present:

subseven =S 27374 1243 16959;

The ISS X-Force will provide additional functionality to detect these vulnerabilities in upcoming X-Press Updates for Internet Scanner, RealSecure, and System Scanner.

Additional Information:

The Common Vulnerabilities and Exposures (CVE) project has assigned the following names to these issues. These are candidates for inclusion in the CVE list (), which standardizes names for security problems.

CAN-1999-0660 A hacker utility or Trojan Horse is installed on a system.
CAN-2000-0138 A system has a distributed denial of service (DDOS) attack master, agent, or zombie installed.

Disclaimer

The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties with regard to this information. In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.
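The Recommendations section's identification check (a listener on TCP port 16959 that greets with "PWD") can be automated as a read-only banner probe. The script below is an added example written for this page, not ISS or X-Force code; the function names and the throwaway local listener used to exercise it are constructed here, and only the port number and the "PWD" prompt come from the alert.

```python
import socket
import threading
from typing import Optional

# Port and prompt string as given in the ISS alert.
SUBSEVEN_PORT = 16959
SUBSEVEN_PROMPT = b"PWD"


def looks_like_subseven_prompt(banner: bytes) -> bool:
    """True if the first bytes received match the 'PWD' password prompt the alert describes."""
    return banner.strip().upper().startswith(SUBSEVEN_PROMPT)


def probe_port(host: str, port: int = SUBSEVEN_PORT, timeout: float = 3.0) -> Optional[str]:
    """Connect to host:port, read the initial banner and classify it.

    Returns "subseven-prompt" if the listener greets with "PWD",
    "other-listener" if something else answers, or None if nothing accepts.
    Nothing is sent to the listener; this is a read-only banner check.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            try:
                banner = s.recv(64)
            except socket.timeout:
                banner = b""  # listener accepted but stayed silent
    except OSError:  # refused, unreachable, or connect timeout
        return None
    return "subseven-prompt" if looks_like_subseven_prompt(banner) else "other-listener"


def _fake_listener(greeting: bytes) -> int:
    """Constructed test fixture: a local TCP listener that sends `greeting` once, then closes."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve() -> None:
        conn, _ = srv.accept()
        conn.sendall(greeting)
        conn.close()
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]  # ephemeral port chosen by the OS


if __name__ == "__main__":
    print(probe_port("127.0.0.1", _fake_listener(b"PWD")))  # subseven-prompt
```

Run against a host's own address with the default port to apply the alert's check; a "subseven-prompt" result warrants the removal steps above, while "other-listener" means some other service owns the port.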