KeyFocus - KFSensor Extras - kfSubSeven
KFSensor Extras

kfSubSeven

kfSubSeven is a honeypot emulation of the ever popular SubSeven trojan server.

kfSubSeven behaves just like the real thing, but without the unpleasant consequences.
It is a self-contained application designed to work within a honeypot system; it will not work by itself.

kfSubSeven is not part of the KFSensor system, but can be used to add to its capabilities.
Unlike KFSensor, this application is released as open source under the GNU General Public License.
kfSubSeven works well within KFSensor and may also work under other honeypot systems.

Key Points
  • kfSubSeven is not a trojan, virus, spyware or malware
  • kfSubSeven is not a version of SubSeven
  • kfSubSeven is not based on SubSeven source code
  • kfSubSeven will not help you hack into, or control other systems
  • kfSubSeven will help you to detect hackers using SubSeven

Contents

  1. What is SubSeven
  2. How kfSubSeven works
  3. Example attack
  4. Screen shots
  5. Installing kfSubSeven
  6. Download

What is SubSeven

SubSeven is a trojan. Once installed on a victim's machine the SubSeven server runs undetected and opens a TCP port, or backdoor, which allows a hacker complete control of the victim's machine. The hacker uses the SubSeven client program to control the SubSeven server program from a remote location.

Different trojans have different capabilities.
SubSeven has the lot.
It has the ability to upload, download and execute files, log keystrokes, and turn the victim's machine into an FTP, chat or ICQ server. It can even turn on the web cam and watch the victim in real time and use text2speech to talk to the victim.

It is the most popular trojan for the following reasons:
  • It has lots of 'cool' features
  • It has been developed for a number of years
  • It is very easy to use
  • It is easy to get hold of

Because of this, people who use SubSeven are mostly script kiddies. However, existing SubSeven installations are also used by more advanced hackers as a convenient back door that lets them upload their custom scripts and trojans.

SubSeven can listen on any port. Its default port is 27374, which is one of the most scanned ports on the Internet.

SubSeven opens other ports for special functions: 2774 for the chat feature and 7215 for the Matrix feature.

Warning: If you want to try it out for yourself bear in mind the following:
It is illegal in most countries to use it on a machine you do not legally control.
Many SubSeven distributions are infected with other trojan horses and using one of these will compromise your own security.

How kfSubSeven works

kfSubSeven listens on a port and accepts connections from a SubSeven client in the same way that the SubSeven server does.
kfSubSeven understands the SubSeven protocol and replicates the responses generated by the SubSeven server.

As far as a hacker is concerned there is no difference between controlling kfSubSeven and SubSeven.

Because kfSubSeven only simulates SubSeven, and most importantly does not allow the hacker to compromise the system, it is limited in the extent to which it can emulate SubSeven. This means an intelligent hacker, i.e. not a script kiddie, will eventually work out that there is something not quite right. Hopefully their intentions will have been revealed by this point and a significant amount of their time will have been wasted.

For example, a hacker may try to upload and execute their piece of malware on the honeypot, or use kfSubSeven to launch a scan on another machine. This will not work and will indicate that something is wrong.
However, the hacker may not realise that the server is a honeypot; they may assume that their victim's machine is being blocked by a firewall.

kfSubSeven Features

kfSubSeven implements all the commands found in the SubSeven protocol page.

There are too many features to mention them all here.
If you are keen to know all the details then read the source code.

Here are some of the kfSubSeven highlights:

  • Lets the client chat to the honeypot.
    SubSeven has a chat feature called 'The Matrix' that makes the victim's machine behave like it does in the film where Neo is first contacted. kfSubSeven quotes lines from the film back at the hacker. :-)
  • Lets the client browse the files on the computer
  • Lets the client upload files. These are placed in a secure area for later analysis.
  • Lets the client download files. These are special honey token files that you want people to see.
  • Lets the client obtain the system's passwords
Reminder: None of the data the client can access is genuine.

Have a look at the Screen shots for a few examples.

Staying one step ahead

If you managed to find kfSubSeven on the Internet, then you can be sure other, less well intentioned people have as well. They will quickly learn what to look out for and develop tests to tell kfSubSeven and SubSeven apart; in other words they will have a kfSubSeven fingerprint.

In order to stay one step ahead do the following:

  1. Change the kfSubSeven configuration: change the settings in the kfsubseven.conf file
  2. Let us know of anything that looks like a fingerprint and we will update kfSubSeven to counter it
  3. Make your own customised version of kfSubSeven. The source code is there to be used

Example attack

The best way to understand how kfSubSeven works is by example.
So we have produced annotated records of real-life SubSeven attacks on a KFSensor honeypot system running kfSubSeven.

Click on this link to see the Example attack 1.

Click on this link to see the Example attack 2.

This is the transcript of a Matrix chat session between a hacker and kfSubSeven's automated responses.
>>>> = kfSubSeven
<<<< = Hacker

>>>>You can't scare me with this Gestapo crap. I k
<<<<i know
>>>>now my right
<<<<i just wanna talk to you
>>>>s.[F6]What?[F6]
<<<<are you located in the US
>>>>Right.[F6]
<<<<oh cool
>>>>What?[F6]
<<<<do you have an AIM screen name
>>>>What the hell?[F6]
<<<<sorry for bothering you
>>>>Right.[F6]
<<<<oh one other thing
>>>>What, now?[F6]
<<<<have this ever been done to you before?
>>>>Follow the white rabbit?[F6]
<<<<lolLOLLOL
>>>>Oh shit. Oh shit shit shit![F6]Who are you?[F6]
<<<<The call me Mobman
>>>>what do you want[F6]
<<<<nothing
>>>>Oh
<<<<your computer is weird
>>>> shit. Oh shit shit shit![F6]Right.[F6]
<<<<listen you have a nice day and we'll keep in touch
>>>>How?[F6]
<<<<i will find you dont worry
>>>>Yeah...yeah...you're two hours late.[F6]You get
<<<<you funny
>>>>caught using that...[F6]What is the Matrix?[F6]
<<<<1101000110
>>>>You can't scare me with this Gestapo crap. I know my rights.[F6]
<<<<you know u
>>>>I am calling the police[F6]
<<<<ok
>>>>Yeah...yeah...you're two hours late.[F6]
<<<<male or female
>>>>what do you want[F6]
<<<<male or female
>>>>I am calling the police[F6]
<<<<this is not a real person
>>>>What?[F6]
<<<<you repeat the same things over and over
>>>>This is insane! Why is this happening to me? What did I do?[F6]
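The transcript above is logged as the bytes were sent, so one scripted kfSubSeven line can be cut across several ">>>>" records ("I k" / "now my right" / "s."). This added example (not part of kfSubSeven or KFSensor) reassembles the honeypot's side of such a transcript and counts the repeated replies that gave the game away ("you repeat the same things over and over"); it assumes "[F6]" separates scripted lines, an inference from the transcript rather than a fact from the source code, and the excerpt it parses is constructed.

```python
# Constructed excerpt in the format of the transcript on this page:
# ">>>>" is kfSubSeven output, "<<<<" is the attacker's input.
SAMPLE_TRANSCRIPT = """\
>>>>You can't scare me with this Gestapo crap. I k
<<<<i know
>>>>now my right
<<<<i just wanna talk to you
>>>>s.[F6]What?[F6]
<<<<are you located in the US
>>>>Right.[F6]
<<<<male or female
>>>>What?[F6]
<<<<this is not a real person
>>>>What?[F6]
"""

# Assumed line separator, inferred from the transcript (not from kfSubSeven source).
LINE_SEP = "[F6]"


def parse_transcript(text):
    """Return (attacker_lines, honeypot_lines).

    All '>>>>' fragments are joined first and only then split on the
    separator, which recovers the lines the attacker actually saw even
    when a line was cut across several log records."""
    attacker, stream = [], ""
    for raw in text.splitlines():
        if raw.startswith("<<<<"):
            attacker.append(raw[4:])
        elif raw.startswith(">>>>"):
            stream += raw[4:]
    honeypot = [s for s in stream.split(LINE_SEP) if s]
    return attacker, honeypot


def repeated_lines(lines):
    """Map each scripted line sent more than once to its count. A high count
    is the fingerprint the attacker spotted; a longer or randomised script in
    kfsubseven.conf lowers it."""
    counts = {}
    for line in lines:
        counts[line] = counts.get(line, 0) + 1
    return {k: v for k, v in counts.items() if v > 1}


if __name__ == "__main__":
    atk, hp = parse_transcript(SAMPLE_TRANSCRIPT)
    print("honeypot lines:", hp)
    print("repeated:", repeated_lines(hp))
```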

Screen shots

The screen shots are all of the SubSeven client program interacting with kfSubSeven.
They give a few examples of how well kfSubSeven can emulate SubSeven.


The hacker uses 'The Matrix' to talk to kfSubSeven and it answers him back!
In this example the two of them swap lines from the film. The responses are configurable and can be selected at random, or picked from a sequence like this example.


SubSeven has this handy feature that tends to be the first thing hackers use.
The values can be changed in the kfsubseven.conf file.


kfSubSeven is configured with dummy passwords that it can give out.


The hacker can use SubSeven's file manager to browse the victim's hard disk.
The lists of files returned are contained in a config file.


The hacker can ask kfSubSeven to scan other computers.
The scan looks like it is working but will never find anything; it keeps the hacker waiting for a long time.


Some of the 'fun' things SubSeven lets a hacker do to his victim.

Installing kfSubSeven

The following instructions relate to installing kfSubSeven onto a KFSensor system.

kfSubSeven consists of a single executable and a number of other configuration and honeytoken files. Installation and configuration is a manual process.

Step 1
Unzip the file kfsubseven.zip in the directory:
C:\Program Files\KeyFocus\KFSensor\files
Make sure you enable the folders option of your unzip utility, to preserve the directory structure in the zip file.

Step 2
Create the following blank directory:
C:\kfsensor\subsevenuploads

You should now have the following tree structure.

C:
    kfsensor
        logs
        nbtuploads
        subsevenuploads
    Program Files
        KeyFocus
            KFSensor
                bin
                conf
                files
                iis
                    wwwroot
                kfsubseven
                nbtdownloads
                scripts
                sub7downloads

Step 3
Edit the file C:\Program Files\KeyFocus\KFSensor\files\kfsubseven\kfsubseven.conf

You can change many options here but for now set the Path options as below:

UploadPath=C:\kfsensor\subsevenuploads
DownloadPath=C:\Program Files\KeyFocus\KFSensor\files\sub7downloads

This enables kfSubSeven to capture uploaded files and store them in subsevenuploads, and makes the files in sub7downloads available for download.

Step 4
kfSubSeven is now installed, but KFSensor needs to be configured to use it.

Go to the Scenario menu and select the Edit Sim Servers... menu item.

Use the Add... button and select Action Type: Sim Std Server, Sim Type: External Console App, from the Add Sim Server dialog box.

Fill in the following fields and press OK.

Note: It is very important that you get the Arguments field right, including the case. Best to just copy and paste the values.

This is the main SubSeven server

Field                 Value
Name                  kfSubSeven Server
Default port          27374
Severity              High
Timeout               1200
Log style             Mixed
Receive Limit         2000000
Log response lines    3
Log Response size     1000000
Log receive size      1000000
Application ID        SubSeven
Application Path      C:\Program Files\KeyFocus\KFSensor\files\kfsubseven\kfsubseven.exe
Arguments             -ckfsubseven.conf -I$ipdst -P$dport -i$ipsrc -p$sport
Working directory     C:\Program Files\KeyFocus\KFSensor\files\kfsubseven
Exit code             (blank)

Now repeat the process for the SubSeven Chat port.

Field                 Value
Name                  kfSubSeven Chat
Default port          2774
Severity              High
Timeout               600
Log style             Mixed
Receive Limit         10240
Log response lines    0
Log Response size     10240
Log receive size      10240
Application ID        SubSeven Chat
Application Path      C:\Program Files\KeyFocus\KFSensor\files\kfsubseven\kfsubseven.exe
Arguments             -C -ckfsubseven.conf -I$ipdst -P$dport -i$ipsrc -p$sport
Working directory     C:\Program Files\KeyFocus\KFSensor\files\kfsubseven
Exit code             (blank)

Now repeat the process for the SubSeven Matrix port.

Field                 Value
Name                  kfSubSeven Matrix
Default port          7215
Severity              High
Timeout               600
Log style             Mixed
Receive Limit         10240
Log response lines    0
Log Response size     10240
Log receive size      10240
Application ID        SubSeven Matrix
Application Path      C:\Program Files\KeyFocus\KFSensor\files\kfsubseven\kfsubseven.exe
Arguments             -M -ckfsubseven.conf -I$ipdst -P$dport -i$ipsrc -p$sport
Working directory     C:\Program Files\KeyFocus\KFSensor\files\kfsubseven
Exit code             (blank)

Go to the Scenario menu and select the Edit Active Scenario... menu item.

Use the Delete button to remove any listen definitions you might already have on ports 27374, 2774 and 7215.

Use the Add... button to add three listen definitions, one for each of the Sim Std Server definitions you have just made.

Step 5
KFSensor should now be running kfSubSeven.

In order to test it you can either:

  1. Use a copy of the SubSeven client. This is not recommended, but it is the best way.
  2. Use a Telnet client and open each of the three new ports in turn.
    You can type in some of the commands from the Example attack to see if they work.

Download

Windows Executable - kfsubseven.zip
This file contains the compiled kfsubseven executable and the extra files it needs to run it on a Windows machine.

Source code - kfsubsevensrc.zip
This file contains everything you need to build kfsubseven under Visual C++ .NET.
The source code is written in ANSI C, and if you create your own make file it will compile with any C compiler under Windows.

The current version contains Windows API calls and will not compile under Unix.
However, these API calls are all located in the file kfinout.c and it will not be too much work to replace them with Unix specific code.

kfSubSeven is licensed under the GNU General Public License.
If you make any enhancements to kfsubseven and want to distribute them, then please get in touch with us.
We are particularly interested in any ports to Unix or other systems.