RE: Sub7 (SubSeven), Win2k, and IE 5.5

From: Damien Adams (dadams@scientech.com)
Date: 03/21/02


From: "Damien Adams" <dadams@scientech.com>
To: "Butler, Brandon" <ButlerB@Curascript.com>, <jogglie@excite.com>
Date: Thu, 21 Mar 2002 10:17:22 -0500

You could also use SubSeven Sniper. Search for it on Google.

>-----Original Message-----
>From: Butler, Brandon [mailto:ButlerB@Curascript.com]
>Sent: Wednesday, March 20, 2002 4:55 PM
>To: 'jogglie@excite.com'
>Cc: focus-ms@securityfocus.com; incidents@securityfocus.com
>Subject: RE: Sub7 (SubSeven), Win2k, and IE 5.5
>
>
>This is quite interesting.. I do want to note a few things..
>
>I've done a lot of testing with sub7 (it's actually useful in some situations
>for sysadmins, even ethical too :) there are a few things I want to point
>out, make aware, or whatever.. feel free to comment/correct me/etc..
>
>1. there are multiple versions of Sub7 ranging from 1.9 to 2.2 (you prolly
>already know this tho, lol).. 2.1 is the most common, a lot of features tho
>are not working in Win2k, or not working at all with XP. 2.2 is the same
>way, but barely works with XP.
>
>2. Most script kiddies will have a way for the sub7 to reach them, whether
>it's using a mail drop, irc notification or ICQ. The better part is most of
>them aren't smart enough or too lazy to password the actual server file. You
>can get ahold of sub7 server editor @ sub7.org (I believe, do a search on
>google for "sub7" and "download") and find the information from the actual
>file. Then you can use that to kinda "spy" to find out where it came from,
>or at least who is using them, then move on from there..
>
>As far as IE5.5 goes, to be totally honest, it doesn't surprise me. There
>prolly is an accidental exploit someone found and is moving thru the script
>kiddie underworld. Wouldn't exactly be new.
>
>And I bet you're wondering what legitimate uses are for sub7. My use is
>mainly the port forwarding, helps because my main machine doesn't have
>restricted access to the outside world, unlike the machines on dhcp. So if
>I'm on my laptop (dhcp) and need to ssh to my box at home, or something in
>the DMZ.
>
>As far as A/V missing it, not too hard to do really. In fact, let's say you
>have remote administrator installed, or even telnet installed on a machine,
>and you upload sub7 thru a share, run it from the command line, and boom..
>for some reason virus scan completely misses it. I've been able to duplicate
>this with NAV CE (7.6) on WinNT4 SP6a and Win2K SP2 (using remote admin to
>telnet .. www.famatech.com)
>
>If at all possible, I'd like a copy of the logs, and the .exe file, there
>might just be a new version out which isn't detectable or was just added to
>the database. If you do zip and send to me, please password the zip file,
>just so our NAV doesn't detect it ;)
>
>Thanks
>~Brandon
>
>-----Original Message-----
>From: Kirk Schafer [mailto:jogglie@excite.com]
>Sent: Wednesday, March 20, 2002 2:40 PM
>To: focus-ms@securityfocus.com; incidents@securityfocus.com
>Subject: Sub7 (SubSeven), Win2k, and IE 5.5
>
>
>
>Hi all,
>
>--- Note, I wrote this last week. If the list finally accepts it this time,
>please backdate the content several days ---
>
>I ran a search of the two groups I'm submitting to and found nothing. Within
>the last couple of days, my Windows 2000 Pro Workstation had Sub7 placed in
>the \WINNT\SYSTEM32 folder, as well as the "Run" registry key. It never
>installed, because my system caught it. Since I am running the latest
>patches (as of two days ago, according to HFNETCHK), and I have a full scale
>corporate AntiVirus product active and installed, I can't imagine how this
>sucker ended up on my hard drive. It was detected upon a reboot and login -
>somehow previously circumnavigating NAV CE's RealTime protection - by the
>logs, it WAS ACTIVE. I don't have any world-accessible shares, and I am
>behind a stealth firewall NAT with non-routable IPs, and no NETBIOS
>routing. It is also not possible to disable NAV from the workstation - it's
>centrally managed, and frighteningly current.
>
>The only thing I can figure is that someone figured out how to drop files
>from IE 5.5 (with all the latest patches) from script but it isn't
>world-pervasive yet. Also, a month ago, a colleague was browsing the web,
>downloading Word files, and the exact same thing happened - the user saved
>from their "protected" station to a NetWare server, and (potentially) via
>some scripting, NAV's RealTime protection was skipped (although that
>protection was running - an hour later, it was found by the very same person
>when they accessed the file normally. Seems to point to IE again). Our
>trusted sites (zones) are well managed, and well, we're pretty well off.
>
>Has anyone had similar experiences over the last week or month?
>
>Thanks,
>Kirk
>
>
>------------------------------------------------
>
>
>----------------------------------------------------------------------------
>This list is provided by the SecurityFocus ARIS analyzer service.
>For more information on this free incident handling, management
>and tracking system please see: http://aris.securityfocus.com
>