• Sub7 Trojan / Backdoor

    by  • March 26, 2003 • Protect Against Malicious Software

    Sub7 (also known as Backdoor-G and all of its variants) is the most well known Trojan / backdoor application available. As far as hacker tools go, this one is one of the best.

    Sub7 arrives as a Trojan. According to Internet security firm Hackguard, these are the statistics for how one might come to be infected with a Trojan horse program:

  • Download an infected email attachment: 20%
  • Download an infected file from the Internet: 50%
  • Get an infected file on a floppy disk, CD or network: 10%
  • Download because of an exploited bug in Internet Explorer or Netscape: 10%
  • Other: 10%Because of its many uses, you may receive it from someone you would normally trust- a friend, spouse or co-worker. By virtue of being a Trojan horse program it comes hidden within a seemingly legitimate piece of software. Executing the software will do whatever the application is supposed to do while installing Sub7 in the background.

    Upon installing Sub7 will open a backdoor (enabling a port that you are not aware is open) and contact the attacker to notify them that Sub7 is installed and ready to go. This is when the fun begins (for the hacker at least).

    Once installed, Sub7 is essentially all-powerful. The hacker at the other end will be able to do any of the following and more:

  • Add, delete or modify any files
  • Log your keystrokes and capture things like your passwords and credit card numbers
  • Add programs like other Trojan and backdoor programs or Distributed Denial-of-Service applications
  • Anything you can do on your computer…The Sub7.org site seems to be defunct. Many sites refer to the main Sub7.org web site for hackers to download the latest version of Sub7 as well as for finding the directions for how to use it. However, just because Sub7.org seems to be gone doesn’t mean Sub7 is. A new release was introduced at the beginning of March, 2003. Developers continue to modify, tweak and improve Sub7 and with each subsequent release it is often just different enough to evade the antivirus detection designed to pick up previous versions.

    Often with Trojan horse programs like this the attacker will change the name of executable files to avoid detection. The executable can be named anything as long as the attacker knows what its called. Sometimes the Trojan may even have been hidden in a system file. The Trojan-infected system file will replace the real system file, but still work as it should. The impact of this is that you can’t simply “delete” the Trojan-infected file without disabling the operating system.

    Some of the “1337 h4x0rz” (elite hackers in “hacker-speak”) frown upon Sub7 as a tool for novices and script-kiddies. That doesn’t stop this utility from being a useful tool for hackers and a threat to you- it just means that the hacker using it will get no respect from you OR the 1337 h4x0rz.

    To protect yourself, you should never download or install any program from any person or web site you don’t implicitly trust. You should also have your operating system patched and be running updated antivirus software to narrow the possible methods of getting this Trojan into your system. Lastly, think twice about whether bizarre activity on your computer is a “fluke”. You can use a tool like Ad-Aware to scan your system for known spyware if you think you may have something.