[Snort-sigs] SID 107

Christopher_Lubrecht at ...381... Christopher_Lubrecht at ...381...
Fri Mar 1 07:27:21 EST 2002

# This is a template for submitting snort signature descriptions to
# the snort.org website
# Ensure that your descriptions are your own
# and not the work of others.  References in the rules themselves
# should be used for linking to other's work.
# If you are unsure of some part of a rule, use that as a commentary
# and someone else perhaps will be able to fix it.
# $Id$

alert tcp $EXTERNAL_NET 16959 -> $HOME_NET any (msg:"BACKDOOR subseven DEFCON8 2.1
access"; content: "PWD"; content:"acidphreak"; nocase; flags: A+; sid:107;
classtype:misc-activity; rev:4;)
The Subseven DEFCON8 2.1 is a newer version of the popular Subseven trojan.  This
backdoor notifies the attacker when it has been installed, and allows the attacker
to obtain cached passwords, play audio files, capture screen shots and view
This trojan is very popular and highly scanned for. Articles document its use in a
variety of DDOS set ups and attacks. Attackers congregate in IRC for the specific
reason of detailing and bragging about  their subseven 'zombies'. Due to its
popularity, ease of use and high configurability, this is a dangerous trojan.
Detailed Information:
This trojan is mass distributed via methods such a newsgroup binary posting with
filenames such as "SexxxyMovie.mpeg.exe"(although any name could be used.).  The
trojan operates on port 16959, and once the client connects, prompts for a
password with a "PWD" prompt. The default password is "acidphreak" Once connected,
a banner will be displayed which contains the date, time  and "version: DEFCON8
2.1". This version of subseven only works on Windows 95 and 98.
Attack Scenarios:
Steve Gibson, of Gibson Research (ShieldsUP!), wrote a paper outlining one method
in which a 'zombie' trojan is used via IRC. The attacker gathers infected
machines, and uses them in an assault against a larger target, (usually via ICMP
flood). Individually, each machine's bandwidth would matter little to the target,
however when upwards of a 100 machines assault a target together, the effects are
Ease of Attack:

False Positives:
It is possible to trip this signature with innocent traffic.
False Negatives:

Corrective Action:
The best method for removal of this trojan, is an anti-virus scanner, or a
subseven removal program. It is very difficult to remove manually, and not
Christopher Lubrecht chris_lubrecht at ...382... initial research
Additional References:
http://grc.com/dos/grcdos.htm (Steve Gibson's paper)



Any views or opinions are solely those of the
author and do not necessarily represent those
of PR Newswire. The contents are intended
only for the addressee and may contain confidential
and/or privileged material. If you are not the
intended recipient, please do not read, copy,
use or disclose this communication and notify
the sender.

More information about the Snort-sigs mailing list