RE: Sub7 (SubSeven), Win2k, and IE 5.5

From: Butler, Brandon (ButlerB@Curascript.com)
Date: 03/20/02


From: "Butler, Brandon" <ButlerB@Curascript.com>
To: "'jogglie@excite.com'" <jogglie@excite.com>
Date: Wed, 20 Mar 2002 16:54:56 -0500

This is quite interesting.. I do want to note a few things..

I've done a lot of testing with sub7 (it's actually useful in some situations
for sysadmins, even ethical too :) there are a few things I want to point
out, make aware, or whatever.. feel free to comment/correct me/etc..

1. there are multiple versions of Sub7 ranging from 1.9 to 2.2 (you prolly
already know this tho, lol).. 2.1 is the most common, a lot of features tho
are not working in Win2k, or not working at all with XP. 2.2 is the same
way, but barely works with XP.

2. Most script kiddies will have a way for the sub7 to reach them, whether
it's using a mail drop, irc notification or ICQ. The better part is, most of
them aren't smart enuff or too lazy to password the actual server file. You
can get ahold of sub7 server editor @ sub7.org (I believe, do a search on
google for "sub7" and "download") and find the information from the actual
file. Then you can use that to kinda "spy" to find out where it came from,
or at least who is using them, then move on from there..

As far as IE5.5 goes, to be totally honest, it doesn't surprise me. There
prolly is an accidental exploit someone found and is moving thru the script
kiddie underworld. Wouldn't exactly be new.

And I bet you're wondering what legitimate uses there are for sub7. My use is
mainly the port forwarding, which helps because my main machine doesn't have
restricted access to the outside world, unlike the machines on dhcp. So if
I'm on my laptop (dhcp) and need to ssh to my box at home, or something in
the DMZ.

As far as A/V missing it, not too hard to do really. In fact, let's say you
have remote administrator installed, or even telnet installed on a machine,
and you upload sub7 thru a share, run it from the command line, and boom..
For some reason virus scan completely misses it. I've been able to duplicate
this with NAV CE (7.6) on WinNT4 SP6a and Win2K SP2 (using remote admin to
telnet .. www.famatech.com)

If at all possible, I'd like a copy of the logs, and the .exe file, there
might just be a new version out which isn't detectable or was just added to
the database. If you do zip and send to me, please password the zip file,
just so our NAV doesn't detect it ;)

Thanks
~Brandon

-----Original Message-----
From: Kirk Schafer [mailto:jogglie@excite.com]
Sent: Wednesday, March 20, 2002 2:40 PM
To: focus-ms@securityfocus.com; incidents@securityfocus.com
Subject: Sub7 (SubSeven), Win2k, and IE 5.5

Hi all,

--- Note, I wrote this last week. If the list finally accepts it this time,
please backdate the content several days ---

I ran a search of the two groups I'm submitting to and found nothing. Within
the last couple of days, my Windows 2000 Pro Workstation had Sub7 placed in
the \WINNT\SYSTEM32 folder, as well as the "Run" registry key. It never
installed, because my system caught it. Since I am running the latest
patches (as of two days ago, according to HFNETCHK), and I have a full scale
corporate AntiVirus product active and installed, I can't imagine how this
sucker ended up on my hard drive. It was detected upon a reboot and login -
somehow previously circumnavigating NAV CE's RealTime protection - by the
logs, it WAS ACTIVE. I don't have any world-accessible shares, and I am
behind a stealth firewall NAT with non-routable IPs, and no NETBIOS
routing. It is also not possible to disable NAV from the workstation - it's
centrally managed, and frighteningly current.

The only thing I can figure is that someone figured out how to drop files
from IE 5.5 (with all the latest patches) from script but it isn't
world-pervasive yet. Also, a month ago, a colleague was browsing the web,
downloading Word files, and the exact same thing happened - the user saved
from their "protected" station to a NetWare server, and (potentially) via
some scripting, NAV's RealTime protection was skipped (although that
protection was running - an hour later, it was found by the very same person
when they accessed the file normally. Seems to point to IE again). Our
trusted sites (zones) are well managed, and well, we're pretty well off.

Has anyone had similar experiences over the last week or month?

Thanks,
Kirk

------------------------------------------------

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com


