Sub7

Sub7, or SubSeven or Sub7Server, is a Trojan horse program, more specifically a remote Trojan horse, originally released in February 1999. Because its typical use is to allow undetected and unauthorized access, Sub7 is usually described as a trojan horse by security experts. Starting with version 2.1 (1999) it could be controlled via IRC. As one security book phrased it: "This set the stage for all malicious botnets to come." Additionally, Sub7 has some features deemed of little use in legitimate remote administration, such as keystroke logging. Sub7 worked on the Windows 9x and on the Windows NT family of operating systems, up to and including Windows 8.1.


History

SubSeven was developed by mobman, a computer programmer originally from Craiova, Romania. Mobman released SubSeven on February 28, 1999. His first edition, titled SubSeven v1.0, carried echoes of another Trojan of the time, Back Orifice (BO). Mobman described SubSeven as a clone of BO. The inaugural branch of versions v1.0 to v1.9 restricted the user experience to a single window, making them straightforward and easy to use. In an experimental version of 1.9, the SubSeven 1.9 Apocalypse, Mobman revamped the blue/purple design that had been in use since v1.5. In 2001, in an attempt to reinvent the design again, the v2.2x branch was created. It proved to be short-lived, as its modular approach allowing for the creation of plugins and custom features did not resonate with users who lacked either the skills or the motivation to create new extensions and plugins. Thus, Mobman decided to continue the 2.1.x branch. In 2003, version 2.1.5, known as the "SubSeven Legends", marked the end of SubSeven development under Mobman. In 2006 sub7legends.net re-opened with hundreds of thousands of users, and has kept Sub7 alive with clean downloads, support and new software releases. No development occurred for several years until version 2.3 in 2010. This release was based on the genuine SubSeven 2.2 and 2.1.3 source code, which mobman himself had shared with his close friends "Read101" and "fc", who were responsible for this update. Unfortunately, the revival did not capture the public's attention as anticipated. This lack of interest was primarily due to "fc", who was more interested in monetizing the new version than in enhancing its quality. SubSeven 2.3, released on March 9, 2010, was revamped to work on all 32-bit and 64-bit versions of Windows and included TCP Tunnel and Password Recovery for browsers, instant messengers and email clients. It was very buggy. The website that claimed to do this is no longer active.

In June 2021, Jean-Pierre Lesueur (DarkCoderSc) released a complete from-scratch remake of SubSeven version 2.2. This version maintained a similar look and feel to the original. Since then, development has ceased, and the source code has been made available to the public. In October 2023, "IllWill", a former member of the Sub7 Crew from the 1990s and early 2000s, delivered a talk at BSides CT 2023. This presentation delved into the story behind mobman, revealing several unknown facts about the mysterious developer. The talk concluded with IllWill releasing the official and genuine source code of SubSeven 2.1.2/3 on his GitLab. This release was made possible by mobman's direct contribution and with his blessing. As of now, no other versions of SubSeven have been officially released, apart from version 2.1.2/3 by IllWill. The SubSeven 2.2 version remains exclusively in the possession of mobman, Read101, fc, and DarkCoderSc. In a 2013 article of ''Rolling Stone'', mobman was identified to be an American man. In an October 2024 episode of the podcast ''Darknet Diaries'', a man claiming to be from Romania and residing in Canada and to be the real mobman confronted the American, pointing out inconsistencies in his story, such as that the first version of Sub7 said "From Windsor, Ontario", to which the American said he had never been.


Architecture and features

Like other remote admin programs, Sub7 is distributed with a server and a client. The server is the program that the host must run in order to have their machine controlled remotely, and the client is the program with a GUI that the user runs on their own machine to control the server/host PC. Computer security expert Steve Gibson once said that with these features, Sub7 allows a hacker to take "virtually complete control" over a computer. Sub7 is so invasive, he said, that anyone with it on their computer "might as well have the hacker standing right next to them" while using their computer (Gibson, Steve, "The strange tale of the denial of service attacks on grc.com", 2002-03-05).

Sub7 has more features than NetBus (webcam capture, multiple port redirect, user-friendly registry editor, chat and more). According to a security analysis (Crapanzano, Jamie (2003), "Deconstructing SubSeven, the Trojan Horse of Choice", SANS Institute Information Security Reading), Sub7's server-side (target computer) features include:

* Recording:
** Sound files from a microphone attached to the machine
** Images from an attached video camera
** Screen shots of the computer
* Retrieving a listing of recorded and cached passwords
* Taking over an ICQ account used on the target machine (back then the most popular messaging service); added in version 2.1. This included the ability to disable the local use of the account and read the chat history
* Features which were presumably intended to be used for prank or irritating purposes, including:
** Changing desktop colors
** Opening and closing the optical drive
** Swapping the mouse buttons
** Turning the monitor off/on
** "text2speech" voice synthesizer which allowed the remote controller to have the computer "talk" to its user
* Penetration testing features, including a port scanner and a port redirector

On the client side the software had an "address book" that allowed the controller to know when the target computers were online. Additionally, the server program could be customized before being delivered by a so-called server editor (an idea borrowed from Back Orifice 2000). Customizations possible with the Sub7 server editor included changing the port addresses and displaying a customized message upon installation that could be used, for example, "to deceive the victim and mask the true intent of the program". The Sub7 server could also be configured to notify the controller of IP address changes of the host machine by email, ICQ or IRC. Connections to Sub7 servers can be password protected with a chosen password. A deeper reverse engineering analysis revealed, however, that "SubSeven's author has secretly included a hardcoded master password for all of his Trojans! The Trojan itself has been Trojaned". For version 1.9 the master password is predatox, and 14438136782715101980 for versions 2.1 through 2.2b. The master password for the SubSeven DEFCON8 2.1 Backdoor is acidphreak.
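The hardcoded master passwords above are useful to a defender as static indicators: a string that the author compiled into every build is something a triage script can look for. The following Python scanner is an added example, not code from the article or from any SubSeven release. It searches a byte blob for the three documented master-password strings, in plain ANSI and in UTF-16LE (the two ways a Win32 build would normally embed a literal), and reports which build family each hit corresponds to. The sample blobs are constructed here and are not real Sub7 binaries; the check assumes the literal is stored unobfuscated, so a packed or encoded sample would not match.

```python
# Added example: strings-style indicator scan for the SubSeven master
# passwords documented in the reverse-engineering analysis above.
# The sample blobs below are constructed test data, not real Sub7 binaries.

# Known master passwords and the builds they apply to (values from the article).
SUB7_MASTER_PASSWORDS = {
    "predatox": "SubSeven 1.9",
    "14438136782715101980": "SubSeven 2.1 through 2.2b",
    "acidphreak": "SubSeven DEFCON8 2.1 backdoor",
}

# Encodings in which a Win32/Delphi build might embed a literal: plain ANSI
# and UTF-16LE (Windows wide strings). Assumption: the literal is stored
# unobfuscated; packed or XOR-encoded samples defeat any plain byte match.
ENCODINGS = ("ascii", "utf-16-le")


def find_master_passwords(blob: bytes) -> list[tuple[str, str, str]]:
    """Return (password, version, encoding) for each known master password
    that appears verbatim in blob, in the order listed above."""
    hits = []
    for pw, version in SUB7_MASTER_PASSWORDS.items():
        for enc in ENCODINGS:
            if pw.encode(enc) in blob:
                hits.append((pw, version, enc))
    return hits


def sample_blobs() -> dict[str, bytes]:
    """Constructed byte strings standing in for files read from disk."""
    return {
        # ANSI literal surrounded by junk, as a Delphi build might store it
        "ansi_sample": (b"MZ\x90\x00" + b"\x00" * 32
                        + b"connect ok\x00"
                        + b"14438136782715101980\x00"
                        + b"\xff" * 16),
        # the same idea with a wide (UTF-16LE) literal
        "wide_sample": b"MZ\x90\x00" + "predatox".encode("utf-16-le") + b"\x00" * 8,
        # a blob with no indicator at all
        "clean_sample": b"MZ\x90\x00" + b"hello world\x00" * 4,
    }


def scan_all(blobs: dict[str, bytes]) -> dict[str, list[tuple[str, str, str]]]:
    """Scan every blob and keep only those with at least one indicator hit."""
    return {name: hits for name, blob in blobs.items()
            if (hits := find_master_passwords(blob))}


if __name__ == "__main__":
    for name, hits in scan_all(sample_blobs()).items():
        for pw, version, enc in hits:
            print(f"{name}: master password '{pw}' ({version}, {enc}-encoded)")
```

A match is a strong hint, not proof: the numeric password is long enough to be distinctive, but a short word like acidphreak could appear in unrelated text, so treat a hit as a reason to pull the file for closer analysis rather than as a verdict on its own.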


Uses and incidents

SubSeven has been used to gain unauthorized access to computers since it also worked as a keylogger. While it can be used for causing mischief (such as making sound files play out of nowhere, changing screen colors, etc.), it can also read keystrokes that were made since the last boot, a capability that can be used to steal passwords, credit card numbers, and other sensitive data. In 2003, a hacker began distributing a Spanish-language email purporting to be from security firm Symantec that was used to trick recipients into downloading Sub7. Although Sub7 is not itself a worm (it has no built-in self-propagation features), it has been leveraged by some worms such as W32/Leaves (2001). Some versions of Sub7 include code from Hard Drive Killer Pro to format the hard drive; this code will only run if it matches the ICQ number "7889118" (that of mobman's rival trojan author).


See also

* Back Orifice
* Back Orifice 2000
* Trojan horse (computing)
* Malware
* Backdoor (computing)
* Rootkit
* MiniPanzer and MegaPanzer
* File binder


External links


* Website
* http://www.giac.org/paper/gcih/36/subseven-213-bonus/100239
* Darknet Diaries Podcast Ep 20: mobman
* Screenshot of subseven V2.2 readme
* https://come.to/subseven/
* Sub7 2.1.2/3 Source Code
* Malware retrospective: SubSeven
* Bsides CT 2023
* Darknet Diaries Podcast Ep 150: mobman 2